www.cybercom.mil
2a02:26f0:12d::b819:ef70
Public Scan
URL:
https://www.cybercom.mil/Media/News/Article/2897570/iranian-intel-cyber-suite-of-malware-uses-open-source-tools/
Submission: On February 15 via api from US — Scanned from DE
Form analysis
1 form found in the DOM: POST /Media/News/Article/2897570/iranian-intel-cyber-suite-of-malware-uses-open-source-tools/
<form method="post" action="/Media/News/Article/2897570/iranian-intel-cyber-suite-of-malware-uses-open-source-tools/" id="Form" enctype="multipart/form-data">
<div class="aspNetHidden">
<input type="hidden" name="__EVENTTARGET" id="__EVENTTARGET" value="">
<input type="hidden" name="__EVENTARGUMENT" id="__EVENTARGUMENT" value="">
<input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE"
value="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">
</div>
<script type="text/javascript">
//<![CDATA[
var theForm = document.forms['Form'];
if (!theForm) {
theForm = document.Form;
}
function __doPostBack(eventTarget, eventArgument) {
if (!theForm.onsubmit || (theForm.onsubmit() != false)) {
theForm.__EVENTTARGET.value = eventTarget;
theForm.__EVENTARGUMENT.value = eventArgument;
theForm.submit();
}
}
//]]>
</script>
<script src="/WebResource.axd?d=pynGkmcFUV0JwCJq02pBM5hu37VK52ATsgnYFxg-XxWGX0LYJ3mbwraaWwM1&t=637729444233813844" type="text/javascript"></script>
<script src="/ScriptResource.axd?d=NJmAwtEo3IrZZmhJbgLN7n1FwhuTJbajvmySO9QBr6i6zzzRyl6QF-8j0H4S-sD0hixqDz0d-Vujdi3MvDRr6hXBsdDKcKa7NksbEQY7g6k3ZSEstlgnEP2q9p_Nl5yEr2VDGw2&t=ffffffff8333b97c" type="text/javascript"></script>
<script src="/ScriptResource.axd?d=dwY9oWetJoIvUjxxH4p9bCJMmUDv-qgwxoAeD0W0JDFhvrbEUP41TpnqX4tfMCTuBVtMAY5BK7CMtCDqlACCH4GKtxFEd7YXvMw-KQEYwFXFhcauGEnIF2TD_CxRkDQLLPMbFuQe5XPVhKch0&t=ffffffff8333b97c" type="text/javascript"></script>
<div class="aspNetHidden">
<input type="hidden" name="__VIEWSTATEGENERATOR" id="__VIEWSTATEGENERATOR" value="CA0B0334">
<input type="hidden" name="__VIEWSTATEENCRYPTED" id="__VIEWSTATEENCRYPTED" value="">
<input type="hidden" name="__EVENTVALIDATION" id="__EVENTVALIDATION" value="Kkvlz/rxrLZhAb4AnPmQKKh8MH5BLPE+kwN9P54d6QmJgkQJYlYxcrUZpT/CGwKGa6DukanOzuAN6KErA8CS+Hf7PSn/xzxKjSmlBvBoMiBfJcD9">
</div>
<script src="/Desktopmodules/SharedLibrary/Plugins/MediaElement4.2.9/mediaelement-and-player.js?cdv=3506" type="text/javascript"></script>
<script src="/Desktopmodules/SharedLibrary/Plugins/Slick/1.9.0/slick.min.js?cdv=3506" type="text/javascript"></script>
<script src="/js/dnn.js?cdv=3506" type="text/javascript"></script>
<script src="/js/dnn.modalpopup.js?cdv=3506" type="text/javascript"></script>
<script src="/Resources/Shared/Scripts/jquery/jquery.hoverIntent.min.js?cdv=3506" type="text/javascript"></script>
<script src="/Portals/_default/skins/joint2/resources/js/skin.js?cdv=3506" type="text/javascript"></script>
<script src="/js/dnncore.js?cdv=3506" type="text/javascript"></script>
<script src="/Desktopmodules/SharedLibrary/Plugins/Mobile-Detect/mobile-detect.min.js?cdv=3506" type="text/javascript"></script>
<script src="/DesktopModules/ArticleCS/Resources/ArticleCS/js/ArticleCS.js?cdv=3506" type="text/javascript"></script>
<script src="/Desktopmodules/SharedLibrary/Plugins/ColorBox/jquery.colorbox.js?cdv=3506" type="text/javascript"></script>
