Cybereason released new reports this week sharing discoveries made by our researchers related to two different Iranian threat actors. One of the keys to giving Defenders the tools they need to reverse the adversary advantage is understanding how attackers think and the tools they use—which is why research into emerging tactics and techniques is essential.
These campaigns highlight the blurred line between nation-state threat adversaries and cybercrime threat actors. Ransomware gangs often employ APT-like tactics to infiltrate across as much of a targeted network as possible without being detected, while APT groups increasingly leverage cybercrime tools and exploits like ransomware as a distraction to cover the tracks of more nefarious geopolitical goals. In some cases, nation-states and cybercriminals cooperate, or coordinate efforts as the ongoing Cyber Cold War gets warmer.
The StrifeWater RAT
Our researchers discovered a previously undocumented remote access trojan (RAT), dubbed “StrifeWater.” The exploit is attributed to Moses Staff—a known Iranian threat actor. The Moses Staff APT group has previously targeted organizations in countries around the world to exfiltrate sensitive data on behalf of the Iranian government. The group typically deploys destructive ransomware once they have what they are looking for in an effort to complicate incident response and forensic investigation.
The PowerLess Backdoor
Cybereason researchers also found a new set of tools from another Iranian APT—the Phosphorus Group. Researchers identified a novel PowerShell-based backdoor, dubbed “PowerLess”. What is most intriguing about the PowerLess Backdoor is that it runs in the context of a .NET application to avoid detection by security tools that monitor for the execution of “powershell.exe”. It is also notable that our researchers discovered that one of the IP addresses associated with the PowerLess Backdoor is also being used as command and control (C2) for the recently discovered Memento ransomware.
Threat Actor Motive Is Irrelevant for Defenders
Both of these reports are examples of the ways that nation-state adversary and cybercrime threat actor tactics have converged. One is using a destructive payload designed to look like ransomware in order to obfuscate the attack and hamper forensic investigation, while the other appears to have a direct connection with an active ransomware family.
While researchers uncovered novel and innovative techniques from both threat actors, they also uncovered that both also take advantage of well-known tools and weaknesses. Both threat actors abuse multiple open source tools in their campaigns, and the Phosphorus Group, in particular, actively exploits the ProxyShell vulnerabilities in Microsoft Exchange and the Log4Shell vulnerabilities in Apache.
There is no longer a significant distinction between nation-state adversaries and sophisticated cybercriminal operations for Defenders in the private sector. That’s why it is crucial for us as Defenders to collectively improve our detection and prevention capabilities if we are going to keep pace with these evolving threats.
The reality is that it doesn’t matter. Defenders have to defend against cyberattacks regardless of the motivation or sophistication of the attacker. Fortunately, the proactive research and threat hunting conducted by Cybereason researchers gives us insight into emerging threats and raises awareness so we can be better prepared to defend against attacks.