Iranian hackers are employing new spyware that targets Telegram Messenger API

An Iranian geopolitical nexus threat actor deployed two new targeted malware with basic backdoor features as part of an attack on an unidentified Middle Eastern government body in November 2021.

According to cybersecurity firm Mandiant, an unclassified cluster that goes under the pseudonym UNC3313, associated with the MuddyWater state-sponsored gang, is responsible for the attack.

Telegram Virus

In order to get initial access, the attacks are believed to have been planned via spear-phishing emails, followed by using publicly accessible offensive security tools and remote access software.

Multiple victims were tricked into clicking a URL to download a RAR archive file housed on OneHub by receiving phishing emails posing as job promotion offers. This opened the door for the installation of ScreenConnect, a legitimate remote access program, that provided initial access.

Using ScreenConnect, UNC3313 swiftly established remote access to infiltrate computers within an hour of the first infection, researchers explain. As the attack progressed, the attackers used disguised PowerShell commands to download new tools and payloads to distant computers, as well as to increase their access rights and perform internal reconnaissance on the targeted network to collect more information.

STARWHALE, a Windows Script File (.WSF) that executes orders received through HTTP from a hardcoded command-and-and-control (C2) server, was also found to be a backdoor.

After evading discovery for a while, a second implant named GRAMDOOR was introduced throughout the attack, which uses the Telegram API to communicate with the attacker-controlled server in order to avoid detection.

Researchers claim that UNC3313 performs surveillance and collects strategic intelligence to assist Iranian interests and decision-making. According to the study, a considerable concentration on geopolitical nexus targets may be seen in the targeting patterns and accompanying lures used by the gang.

In the middle of January 2022, U.S. intelligence agencies described MuddyWater (also known as Static Kitten, Seedworm, TEMP.Zagros, or Mercury) as an Iranian Ministry of Intelligence and Security (MOIS) subordinate that has been active since at least 2018 and is known to use a wide range of malicious tools and techniques in its operations.

New combined cybersecurity warnings from the United Kingdom and the United States accuse MuddyWater of espionage strikes on the military, local government, and oil and natural gas industries all around the world.


About the author

Lidia Howler

Lidia is a web content creator with years of experience in the cyber-security sector. She helps readers with articles on malware removal and online security. Her strive for simplicity and well-researched information provides users with easy-to-follow It-related tips and step-by-step tutorials.

Leave a Comment