<script src="/Desktopmodules/SharedLibrary/Plugins/carouFredSel/jquery.carouFredSel-6.2.1.js?cdv=3506" type="text/javascript"></script>
<script src="/Desktopmodules/SharedLibrary/Plugins/DVIDSAnalytics/DVIDSVideoAnalytics.min.js?cdv=3506" type="text/javascript"></script>
<script src="/Desktopmodules/SharedLibrary/Plugins/DVIDSAnalytics/analyticsParamsForDVIDSAnalyticsAPI.js?cdv=3506" type="text/javascript"></script>
<script src="/Desktopmodules/SharedLibrary/Plugins/TouchSwipe/jquery.touchSwipe.min.js?cdv=3506" type="text/javascript"></script>
<script src="/Desktopmodules/SharedLibrary/Plugins/slimbox/slimbox2.js?cdv=3506" type="text/javascript"></script>
<script src="/Desktopmodules/SharedLibrary/Plugins/BodyScrollLock/bodyScrollLock.js?cdv=3506" type="text/javascript"></script>
<script src="/js/dnn.servicesframework.js?cdv=3506" type="text/javascript"></script>
<script src="/Desktopmodules/SharedLibrary/Plugins/Skin/js/common.js?cdv=3506" type="text/javascript"></script>
<script type="text/javascript">
//<![CDATA[
Sys.WebForms.PageRequestManager._initialize('ScriptManager', 'Form', ['tdnn$ctr4502$Article$desktopmodules_articlecs_article_ascx$UpdatePanel1', 'dnn_ctr4502_Article_desktopmodules_articlecs_article_ascx_UpdatePanel1'], [], [], 90, '');
//]]>
</script>
<!--CDF(Javascript|/Portals/_default/skins/joint2/resources/js/skin.js?cdv=3506|DnnBodyProvider|100)-->
<!--CDF(Css|/Portals/_default/skins/joint2/resources/css/full-width.css?cdv=3506|DnnPageHeaderProvider|100)-->
<script type="text/javascript">
$('#personaBar-iframe').load(function() {
$('#personaBar-iframe').contents().find("head").append($("<style type='text/css'>.personabar .personabarLogo {}</style>"));
});
</script>
<script type="text/javascript">
jQuery(document).ready(function() {
initializeSkin();
});
</script>
<script type="text/javascript">
var skinvars = {
"SiteName": "U.S. Cyber Command",
"SiteShortName": "USCYBERCOM",
"SiteSubTitle": "",
"aid": "us_cybercom",
"IsSecureConnection": false,
"IsBackEnd": false,
"IsAuthenticated": false,
"SearchDomain": "search.usa.gov",
"SiteUrl": "http://www.cybercom.mil/",
"LastLogin": null,
"IsLastLoginFail": false,
"IncludePiwik": true,
"PiwikSiteID": 9,
"SocialLinks": {
"Facebook": {
"Url": "https://www.facebook.com/USCYBERCOM-132348950136836/",
"Window": "_blank",
"Relationship": "noopener"
},
"Twitter": {
"Url": "",
"Window": "",
"Relationship": ""
},
"YouTube": {
"Url": "",
"Window": "",
"Relationship": ""
},
"Flickr": {
"Url": "",
"Window": "",
"Relationship": ""
},
"Pintrest": {
"Url": "",
"Window": "",
"Relationship": ""
},
"Instagram": {
"Url": "",
"Window": "",
"Relationship": ""
},
"Blog": {
"Url": "",
"Window": "",
"Relationship": ""
},
"RSS": {
"Url": "",
"Window": "",
"Relationship": ""
},
"Podcast": {
"Url": "",
"Window": "_blank",
"Relationship": "noopener"
},
"Email": {
"Url": "",
"Window": "",
"Relationship": ""
},
"LinkedIn": {
"Url": "",
"Window": "_blank",
"Relationship": "noopener"
},
"Snapchat": {
"Url": "",
"Window": "",
"Relationship": null
}
},
"SiteLinks": null,
"LogoffTimeout": 3300000,
"SiteAltLogoText": "U.S. Cyber Command"
};
</script>
<script type="application/ld+json">
{
"@context": "http://schema.org",
