
FireEye: Iranian hackers spread malicious documents in Asia and the Middle East

TEMP.Zagros, active since at least May 2017, engaged in prolific spear phishing of government and defense entities in Central and Southwest Asia

TEMP.Zagros, an Iran-nexus actor, has leveraged the latest code execution and persistence techniques to distribute malicious macro-based documents to individuals in Asia and the Middle East. The activity was discovered by cybersecurity researchers through FireEye’s Dynamic Threat Intelligence. The group has been active since at least May 2017 and has engaged in prolific spear phishing of government and defense entities in Central and Southwest Asia. The spear phishing emails and the attached malicious macro documents typically have geopolitical themes. When successfully executed, the malicious documents install a backdoor that FireEye tracks as POWERSTATS. One of the more interesting observations during the analysis of these files was the reuse of the latest AppLocker bypass and of lateral movement techniques for the purpose of indirect code execution: the remote IP address normally used in the lateral movement techniques was substituted with the local machine’s IP address, so that the technique executed code on the local system itself.

FireEye: the Iranian hackers launched the aggressive cyber campaign in two parts

The Iranian hackers of TEMP.Zagros launched the campaign in two parts. In the first (from Jan. 23, 2018, to Feb. 26, 2018), based on what FireEye discovered, they used a macro-based document that dropped a VBS file and an INI file. The INI file contains a Base64-encoded PowerShell command, which is decoded and executed by PowerShell using a command line generated by the VBS file when it is run with WScript.exe. The VBS script changed from sample to sample, with different levels of obfuscation and different ways of invoking the next stage of the process tree, but its final purpose remained the same: invoking PowerShell to decode the Base64-encoded PowerShell command in the INI file dropped earlier by the macro, and executing it.

The infection vector of all the attacks is macro-based documents sent as email attachments

The second part of the TEMP.Zagros campaign (from Feb. 27, 2018, to March 5, 2018) used a new variant of the macro. It does not use VBS for PowerShell code execution; instead, it relies on one of the recently disclosed code execution techniques leveraging INF and SCT files. The infection vector of all the attacks is macro-based documents sent as email attachments. The malicious files appear to have been specially crafted by the Iranian hackers for individuals in four countries: Turkey, Pakistan, Tajikistan and India. Each of these macro-based documents used similar techniques for code execution, persistence and communication with the command and control (C2) server.
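The two execution chains described above (VBS launched by WScript.exe that hands PowerShell a Base64-encoded command, and a macro-spawned child given an INF or SCT file) leave characteristic parent/child process traces. The following detection sketch is an added example, not code from the article or from FireEye: it runs three rules over constructed process-creation events and decodes the encoded PowerShell argument for the analyst. The event fields, the sample paths and the launcher name are assumptions; the launcher is a placeholder, not a specific Windows binary.

```python
import base64
import re

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}

# Constructed sample process-creation events (not real telemetry), modelled on the
# chains above: WScript.exe -> PowerShell with a Base64 payload, an Office macro ->
# placeholder launcher given an INF file, and a benign PowerShell run for contrast.
_PAYLOAD = base64.b64encode("Write-Host 'stage two'".encode("utf-16le")).decode()
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\System32\WScript.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -EncodedCommand " + _PAYLOAD},
    {"parent": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "image": r"C:\Windows\System32\PLACEHOLDER_LAUNCHER.exe",
     "cmdline": r'PLACEHOLDER_LAUNCHER.exe /s "C:\Users\victim\AppData\Local\Temp\setup.inf"'},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"},
]

def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload (PowerShell uses UTF-16LE), else None."""
    m = re.search(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", cmdline, re.I)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None

def classify(event):
    """Return the list of rule hits for one process-creation event (empty = benign)."""
    parent = event["parent"].rsplit("\\", 1)[-1].lower()
    image = event["image"].rsplit("\\", 1)[-1].lower()
    cmd = event["cmdline"]
    findings = []
    # Rule 1: the VBS -> PowerShell hand-off of the first campaign phase.
    if parent == "wscript.exe" and image == "powershell.exe":
        findings.append("PowerShell spawned by WScript.exe (VBS -> PowerShell stage)")
    # Rule 2: surface the Base64-encoded command so the analyst sees the next stage.
    decoded = decode_encoded_command(cmd)
    if decoded is not None:
        findings.append("encoded PowerShell command; decoded: " + decoded)
    # Rule 3: the INF/SCT-based launch of the second campaign phase, from an Office parent.
    if parent in OFFICE_PARENTS and re.search(r"\.(inf|sct)\b", cmd, re.I):
        findings.append("Office application launched a child with an INF/SCT argument")
    return findings

def scan(events):
    """Return (index, findings) for every event that triggered at least one rule."""
    return [(i, f) for i, e in enumerate(events) if (f := classify(e))]
```

On the constructed events, `scan(SAMPLE_EVENTS)` flags the first two and leaves the explorer-launched script untouched.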

The full FireEye post on the TEMP.Zagros Iranian hacker group
