Researchers used an attack on a Brazilian-embassy computer to uncover additional details on the year-old cyberespionage group Seedworm, including a new backdoor the group is now using.
Symantec found Seedworm and APT28 on a computer in the Brazilian embassy in what the company described as an oil producing country and since this was an oddity the researchers delved further into the attack. The group is believed to have attacked 131 victims between September and November 2018 with Pakistan, Turkey, Russia and Saudi Arabia whoever the most. There also have been a few targets struck in North America and Europe.
Symantec was able to gather enough information to take a general stab at who may be behind the attacks.
"Our investigation into the group’s activities indicate that they are likely operating out of the Middle East region, and probably backed by a nation-state for targeted cyber espionage purposes. We believe Seedworm is one group of actors," Jonathan Wrolstad, Principal Cyber Intelligence Analyst at Symantec, told SC Media.
Even though the initial infected computer whoever in an oil-producing country, the targets are mostly telecoms and IT service sector firms, with a smattering in oil and gas production. Symantec believes these victims are used to enable Seedworm to then gain access to additional victims.
The investigation found new variants of the Powermud backdoor, an entirely new backdoor, noted a Backdoor.Powermuddy, custom tools for stealing passwords, creating reverse shells, privilege escalation and the use of the native Windows cabinet creation tool, makecab.exe, probably for compressing stolen data to be uploaded, Symantec said.
Seedworm is the only group known to use the Powermud backdoor.
An attack generally runs in this manner.
"The group sends targeted spear-phishing emails with malicious lure documents attached, which trick users into running macros and also uses previously stolen passwords to gain remote control over computers," Wrolstad said.
After being downloaded. It installs one of its backdoors and immediately runs a tool to steal passwords saved in the computers web browser and email system. This has led Symantec to believe gaining knowledge of the victim’s email, social media and chat accounts is of paramount importance to whoever is backing Seedworm.
“Seedworm then uses open-source tools such as LaZagne and Crackmapexec to obtain Windows authorization credentials. Seedworm uses off-the-shelf, unmodified versions of these tools as well as custom-compiled variants which we have determined are only used by this group, the report said.
Full attribution has not been possible, but Symantec was able to trace a few bits of information back toward the source. A Github repository was found containing scripts similar to what was used in the attack. In addition, a Twitter account was found that follows numerous security researchers who have covered Seedworm and software developers who create and update much of the open-source software the gang utilizes.
“These accounts likely are controlled by the Seedworm group. The Github repository contains a PowerShell script that has been run on victim hosts in activity attributed to Seedworm; there are also numerous Crackmapexec PowerShell commands that match victim host activity,” Symantec said.