FireEye’s Dynamic Threat Intelligence has observed a rise in the distribution of malicious macro-based documents to individuals in Asia and the Middle East. The activity has been attributed to TEMP.Zagros (reported by Palo Alto Networks as MuddyWater), an Iranian threat group that has been active since May 2017. Over the last month the group has upgraded its Tactics, Techniques, and Procedures (TTPs) in a spear phishing campaign targeting Asia.
The group sends malicious Microsoft Office documents as email attachments, aimed mainly at individuals in Pakistan, India, Tajikistan, and Turkey. The documents purport to come from key national institutions such as the Ministry of Internal Affairs of the Republic of Tajikistan or the National Assembly of Pakistan.
TEMP.Zagros’ common tactics include sender impersonation and personalised email lures to get past an organisation’s defences, followed by the installation of a backdoor that provides ongoing access. The group updates its malware continually, incorporating current code execution and persistence techniques. This allows the actor to evade detection and take control of targeted computers, including the ability to reboot systems entirely.
“Large organizations should be alert to these attacks, which could be extremely disruptive and costly. We advise users to protect themselves from such attacks by disabling Office macros in their settings immediately and by being more vigilant when enabling macros (especially when prompted) in documents, even if such documents are from seemingly trusted sources,” explained Alister Shepherd, the MEA Director for Mandiant at FireEye.
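The macro hardening recommended above can be enforced centrally rather than left to each user’s Trust Center settings. The script below is an added example (not code from FireEye or from the article) that writes the same per-user policy values Group Policy uses for Word, Excel and PowerPoint and then audits them. It assumes Office 2016/2019/Microsoft 365, whose policy path uses the “16.0” version key; the registry value names (`VBAWarnings`, `blockcontentexecutionfrominternet`) and their meanings are Microsoft’s, while the function and mode names are this example’s own.

```powershell
# Added example (not part of the FireEye article): enforce the macro hardening the
# article recommends via the Office policy registry keys that Group Policy also writes.
# Assumptions: Office 2016/2019/Microsoft 365 (policy path uses "16.0"); run as the user
# whose profile should be hardened, or change $PolicyRoot to HKLM:\ for a machine-wide policy.

$OfficeApps = @('Word', 'Excel', 'PowerPoint')
$PolicyRoot = 'HKCU:\Software\Policies\Microsoft\Office\16.0'

# VBAWarnings values as Office interprets them (the same codes Group Policy writes).
$MacroModes = @{
    EnableAll               = 1   # never use this
    DisableWithNotification = 2   # Office default: the yellow "Enable Content" bar
    DisableExceptSigned     = 3   # only macros signed by a trusted publisher run
    DisableAllWithoutNotify = 4   # what the article's advice amounts to
}

function Set-OfficeMacroPolicy {
    param(
        [ValidateSet('EnableAll', 'DisableWithNotification', 'DisableExceptSigned', 'DisableAllWithoutNotify')]
        [string]$Mode = 'DisableAllWithoutNotify',
        [bool]$BlockInternetMacros = $true
    )
    foreach ($app in $OfficeApps) {
        $key = Join-Path $PolicyRoot "$app\Security"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }

        # VBAWarnings drives the Trust Center "Macro Settings" choice; a policy value
        # overrides whatever the user picked in the UI.
        New-ItemProperty -Path $key -Name 'VBAWarnings' -PropertyType DWord `
            -Value $MacroModes[$Mode] -Force | Out-Null

        # Files carrying the Mark of the Web (e-mail attachments, downloads) get their
        # macros blocked outright when this is 1, independent of VBAWarnings. This is the
        # setting that most directly addresses macro documents arriving by e-mail.
        New-ItemProperty -Path $key -Name 'blockcontentexecutionfrominternet' -PropertyType DWord `
            -Value ([int]$BlockInternetMacros) -Force | Out-Null
    }
}

function Get-OfficeMacroPolicy {
    # One row per application, so the result can be piped to Format-Table or Export-Csv.
    foreach ($app in $OfficeApps) {
        $key  = Join-Path $PolicyRoot "$app\Security"
        $vba  = (Get-ItemProperty -Path $key -Name 'VBAWarnings' -ErrorAction SilentlyContinue).VBAWarnings
        $motw = (Get-ItemProperty -Path $key -Name 'blockcontentexecutionfrominternet' -ErrorAction SilentlyContinue).blockcontentexecutionfrominternet

        $modeName = if ($null -eq $vba) {
            'DisableWithNotification (no policy set; Office default)'
        } else {
            ($MacroModes.GetEnumerator() | Where-Object Value -eq $vba).Key
        }

        [pscustomobject]@{
            Application         = $app
            VBAWarnings         = $vba
            MacroMode           = $modeName
            BlockInternetMacros = ($motw -eq 1)
        }
    }
}

# Apply the strict policy, then show the resulting state for each application.
Set-OfficeMacroPolicy -Mode DisableAllWithoutNotify
Get-OfficeMacroPolicy | Format-Table -AutoSize
```

Values written under `Software\Policies` take precedence over the user’s own Trust Center choices and grey out the corresponding options in the Office UI, which is what makes them suitable as an enforced baseline. Where signed internal macros are still required, `-Mode DisableExceptSigned` keeps those working while `blockcontentexecutionfrominternet` continues to block macros in documents that arrived from the Internet.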