Search This Blog

Showing posts with label Data Extortion. Show all posts

U.S. Cyber Command Officially Links MuddyWater Gang to Iranian Intelligence

 

The US military's Cyber Command on Wednesday officially tied the Iranian-backed MuddyWatter hacking group to Iran's Ministry of Intelligence and Security (MOIS).

According to Cyber Command, the hacking group was first identified in 2017 and is a subordinate element within the Iranian Ministry of Intelligence and Security (MOIS), which is involved in both domestic surveillance operations and the targeting of a wide spectrum of entities in governments, academia, cryptocurrency, telecommunications, and oil sectors in the Middle East.

"MuddyWater is an Iranian threat group; previously, the industry has reported that MuddyWater has primarily targeted Middle Eastern nations, and has also targeted European and North American nations," Cyber Command said in a statement.

On Twitter, Cyber Command said the malicious group was employing a suite of malware for espionage and malicious activity. "MOIS hacker group MuddyWater is using open-source code for malware," it said. "MuddyWater and other Iranian MOIS APTs are using DNS tunneling to communicate to its C2 infrastructure; if you see this on your network, look for suspicious outbound traffic."

In partnership with the FBI, USCYBERCOM's Cyber National Mission Force (CNMF) has also shared multiple malware samples of PowGoop, a DLL loader designed to decrypt and run a PowerShell-based malware downloader. Five of the files that CYBERCOM has uploaded to VirusTotal this week aren’t identified as malicious by any of the antivirus engines in the scanning service, while six others have very low detection rates.

"If you see a combination of these tools, Iranian MOIS actor MuddyWater may be in your network. MuddyWater has been seen using a variety of techniques to maintain access to victim networks," the US military command added. "These include side-loading DLLs in order to trick legitimate programs into running malware and obfuscating PowerShell scripts to hide command and control functions."

Last year in November, cyber authorities across the US, UK, and Australia attributed attacks exploiting loopholes in Fortinet and Exchanges to Iranian-backed attackers. Rather than targeting a particular sector of the economy, the malicious actors were simply focused on exploiting the vulnerabilities wherever possible; following the operation, they then attempted to turn that initial access into data exfiltration, a ransomware attack, or extortion.

Night Sky: New Ransomware Targeting Corporate Networks

 

The new year has brought with it new ransomware named 'Night Sky,' which targets corporate networks and steals data in double-extortion attacks. 

The Night Sky operation began on December 27th, according to MalwareHunterTeam, which was the first to identify the new ransomware. The ransomware has since published the data of two victims. 

One of the victims got an initial ransom demand of $800,000 in exchange for a decryptor and the promise that the stolen material would not be made public. 

How Night Sky encrypts devices

A sample of the Night Sky ransomware seen by BleepingComputer has a personalised ransom note and hardcoded login credentials to access the victim's negotiation page. 

When the ransomware is activated, it encrypts all files except those with the.dll or.exe file extensions. The ransomware will not encrypt the following files or folders: 
AppData
Boot
Windows
Windows.old
Tor Browser
Internet Explorer
Google
Opera
Opera Software
Mozilla
Mozilla Firefox
$Recycle.Bin
ProgramData
All Users
autorun.inf
boot.ini
bootfont.bin
bootsect.bak
bootmgr
bootmgr.efi
bootmgfw.efi
desktop.ini
iconcache.db
ntldr
ntuser.dat
ntuser.dat.log
ntuser.ini
thumbs.db
Program Files
Program Files (x86)
#recycle

Night Sky appends the.nightsky extension to encrypted file names while encrypting them. A ransom letter named NightSkyReadMe.hta is included in each folder, and it provides details about what was stolen, contact emails, and hardcoded passwords to the victim's negotiation page. 

Instead of communicating with victims through a Tor site, Night Sky employs email addresses and a transparent website that runs Rocket.Chat. The credentials are used to access the Rocket.Chat URL specified in the ransom note. 

Double extortion tactic: 

Before encrypting devices on the network, ransomware operations frequently grab unencrypted data from victims. Threat actors then utilize the stolen data in a "double-extortion" scheme, threatening to leak the information unless a ransom is paid. 

Night Sky built a Tor data leak site to leak the data of victims, which now contains two victims, one from Bangladesh and the other from Japan. While there hasn't been much activity with the new Night Sky ransomware operation, one should keep a watch on it as we enter the new year.