Experts at FireEye have uncovered a new massive phishing campaign conducted by TEMP.Zagros group. This group is targeting Asia and Middle East regions. These Iranian hackers were most active in this period, researchers uncovered a new massive phishing campaign targeting Asia, South Asia and Middle East regions.

The group behind the campaign is known as TEMP.Zagros, aka MuddyWater, and according to the experts it is now adopting new tactics, techniques, and procedures.

“We observed attackers leveraging the latest code execution and persistence techniques to distribute malicious macro-based documents to individuals in Asia and the Middle East. We attribute this activity to TEMP.Zagros (reported by Palo Alto Networks and Trend Micro as MuddyWater), an Iran-nexus actor that has been active since at least May 2017.” reads the analysis published by the experts at FireEye. “This actor has engaged in prolific spear phishing of government and defense entities in Central and Southwest Asia. The spear phishing emails and attached malicious macro documents typically have geopolitical themes. When successfully executed, the malicious documents install a backdoor we track as POWERSTATS.”

The TEMP.Zagros was first spotted by researchers at Tier3 back in 2017, the hackers targeted various industries in several countries with spear-phishing messages. These attackers used malware ridden documents typically having geopolitical themes, such as documents purporting to be from the National Assembly of Pakistan or the Institute for Development and Research in Banking Technology.

Last week expert at Trend Micro also attributed the new wave of attacks to the MuddyWater threat actor.

“We have discovered a new campaign targeting organizations in Turkey, Pakistan and Tajikistan that has some similarities with an earlier campaign named MuddyWater, which hit various industries in several countries, primarily in the Middle East and Central Asia.” states the analysis published by Trend Micro.

According to FireEye report, TEMP.Zagros attackers are adopting a new backdoor dubbed POWERSTATS for backdoors and the reuse of a known technique for lateral movements.Each of these macro-based documents used similar techniques for code execution, persistence, and communication with the command and control (C2) server.

Hackers re-used the AppLocker bypass and lateral movement techniques for the purpose of indirect code execution. The IP address in the lateral movement techniques was substituted with the local machine IP address to achieve code execution on the system.

The campaign started in January involved a macro-based document that dropped a VBS file and an INI file containing a Base64 encoded PowerShell command.The Base64 encoded PowerShell command will be decoded and executed by PowerShell using the command line generated by the VBS file on execution using WScript.exe. Attackers used a differed VBS script for each sample, employing different levels of obfuscation and different ways of invoking the next stage of the process tree.

Starting from Feb 2018, hackers used a new variant of the macro that does not use VBS for PowerShell code execution. The new variant uses a new code execution techniques leveraging INF and SCT files. Researchers also found Chinese strings in the malicious code used by TEMP.Zagros that were left as false flags to make hard the attribution.