Iran’s MuddyWater Hackers Hit US Firms with New 'Dindoor' Backdoor

Several US companies have been targeted by Iranian hacking group MuddyWater in a new campaign that started in early February and has continued after the US and Israeli military strikes on Iran.

The campaign was detected by the Threat Hunter Team at Broadcom’s Symantec and Carbon Black.

The potential victims include a US bank, a US airport, non-governmental organizations in both the US and Canada and the Israeli operation of a US software company that supplies the defense and aerospace sectors. Each of these organizations has experienced suspicious activity on their networks in recent days and weeks, said the Threat Hunter Team in a March 5 report.

The campaign involves a previously unknown backdoor, dubbed ‘Dindoor’ by the cyber threat researchers.

Reused Certificates Tie New Backdoors to Iran-Linked MuddyWater

The Dindoor backdoor was found by the threat researchers on the networks of the Israeli outpost of the software company, the US bank and the Canadian non-profit organization.

Signed with a certificate issued to “Amy Cherne,” this backdoor leverages Deno, the secure runtime for JavaScript and TypeScript, to execute.

The researchers also observed an attempt to exfiltrate data from the software company using Rclone, a command-line program to manage files on cloud storage, to a Wasabi cloud storage bucket. It is not clear if this attempt was successful.

A different, Python backdoor called Fakeset was found on the networks of the US airport. It was signed by certificates issued to “Amy Cherne” and “Donald Gay”.

The Donald Gay certificate has been used previously to sign malware linked to MuddyWater, a hacking group active since 2017 and associated with the Iranian Ministry of Intelligence and Security (MOIS), also known as Seedworm, Temp Zagros and Static Kitten.

The backdoor was downloaded from two servers belonging to the Backblaze cloud storage company.

The Donald Gay certificate was also used to sign a sample from the malware family the researchers track as ‘Stagecomp,’ which downloads the Darkcomp backdoor.

The Stagecomp and the Darkcomp malware have been linked to MuddyWater by security vendors, including Google, Microsoft and Kaspersky.

This malware wasn’t seen on the targeted networks, but the use of the same certificates suggests MuddyWater was involved, said the Threat Hunter Team.

“While we have disrupted these breaches, other organizations could still be vulnerable to attack,” the researchers added.

Iran's MuddyWater Hackers Hit US Firms with New 'Dindoor' Backdoor

Kevin Poireault

Reused Certificates Tie New Backdoors to Iran-Linked MuddyWater

You may also like

Iranian Hackers Secretly Aid Ransomware Attacks on US

US Intelligence Predicts Upcoming Cyber Threats for 2024

Iranian Cyber Threats Persist Despite Ceasefire, US Intelligence Warns

Iranian Cyber Threat Actor Targets Iraqi Government Officials in AI-Powered Campaign

Russian Hacking Group Sandworm Deploys New Wiper Malware in Ukraine

What’s Hot on Infosecurity Magazine?

AI-Driven Insider Risk Now a “Critical Business Threat,” Report Warns

Coruna Exploit Kit Targets Older iPhones in Multi-Stage Campaigns

Iranian Cyber Threat Actor Targets Iraqi Government Officials in AI-Powered Campaign

ContextCrush Flaw Exposes AI Development Tools to Attacks

Europol Operation Seizes LeakBase Data Breach Site

Coalition of Western Countries Launches 6G Cybersecurity Guidelines

Expect Iran to Launch Cyber-Attacks Globally, Warns Google Head of Threat Intel

Iranian Cyber Threat Actor Targets Iraqi Government Officials in AI-Powered Campaign

North Korea's APT37 Expands Toolkit to Breach Air-Gapped Networks

Exploitable Vulnerabilities Present in 87% of Organizations

‘Project Compass’ Cracks Down on ‘The Com’: 30 Members of Notorious Cybercrime Gang Arrested

Huge “Shadow Layer” of Organizations Hit by Supply Chain Attacks

How To Enhance Security Operations with AI-Powered Defenses

Why Your Organisation Needs Trusted Time Synchronisation

Revisiting CIA: Developing Your Security Strategy in the SaaS Shared Reality

Risk-Based IT Compliance: The Case for Business-Driven Cyber Risk Quantification

Securing M365 Data and Identity Systems Against Modern Adversaries

Geopolitics: How to be a Cybersecurity Leader in an Unstable World

The Intelligence Edge: Clarity, Context and the Human Advantage in Modern CTI

Future-Proofing Critical Infrastructure: National Gas CTO Darren Curley on IT/OT Security Integration

Hundreds of Malicious Crypto Trading Add-Ons Found in Moltbot/OpenClaw

Russian Cyber Threat Actor Uses GenAI to Compromise Fortinet Firewalls

Why Ransomware Remains One of Cybersecurity’s Most Persistent and Costly Threats

Psychology, AI and the Modern Security Program: A CISO’s Guide to Human Centric Defence

Iran's MuddyWater Hackers Hit US Firms with New 'Dindoor' Backdoor

Written by

Reused Certificates Tie New Backdoors to Iran-Linked MuddyWater

You may also like

What’s Hot on Infosecurity Magazine?