Iranian Threat Group Conducting Phishing Attacks in the Middle East

FireEye’s Dynamic Threat Intelligence has observed attackers increasingly distributing malicious macro-based documents to individuals in Asia and the Middle East. This activity has been attributed to TEMPZagros (reported by Palo Alto as MuddyWater), an Iranian threat group that has been active since May 2017. Over the last month the group has upgraded its Tactics, Techniques, and Procedures (TTPs) in an advanced spear phishing campaign targeting Asia.

The group sends out malicious Microsoft Office documents as email attachments, especially aimed at individuals in Pakistan, India, Tajikistan, and Turkey. The documents falsely appear to be from key national institutions such as the Ministry of Internal Affairs of the Republic of Tajikistan or the National Assembly of Pakistan.

TEMPZagros’ commonly used tactics include sender impersonation and email personalization to breach an organization’s defences, followed by the installation of a backdoor to provide ongoing access. TEMPZagros constantly updates its malware, incorporating the latest code execution and persistence techniques. This enables the actor to evade detection and gain control of target computers, including the ability to entirely reboot systems.

“Large organizations should be alert to these attacks, which could be extremely disruptive and costly. We advise users to protect themselves from such attacks by disabling Office macros in their settings immediately and by being more vigilant when enabling macros (especially when prompted) in documents, even if such documents are from seemingly trusted sources,” explained Alister Shepherd, the MEA Director for Mandiant at FireEye.
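The advice above is about what happens on the endpoint once a user is prompted. Mail gateways can apply the same idea one step earlier by refusing or quarantining attachments that carry a VBA project regardless of their extension. The following is an added example written for this page, not code from FireEye, Mandiant or the article; the attachment bytes it scans are constructed in memory (minimal OOXML zips and a stand-in for a legacy OLE header), and the function names `has_vba_macros` and `scan_attachments` are the example's own.

```python
"""Flag Office attachments that embed VBA macros, based on content rather than file extension.

Constructed example: two minimal OOXML (zip-based) documents, one with and one
without a vbaProject.bin part, plus a stand-in legacy OLE blob, are built in
memory and scanned. Nothing here is a real sample from the campaign.
"""
import io
import zipfile

# Magic header of the legacy OLE compound file format (.doc / .xls / .ppt).
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# Content type that OOXML declares for an embedded VBA project.
VBA_CONTENT_TYPE = b"application/vnd.ms-office.vbaProject"
# OLE directory entry names are stored as UTF-16LE; this stream is present in VBA projects.
OLE_VBA_STREAM = "_VBA_PROJECT".encode("utf-16-le")


def has_vba_macros(data: bytes) -> bool:
    """Return True if the bytes look like an Office document that carries VBA.

    OOXML files are zip containers; macros live in a vbaProject.bin part and are
    declared in [Content_Types].xml. Because only the contents are inspected, a
    macro document renamed to .docx is still caught. Legacy OLE files are flagged
    on the presence of the _VBA_PROJECT stream name, a coarse heuristic rather
    than a full OLE parse.
    """
    if data.startswith(OLE_MAGIC):
        return OLE_VBA_STREAM in data
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            if any(name.lower().endswith("vbaproject.bin") for name in names):
                return True
            if "[Content_Types].xml" in names:
                return VBA_CONTENT_TYPE in zf.read("[Content_Types].xml")
    return False


def scan_attachments(attachments: dict) -> list:
    """Return the names of attachments (name -> bytes) that carry macros."""
    return [name for name, data in attachments.items() if has_vba_macros(data)]


def build_ooxml(parts: dict) -> bytes:
    """Assemble a minimal OOXML package from part name -> bytes (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, body in parts.items():
            zf.writestr(name, body)
    return buf.getvalue()


CONTENT_TYPES_PLAIN = (
    b'<?xml version="1.0" encoding="UTF-8"?>'
    b'<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
    b'<Override PartName="/word/document.xml" ContentType="application/vnd.'
    b'openxmlformats-officedocument.wordprocessingml.document.main+xml"/>'
    b"</Types>"
)

# Constructed: a harmless document with no VBA part.
PLAIN_DOCX = build_ooxml({
    "[Content_Types].xml": CONTENT_TYPES_PLAIN,
    "word/document.xml": b"<w:document/>",
})

# Constructed: a macro-bearing package given a .docx name; the vbaProject.bin
# body is placeholder bytes, not a real VBA project.
MACRO_DOC_RENAMED_DOCX = build_ooxml({
    "[Content_Types].xml": CONTENT_TYPES_PLAIN,
    "word/document.xml": b"<w:document/>",
    "word/vbaProject.bin": b"\x00" * 16,
})

# Constructed stand-in for a legacy .doc: valid magic, padding, then the UTF-16LE
# stream name a VBA project would carry. Not a structurally valid OLE file.
FAKE_OLE_WITH_VBA = OLE_MAGIC + b"\x00" * 504 + OLE_VBA_STREAM

SAMPLE_ATTACHMENTS = {
    "agenda.docx": PLAIN_DOCX,
    "invitation.docx": MACRO_DOC_RENAMED_DOCX,
    "report.doc": FAKE_OLE_WITH_VBA,
}

if __name__ == "__main__":
    for flagged in scan_attachments(SAMPLE_ATTACHMENTS):
        print(f"quarantine: {flagged} carries a VBA project")
```

The check is deliberately content-based: the extension and the displayed sender are exactly the fields a spoofed lure controls, while the presence of a VBA part inside the container is not. A production gateway would add OLE parsing and signature verification, but even this coarse check removes the user from the decision for the common case the article describes.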


Chris Fernando

Chris N. Fernando is an experienced media professional with over two decades of journalistic experience. He is the Editor of Arabian Reseller magazine, the authoritative guide to the regional IT industry. Follow him on Twitter (@chris508) and Instagram (@chris2508).
