Iran-Linked Group ‘TEMP.Zagros’ Updates Tactics, Techniques In Latest Campaign

Researchers say a massive phishing campaign targeting Asia and Middle East regions is linked to an Iranian-based threat actor TEMP.Zagros, also known as MuddyWater. This latest attack illustrates an evolution by the threat actor, which has now adopted new tactics, techniques and procedures.

“We observed attackers leveraging the latest code execution and persistence techniques to distribute malicious macro-based documents to individuals in Asia and the Middle East,” wrote FireEye researchers in a blog post Tuesday.

FireEye’s discovery builds off previous research into the group by Palo Alto Networks, Unit 42 and Trend Micro. In November, Unit 42 first wrote about TEMP.Zagros (or MuddyWater) noting the attacks hit various industries in several countries, primarily in the Middle East and Central Asia, and lured victims to download infected documents and compromise their computer networks.

On Monday, Trend Micro reported similarities between the MuddyWater campaign and these new attacks, stressing that the link signifies that the attackers are not merely interested in a one-off campaign, but will likely continue to perform cyberespionage activities against the targeted countries and industries.

In the FireEye report, researchers assert that this latest wave of phishing attacks is a new strategy for TEMP.Zagros. The group has also adopted new tools such as POWERSTATS for backdoors and techniques such an as AppLocker bypass, researchers said.

“In this campaign, the threat actor’s tactics, techniques and procedures shifted after about a month, as did their targets,” according to the co-authors of the FireEye report Sudeep Singh, Dileep Kumar Jallepalli, Yogesh Londhe and Ben Read.

According to FireEye, this latest campaign has been running from January through March. Similar to past the campaigns reported in November, the threat actor sent out phishing emails featuring malicious macro-based documents via email. FireEye said that these spearphishing emails typically have geopolitical themes, such as documents purporting to be from the National Assembly of Pakistan or the Institute for Development and Research in Banking Technology (established by the Reserve Bank of India).

“Given the type of entities targeted, we believe this activity is strategic in nature, primarily conducting reconnaissance and collection operations for geopolitical, defense, and economic data that could support nation-state interests and decision making,” Sarah Hawley, principal analyst at FireEye, told Threatpost.

When successfully executed, the malicious documents installed a backdoor trackable with POWERSTATS, researchers said.

“Each of these macro-based documents used similar techniques for code execution, persistence and communication with the command and control (C2) server,” said FireEye’s report.

“One of the more interesting observations during the analysis of these files was the re-use of the latest AppLocker bypass, and lateral movement techniques for the purpose of indirect code execution. The IP address in the lateral movement techniques was substituted with the local machine IP address to achieve code execution on the system.”

Starting Jan. 23, the actor used a macro-based document that dropped a VBS file and an INI file containing a Base64 encoded PowerShell command, task-based command-line shell and scripting language that is designed for system admins and power-users so that they can quickly automate the administration of multiple operating systems.

“Although the actual VBS script changed from sample to sample, with different levels of obfuscation and different ways of invoking the next stage of process tree, its final purpose remained same: invoking PowerShell to decode the Base64 encoded PowerShell command in the INI file that was dropped earlier by the macro, and executing it,” according to FireEye’s report.

The actor then switched techniques starting Feb. 27 and started using a scriptlet code execution method that leverages plain-text Setup Information (INF) files and scriptlet (SCT) files in an attempt to evade security products.

If executed, the phishing email’s malicious Word macro triggers the dropping of three files onto the target’s PC (C:\programdata). These files are malicious JavaScript-based scriptlet Defender.sct, DefenderService.inf and WindowsDefender.ini.

The Defender.sct file, which uses obfuscated JavaScript code, then executes a decoded PowerShell Script to perform several malicious activities. The PowerShell script is able to retrieve the data from the system by leveraging Windows Management Instrumentation (WMI) queries and environment variables. It also has the capabilities of taking screeenshots of the system desktop, checking for the presence of security tools and shutting down the system if any tools are detected.

Targeted countries include Turkey, Pakistan, Tajikistan, and India. FireEye told Threatpost that a combination of the targeting scope, use of malicious macros, similarly-themed decoy materials, and POWERSTATS malware led them to link TEMP.Zagros to the campaign. Hawley said that FireEye also found Chinese strings that it believes were left as false flags to complicate attribution efforts.

“These factors, as well as the operation’s focus on geopolitical entities and targeting scope led us to assess with moderate confidence that this activity has a nexus to Iran,” said Hawley.