A hacker group uses a new type of trojans to attack telecom providers and information technology companies, as well as government organizations. The malware has been named Seedworm and has been active since at least 2017.

Seedworm seems to be primarily aimed at infecting organisations in the Middle East. This is where most Seedworm infections occur. However, a number of European and North American organisations have also been affected. In recent months, the group’s activity has increased considerably.

Dozens of victims

That’s what Symantec investigators are reporting. The company states that the hackers, who call themselves MuddyWater, have since last September stolen data from more than 130 victims in 30 companies. The attacks are mainly aimed at stealing passwords from internet accounts, but also include internal communication data and other data.

Seedworm’s latest attack, for example, focused on an oil-producing country’s embassy in Brazil. The attack could be detected because the hackers prefer speed and manoeuvrability to operational safety. In this way, the researchers could see quite easily what exactly was done by the hackers.

Continuously improved

Since MuddyWater became active, Seedworm has been using the back door Powermud, which the hackers have developed themselves. Powermud is continuously updated to prevent it from being detected. Further use is made of the spear-phishing technique.

That’s the main way the malware is planted. Once installed on a system, a number of tools are launched aimed at stealing passwords that users have stored in their web browser and mail accounts. Seedworm also uses open-source tools such as LaZagne and Crackmapexec to gain extensive access to the Windows system.

Fast and not safe

It is striking that the developers of Seedworm use GitHub to store their scripts. This confirms the suspicion that MuddyWater prefers to act quickly and is less concerned about the safety of their work. But there is nothing in the scripts that immediately indicates that these are scripts that are used for malware, according to Jonathan Wrolstad of Symantec versus ZDNet.

This news article was automatically translated from Dutch to give Techzine.eu a head start. All news articles after September 1, 2019 are written in native English and NOT translated. All our background stories are written in native English as well. For more information read our launch article.