Iran-Linked Group ‘TEMP.Zagros’ updates tactics, techniques in latest campaign

A large phishing campaign is under way in Asia and the Middle East. Responsible for it is an Iranian threat group tracked as TEMP.Zagros, also known as MuddyWater. The campaign represents an evolution because it introduces new tactics, techniques, and procedures (TTPs): a range of code execution and persistence techniques is used to deliver macro-based malicious documents to individuals in Asia and the Middle East.

TEMP.Zagros hit various industries in several countries across the Middle East and Central Asia. They managed this by luring victims into downloading infected documents onto their computers and then using those machines to compromise the surrounding networks.
Compromising a company's computer network is the most destructive cyber attack that can be carried out against a business. This is why every company, and every individual user as well, must protect their devices with the latest and best cybersecurity solution. For an individual, that solution comes in the form of an antivirus for Windows or an antivirus for Mac, depending on which OS the device is running. For companies, this step is only the first layer of security; to obtain the best protection, every company should hire a cybersecurity firm that will deliberately attack the company's network to reveal its most dangerous flaws.
These deliberate attacks are carried out through specialized security tests such as penetration tests and ethical hacking assessments.

TEMP.Zagros adopted new tools such as the POWERSTATS backdoor and tactics such as an AppLocker bypass.
The POWERSTATS backdoor is deployed as soon as the malicious document is opened.
During our malware analysis, we observed that each of these macro-based documents used similar techniques for code execution, persistence, and communication with the command-and-control (C&C) server.
The most notable discovery of this analysis was the re-use of the latest AppLocker bypass together with spreading techniques for indirect code execution. In these spreading techniques the IP address was replaced with the local machine's IP address; by doing this, the malware ensures that code execution is achieved on the local system.

The infected VBS or INI file contains a macro-based document that uses a Base64-encoded PowerShell command.
In this attack the attackers used plain-text Setup Information (INF) files and scriptlet (SCT) files to evade whatever security solution is present on the targeted devices.

The Word macros in each infected file drop three files into C:\programdata on every targeted PC: the malicious JavaScript-based scriptlet Defender.sct, DefenderService.inf and WindowsDefender.ini.
The Defender.sct file uses obfuscated JavaScript that executes a decoded PowerShell script to perform several malicious actions. That PowerShell script can collect data from the system using Windows Management Instrumentation (WMI) queries and environment variables. It can also take screenshots of the desktop, check for the presence of security software, and shut down the system if any is detected.
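As an added, defender-side example (not code from the original post or from the campaign), the following Python helper decodes a Base64-encoded PowerShell command found in a process-creation log line (PowerShell's -EncodedCommand switch expects UTF-16LE) and flags file-create events that write .sct, .inf or .ini files into C:\ProgramData, the drop pattern described above. The log line format and all sample lines are constructed for the example.

```python
import base64
import re

# Base64 payload following PowerShell's -e / -ec / -enc / -EncodedCommand switch
ENC_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)
# Scriptlet / INF / INI files written directly under C:\ProgramData
DROP_RE = re.compile(r'c:\\programdata\\[^\\\s"]+\.(?:sct|inf|ini)\b', re.IGNORECASE)


def decode_encoded_command(cmdline):
    """Return the decoded PowerShell script if cmdline carries an encoded command, else None."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        raw = base64.b64decode(m.group(1), validate=True)
        return raw.decode("utf-16-le")  # PowerShell encodes the command as UTF-16LE
    except (ValueError, UnicodeDecodeError):
        return None  # not a valid encoded command; treat as no finding


def scan_log(lines):
    """Return (line_no, reason, detail) findings for each suspicious log line."""
    findings = []
    for i, line in enumerate(lines, 1):
        decoded = decode_encoded_command(line)
        if decoded is not None:
            findings.append((i, "encoded-powershell", decoded))
        drop = DROP_RE.search(line)
        if drop:
            findings.append((i, "programdata-scriptlet-drop", drop.group(0)))
    return findings


# Constructed sample events (hypothetical format, not real campaign telemetry).
# The encoded command is built here so the sample stays self-contained.
SAMPLE_ENCODED = base64.b64encode("Get-Process".encode("utf-16-le")).decode("ascii")
SAMPLE_LOG = [
    "ProcessCreate: powershell.exe -nop -w hidden -enc " + SAMPLE_ENCODED,
    "FileCreate: WINWORD.EXE wrote C:\\ProgramData\\Defender.sct",
    "FileCreate: WINWORD.EXE wrote C:\\ProgramData\\DefenderService.inf",
    "ProcessCreate: notepad.exe C:\\Users\\alice\\notes.txt",
]

if __name__ == "__main__":
    for line_no, reason, detail in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: {reason}: {detail}")
```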

Companies and individuals in Turkey, Pakistan, Tajikistan, and India are targeted by TEMP.Zagros. To stay fully secured and protected, we recommend deploying a robust security solution on your devices, such as an antivirus for Windows or an antivirus for Mac, depending on which OS your machines are running.

It is also recommended that every company hire specialized cybersecurity firms to perform tests such as penetration tests and ethical hacking assessments that reveal flaws in the audited company's network.
For companies that operate entirely online, we recommend using secure web hosting services.