
Cyber Espionage, Iran targets Middle East and Asia telecom (TLC) operators

Symantec: Iran targets Middle East and Asia telecom operators. The MuddyWater APT (aka MERCURY, SeedWorm and TEMP.Zagros) used legitimate tools, publicly available malware, and living-off-the-land tactics rather than custom malware

The Iranian APT MuddyWater (aka MERCURY, SeedWorm and TEMP.Zagros) targeted telecom operators in the Middle East and Asia for cyber espionage, according to Symantec researchers. The campaign used no custom malware; it relied instead on a mixture of legitimate tools, publicly available malware and living-off-the-land tactics, which leaves defenders with little to detect on the basis of malware signatures alone. After breaching a network, the attackers attempt to steal credentials and move laterally across it. They appear particularly interested in Exchange Servers, onto which they deploy web shells. In some cases the attackers may be using compromised organizations as stepping stones to additional victims, and some targets may have been compromised solely to mount supply-chain-type attacks on other organizations. In most attacks the infection vector is unknown; evidence of a possible vector was found at only one target, where a suspected ScreenConnect setup MSI was delivered inside the zipped file “Special discount program.zip”, suggesting that it arrived in a spear-phishing email.
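The two observables the article does give a defender something to hunt for are the archived installer of a remote-administration tool arriving by mail and web shells written under Exchange's web directories. The script below is an added example, not code from Symantec or from the article: it runs two such hunting heuristics over constructed, inline sample log lines. The log format (a `mailgw` record whose gateway lists the archive's `contents`, and an `endpoint` file-creation record with a `path`), the host names, the addresses and the Exchange `FrontEnd`/`ClientAccess` path pattern used to scope the web shell check are all assumptions made for the example; the zip name is the one the article reports.

```python
import re

# Constructed sample log lines for the example (not real telemetry).
# "mailgw" lines assume the gateway records the listing of archive attachments;
# "endpoint" lines assume a file-creation event with the full path.
SAMPLE_LOGS = [
    'mailgw from=sales@example.invalid to=noc@telco.example subject="Special discount program" '
    'attachment="Special discount program.zip" contents="ScreenConnect.ClientSetup.msi"',
    'mailgw from=hr@telco.example to=all@telco.example subject="Holiday schedule" '
    'attachment="schedule.pdf" contents=""',
    'mailgw from=partner@example.invalid to=it@telco.example subject="Invoice" '
    'attachment="invoice.zip" contents="invoice.pdf"',
    'endpoint host=EXCH01 event=file_create user=SYSTEM '
    'path="C:\\Program Files\\Microsoft\\Exchange Server\\V15\\FrontEnd\\HttpProxy\\owa\\auth\\help.aspx"',
    'endpoint host=WEB02 event=file_create user=deploy '
    'path="C:\\inetpub\\wwwroot\\portal\\default.aspx"',
    'endpoint host=EXCH01 event=file_create user=SYSTEM '
    'path="C:\\Program Files\\Microsoft\\Exchange Server\\V15\\Logging\\HttpProxy\\Owa\\HttpProxy_2024.LOG"',
]

# key=value pairs; values are either "double quoted" (may contain spaces) or a bare token.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

ARCHIVE_EXT = ('.zip', '.rar', '.7z', '.iso')
INSTALLER_EXT = ('.msi', '.exe')
# Assumed scope for the web shell check: Exchange's IIS-served directories.
EXCHANGE_WEB_DIR = re.compile(r'exchange server\\v\d+\\(frontend|clientaccess)\\', re.I)


def parse_line(line):
    """Split one log line into a dict; '_type' holds the leading record type."""
    fields = {'_type': line.split(' ', 1)[0]}
    for m in KV_RE.finditer(line):
        key, quoted, bare = m.groups()
        fields[key] = quoted if quoted is not None else bare
    return fields


def archived_installer(fields):
    """Mail attachment that is an archive wrapping an MSI/EXE installer
    (the ScreenConnect-in-a-zip pattern the article describes)."""
    attachment = fields.get('attachment', '').lower()
    inner = fields.get('contents', '').lower()
    return attachment.endswith(ARCHIVE_EXT) and inner.endswith(INSTALLER_EXT)


def exchange_webshell_drop(fields):
    """New .aspx file written under an Exchange web directory. Legitimate writes
    there happen during patching, so every hit is worth a triage, not an alert storm."""
    path = fields.get('path', '')
    return (fields.get('event') == 'file_create'
            and path.lower().endswith('.aspx')
            and EXCHANGE_WEB_DIR.search(path) is not None)


def hunt(lines):
    """Return (rule, subject, detail) tuples for every line matching a heuristic."""
    findings = []
    for line in lines:
        f = parse_line(line)
        if f['_type'] == 'mailgw' and archived_installer(f):
            findings.append(('archived-installer', f.get('to', '?'),
                             f['attachment'] + ' -> ' + f['contents']))
        elif f['_type'] == 'endpoint' and exchange_webshell_drop(f):
            findings.append(('exchange-aspx-write', f.get('host', '?'), f['path']))
    return findings


if __name__ == '__main__':
    for rule, subject, detail in hunt(SAMPLE_LOGS):
        print(f'{rule:22} {subject:20} {detail}')
```

The installer rule deliberately keys on the archive-plus-installer shape rather than on the one filename the article reports, because a lure name changes between campaigns while the delivery shape does not; the Exchange rule is a triage queue, so pair each hit with the writing process and the server's patch history before calling it a web shell.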
