The SeedWorm APT group, also known as MuddyWater, has resurfaced with cyber-attacks across several continents, mostly targeting telecommunications and IT services organisations.
PUBLISH DATE: 12-DEC-2018
Using new variants of its Powermud backdoor, detected as Backdoor.Powemuddy, the SeedWorm APT steals passwords, creates reverse shells, escalates privileges, and uses the native Windows cabinet-creation tool makecab.exe to compress stolen data before uploading it.
Backdoor.Powemuddy is a Trojan horse that opens a backdoor on the compromised computer. It may also download potentially malicious files.
Once a machine has been compromised with its backdoor, the threat actors deploy a tool to steal passwords saved for browsers, email accounts, social media, and chat services.
The Seedworm group controls its Powermud backdoor from behind a proxy network to hide the ultimate command-and-control (C&C) location.
The threat actors gather actionable information about their targets while favouring speed over operational security. The first trace of this threat actor was a public GitHub repository containing scripts that very closely match those observed in Seedworm operations.
One of the PowerShell scripts in that GitHub repository has been run on victim hosts in activity attributed to Seedworm. Many CrackMapExec PowerShell commands matching the victim-host activity have also been found.
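As an added defender-side example (not part of the original advisory or of Symantec's tooling), the following Python flags the makecab.exe data-staging behaviour described above when run over constructed Sysmon-style process-creation lines. The key=value field layout, the list of scripting hosts and the staging-directory heuristic are assumptions made for this example.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample process-creation events (Sysmon Event ID 1 style key=value
# text, an assumed layout for this example). Events 1 and 4 mimic a scripting
# host packing collected data into a .cab; event 2 is a benign build tool.
SAMPLE_EVENTS = [
    r'Image=C:\Windows\System32\makecab.exe ParentImage=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe CommandLine="makecab.exe C:\Users\Public\browser_creds.txt C:\Users\Public\upd.cab"',
    r'Image=C:\Windows\System32\makecab.exe ParentImage=C:\BuildTools\pack.exe CommandLine="makecab.exe /F C:\BuildTools\setup.ddf"',
    r'Image=C:\Windows\System32\notepad.exe ParentImage=C:\Windows\explorer.exe CommandLine="notepad.exe notes.txt"',
    r'Image=C:\Windows\System32\makecab.exe ParentImage=C:\Windows\System32\cmd.exe CommandLine="makecab.exe C:\Users\alice\AppData\Local\Temp\out.txt C:\Users\alice\AppData\Local\Temp\out.cab"',
]

# key=value pairs; a quoted value keeps its spaces (used for CommandLine).
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Assumption: hosts a PowerShell backdoor such as Powermud would launch makecab.exe
# from; legitimate cabinet builds normally come from installer or build tooling.
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe"}
# Assumption: user-writable directories typically used to stage collected data.
STAGING_DIRS = ("\\users\\public\\", "\\appdata\\local\\temp\\")


def parse_event(line):
    """Parse one key=value event line into a dict, stripping value quotes."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def basename(path):
    return PureWindowsPath(path).name.lower()


def inspect_event(event):
    """Return the reasons this event looks like makecab.exe staging stolen data,
    or an empty list if the event is not makecab.exe or nothing stands out."""
    reasons = []
    if basename(event.get("Image", "")) != "makecab.exe":
        return reasons
    parent = basename(event.get("ParentImage", ""))
    if parent in SCRIPT_HOSTS:
        reasons.append(f"makecab.exe spawned by scripting host {parent}")
    cmdline = event.get("CommandLine", "").lower()
    if any(d in cmdline for d in STAGING_DIRS):
        reasons.append("cabinet built from a user-writable staging directory")
    return reasons


def scan(lines):
    """Run inspect_event over raw event lines; return (event number, reasons) per hit."""
    hits = []
    for n, line in enumerate(lines, 1):
        reasons = inspect_event(parse_event(line))
        if reasons:
            hits.append((n, reasons))
    return hits
```

In production the same logic maps onto a Sysmon or EDR query keyed on Image, ParentImage and CommandLine; the staging-directory list should be tuned to the environment to keep build pipelines from alerting.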
Following is a breakdown of the countries affected by SeedWorm.
Following is a breakdown of the industries affected by SeedWorm.
INDICATORS OF COMPROMISE
When the Trojan is executed, it creates the following files:
The Trojan opens a backdoor on the compromised computer and connects to the following command and control (C&C) servers:
Below are some Symantec recommendations against the SeedWorm APT.
If you think you are a victim of a cyber-attack, immediately send an e-mail to firstname.lastname@example.org.