According to Broadcom's Symantec and Carbon Black Threat Hunter Team, new evidence shows an Iranian hacking group embedding itself in the networks of several U.S. organisations, including banks, airports, a non-profit, and a software company with operations in Israel. The activity is attributed to MuddyWater (also known as Seedworm), a state-sponsored group affiliated with Iran's Ministry of Intelligence and Security (MOIS). The campaign began in early February, following U.S. and Israeli strikes on Iran.
The attackers laid groundwork in the networks of the software company, a U.S. bank, and a Canadian non-profit to pave the way for a previously unknown backdoor named Dindoor, which runs on the Deno JavaScript runtime. There was also an attempt to exfiltrate data to a Wasabi cloud storage bucket with the Rclone sync utility. Both Rclone and Wasabi are legitimate, widely used tools, so such a transfer looks like ordinary backup traffic unless egress to cloud storage providers is baselined and monitored.
In the same environments a separate Python backdoor, Fakeset, was found; it had been downloaded from Backblaze servers, and the certificate used to sign it has also been used to sign Stagecomp and Darkcomp, malware families linked to MuddyWater. That shared code-signing certificate is what connects Fakeset to the group's other tooling.
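The report describes three observable behaviours: Rclone pushing data to Wasabi, a payload pulled from Backblaze, and a script running under the Deno runtime. The following script is an added triage example written for this page, not code from Symantec or Carbon Black, and it contains no indicators from their report: the event schema (`type`, `host`, `image`, `cmdline`, `dest_host`), the domain and allow-lists, and the sample events are all constructed assumptions. It shows why process command lines alone are weak for Rclone (the remote's endpoint normally lives in the config file, so the network event is what names the provider) and how a Deno script launched from a user-writable path stands out.

```python
"""Heuristic triage of endpoint telemetry for the tradecraft described above:
Rclone pushing data to S3-compatible cloud storage (Wasabi), a payload
fetched from Backblaze, and JavaScript executed under the Deno runtime.

Illustrative code added for this page. The event schema, domain lists,
allow-list and sample events are assumptions, not indicators from the
Symantec/Carbon Black report.
"""

# Storage providers named in the article (assumed list; extend as needed).
STORAGE_DOMAINS = ("wasabisys.com", "backblazeb2.com")

# Process names for which contact with those providers is expected (assumed).
EXPECTED_IMAGES = {"chrome.exe", "msedge.exe", "firefox.exe", "backupagent.exe"}

RCLONE_NAMES = {"rclone", "rclone.exe"}
DENO_NAMES = {"deno", "deno.exe"}

# Path fragments an ordinary user can write to; scripts run from here are suspect.
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\programdata\\", "/tmp/", "/home/")


def _image_name(image):
    """Basename of an executable path, lower-cased, for either path style."""
    return image.replace("\\", "/").rsplit("/", 1)[-1].lower()


def is_storage_host(host):
    """True if host is one of the listed storage providers or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in STORAGE_DOMAINS)


def _from_user_writable(path):
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE)


def _finding(rule, severity, ev, detail):
    return {"rule": rule, "severity": severity, "host": ev["host"],
            "image": ev["image"], "detail": detail}


def triage(events):
    """Return findings for a list of telemetry events.

    Each event is a dict with "type" == "process" (host, image, cmdline) or
    "type" == "network" (host, image, dest_host). The field names are an
    assumed schema, not that of any particular EDR product.
    """
    findings = []
    for ev in events:
        name = _image_name(ev["image"])
        if ev["type"] == "process":
            cmd = ev.get("cmdline", "")
            args = cmd.split()
            if name in RCLONE_NAMES:
                # The remote's endpoint usually lives in the rclone config, so the
                # command line rarely names the provider; medium unless a storage
                # domain is visible (e.g. passed via --s3-endpoint).
                sev = "high" if any(d in cmd.lower() for d in STORAGE_DOMAINS) else "medium"
                findings.append(_finding("rclone-exec", sev, ev,
                                         "Rclone launched; inspect remote, --config and source path"))
            elif name in DENO_NAMES and "run" in args:
                # First non-flag token after "run" is the script; a script under a
                # user-writable path, or -A/--allow-all, matches the Dindoor pattern.
                tail = args[args.index("run") + 1:]
                script = next((a for a in tail if not a.startswith("-")), "")
                broad = "--allow-all" in args or "-A" in args
                if _from_user_writable(script) or broad:
                    perms = " ".join(a for a in args if a.startswith("--allow") or a == "-A")
                    findings.append(_finding("deno-user-script", "high", ev,
                                             f"deno run of {script} (permissions: {perms})"))
        elif ev["type"] == "network" and is_storage_host(ev["dest_host"]):
            if name in RCLONE_NAMES:
                findings.append(_finding("rclone-to-storage", "high", ev,
                                         f"Rclone connected to {ev['dest_host']}"))
            elif name not in EXPECTED_IMAGES:
                findings.append(_finding("unexpected-storage-egress", "medium", ev,
                                         f"{name} connected to {ev['dest_host']}"))
    return findings


# Constructed sample telemetry (not real captures): two hits for Rclone, one
# Deno script from AppData, one Python download from Backblaze, two benign events.
SAMPLE_EVENTS = [
    {"type": "process", "host": "WS01", "image": r"C:\Users\Public\rclone.exe",
     "cmdline": r"rclone.exe copy C:\Users\alice\Documents backup:docs --config C:\Users\Public\rc.conf"},
    {"type": "network", "host": "WS01", "image": r"C:\Users\Public\rclone.exe",
     "dest_host": "s3.us-east-1.wasabisys.com"},
    {"type": "process", "host": "WS02", "image": r"C:\Users\bob\AppData\Local\deno\deno.exe",
     "cmdline": r"deno.exe run --allow-net --allow-run C:\Users\bob\AppData\Roaming\update\main.js"},
    {"type": "process", "host": "WS03", "image": r"C:\Program Files\Git\usr\bin\rsync.exe",
     "cmdline": r"rsync.exe -a /c/build/ nas:/builds/"},
    {"type": "network", "host": "WS02", "image": r"C:\Users\bob\AppData\Local\Programs\Python\python.exe",
     "dest_host": "f005.backblazeb2.com"},
    {"type": "network", "host": "WS04", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "dest_host": "s3.wasabisys.com"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['rule']} on {f['host']}: {f['detail']}")
```

The allow-list is deliberately small: in an environment with no sanctioned use of Deno, Rclone, Wasabi or Backblaze, every one of these rules can be raised to high severity, while a developer workstation running Deno from a user profile will need the `deno-user-script` rule tuned by parent process or script path before it is useful.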