Rewterz penetration testing services help organizations determine if a cyber attacker can gain access to their critical assets while giving them detailed insights of the overall business impact of a cyber attack.
Before Rewterz got its start, the market was in dire need of a specialized and dedicated information security company. It was nearly impossible for businesses to find a trustworthy provider that could truly cover all of their bases. We wanted to meet this need, giving companies across the globe a chance to get ahead while knowing that their data is in good hands.
The SeedWorm APT group, aka MuddyWater, has resurfaced with cyber-attacks across several continents, mostly affecting organizations in the telecommunications and IT services sectors.
IMPACT: MEDIUM
PUBLISH DATE: 12-DEC-2018
OVERVIEW
Using new variants of its Powermud backdoor, detected as Backdoor.Powemuddy, the SeedWorm APT steals passwords, creates reverse shells, escalates privileges, and uses the native Windows cabinet creation tool makecab.exe to compress stolen data before uploading it.
ANALYSIS
Backdoor.Powemuddy is a Trojan horse that opens a backdoor on the compromised computer. It may also download potentially malicious files.
Once a machine has been compromised with the backdoor, the threat actors deploy a tool to steal passwords saved in browsers, email clients, social media accounts, and chat applications.
The Seedworm group controls its Powermud backdoor from behind a proxy network to hide the ultimate command-and-control (C&C) location.
The threat actors dig up actionable information about their targets while favouring speed over operational security. The first trace of this threat actor was a public GitHub repository containing scripts that very closely match those observed in SeedWorm operations.
One of the PowerShell scripts in the Github repository has been run on victim hosts in activity attributed to Seedworm. Many Crackmapexec PowerShell commands matching the victim host activity have also been found.
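The overview and analysis above describe a PowerShell-based backdoor that stages stolen data with the native makecab.exe tool before upload. The parent-child relationship "PowerShell spawns makecab.exe" is something a defender can hunt for in process-creation telemetry. The following is an added detection example written for this advisory; it is not Rewterz or Symantec code and not part of the original report. The event layout (parent image, image, command line, user), the sample events, the user names and paths, and the choice of staging directories are all constructed assumptions for illustration.

```python
import ntpath
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    """One process-creation record. The field layout mirrors a generic
    EDR/Sysmon-style log and is an assumption for this example."""
    parent_image: str
    image: str
    command_line: str
    user: str


# Scripting hosts named in the advisory's description of the backdoor.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe"}

# User-writable directories commonly used to stage data (assumed heuristic list).
STAGING_DIRS = ("\\users\\public\\", "\\temp\\", "\\appdata\\local\\temp\\")


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path, portable across host OSes."""
    return ntpath.basename(path).lower()


def cab_targets(command_line: str) -> list:
    """Return command-line tokens (quoted or bare) that name a .cab output."""
    tokens = re.findall(r'"[^"]+"|\S+', command_line)
    return [t for t in tokens if t.strip('"').lower().endswith(".cab")]


def classify(ev: ProcessEvent):
    """Score a single event; returns a finding dict or None if benign."""
    if basename(ev.image) != "makecab.exe":
        return None
    reasons = []
    parent = basename(ev.parent_image)
    if parent in SCRIPT_HOSTS:
        reasons.append(f"makecab.exe spawned by {parent}")
    for target in cab_targets(ev.command_line):
        clean = target.strip('"')
        if any(d in clean.lower() for d in STAGING_DIRS):
            reasons.append(f"cabinet written to user-writable staging path {clean}")
    if not reasons:
        return None
    # Two independent signals together are a stronger indicator than either alone.
    severity = "high" if len(reasons) >= 2 else "medium"
    return {
        "user": ev.user,
        "severity": severity,
        "reasons": reasons,
        "command_line": ev.command_line,
    }


def detect_makecab_staging(events) -> list:
    """Run the classifier over a sequence of events and keep the findings."""
    return [finding for finding in map(classify, events) if finding]


# Constructed sample events (hypothetical; not indicators from the advisory).
SAMPLE_EVENTS = [
    # Legitimate build step driven from the desktop: no finding.
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\makecab.exe",
                 "makecab.exe /F build.ddf", r"CORP\builder"),
    # PowerShell compressing a collected file into a public staging folder.
    ProcessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"C:\Windows\System32\makecab.exe",
                 r"makecab.exe C:\Users\Public\collect.txt C:\Users\Public\collect.cab",
                 r"CORP\jdoe"),
    # Command-prompt driven packaging outside any staging directory: no finding.
    ProcessEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\makecab.exe",
                 r"makecab.exe C:\Build\out.txt C:\Build\out.cab", r"CORP\builder"),
    # PowerShell Core spawning makecab.exe, but writing to a project folder.
    ProcessEvent(r"C:\Program Files\PowerShell\7\pwsh.exe",
                 r"C:\Windows\System32\makecab.exe",
                 r"makecab.exe D:\data\report.txt D:\data\report.cab", r"CORP\asmith"),
]


if __name__ == "__main__":
    for finding in detect_makecab_staging(SAMPLE_EVENTS):
        print(finding["severity"].upper(), finding["user"], "|", "; ".join(finding["reasons"]))
```

Run against the constructed events, the script reports the PowerShell-to-public-folder case as high and the pwsh.exe case as medium, and stays quiet on the two build-tool uses. In a real deployment the parent list and staging directories should be tuned to the environment, and the cab-file names from findings can be fed into the file-creation telemetry to confirm whether the archive was subsequently uploaded.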
ATTACK TARGETS
Following is a breakdown of the countries that have been affected by SeedWorm.
Following is a breakdown of the industries that have been affected by SeedWorm.
INDICATORS OF COMPROMISE
When the Trojan is executed, it creates the following files:
The Trojan opens a backdoor on the compromised computer and connects to the following command and control (C&C) servers:
MITIGATION
Below are some Symantec recommendations against the SeedWorm APT.
If you think you’re a victim of a cyber-attack, immediately send an e-mail to soc@rewterz.com.