"@type": "Organization",
"logo": "http://www.cybercom.mil/Portals/56/Cyber_75.png?ver=a-PiVEZjALWVbQ95bFVSaw%3d%3d",
"name": "U.S. Cyber Command",
"url": "http://www.cybercom.mil/",
"sameAs": ["https://www.facebook.com/USCYBERCOM-132348950136836/"]
}
</script>
<div class="dma-full-width v2-template ">
<script>
$("body").css("background", "#000814");
</script>
<div id="skip-link-holder"><a id="skip-link" href="#skip-target">Skip to main content (Press Enter).</a></div>
<header id="header">
<div class="container-fluid nopad">
<div class="container-fluid skin-header skin-header-background">
<button type="button" class="navbar-toggle pull-left skin-nav-toggle" data-toggle="collapse" data-target=".navbar-collapse">
<span class="sr-only">Toggle navigation</span>
<span class="fa fa-bars"></span>
</button>
<div class="skin-logo">
<a href="http://www.cybercom.mil/" target="" rel="">
<img src="/Portals/56/Cyber_75.png?ver=a-PiVEZjALWVbQ95bFVSaw%3d%3d" alt="U.S. Cyber Command" title="U.S. Cyber Command" style="max-height: 100%" class="img-responsive">
</a>
</div>
<div class="skin-title">
<div class="hidden-xs">
<span class="title-text">U.S. Cyber Command</span>
</div>
<div class="visible-xs">
<span class="title-text">U.S. Cyber Command</span>
</div>
</div>
<div class="skin-header-right">
<div class="social hidden-xs">
<ul class="">
<li class="hidden-sm"><a href="uscybercom_pao@cybercom.mil" title="" target="_blank" rel="noopener"><span class="social-icon fa fa-Contact Us social-link-10"></span></a></li>
<li class="hidden-sm"><a href="uscybercom_pao@cybercom.mil" title="" target="_blank" rel="noopener"></a></li>
</ul>
<style>
header .skin-header-right li.hover .social-link-10 {
color: #cccccc
}
</style>
</div>
<div class="skin-search">
<div class="desktop-search hidden-xs">
<label for="desktopSearch" class="visuallyhidden">Search USCYBERCOM: </label>
<input type="text" name="desktopSearch" class="skin-search-input usagov-search-autocomplete ui-autocomplete-input" maxlength="255" aria-label="Search" title="Search USCYBERCOM" autocomplete="off">
<a class="skin-search-go" href="#" title="Search"><span class="fa fa-search fa-lg"></span>
<span class="sr-only">Search</span>
</a>
</div>
<div class="mobile-search visible-xs pull-right">
<a class="mobile-search-link" href="#" title="Search"><span class="search-icon fa closed fa-lg"></span>
<span class="sr-only">Search</span>
</a>
<div class="mobile-search-popup" style="display: none;">
<label for="mobileSearch" class="visuallyhidden">Search USCYBERCOM: </label>
<input type="text" name="mobileSearch" class="skin-search-input usagov-search-autocomplete ui-autocomplete-input" maxlength="255" aria-label="Search" title="Search USCYBERCOM" autocomplete="off">
<a class="skin-search-go" href="#" title="Search"><span class="fa fa-search fa-inverse fa-lg"></span>
<span class="sr-only">Search</span>
</a>
</div>
</div>
</div>
</div>
</div>
</div>
<div class="navbar-collapse nav-main-collapse collapse otnav nopad">
<div class=" container-fluid nopad menu">
<nav class="nav-main">
<ul class="nav nav-main">
<li class=" top-level ">
<a href="http://www.cybercom.mil/" target="" tabindex="0">Home
</a>
</li>
<li class="dropdown top-level ">
<a href="javascript:void(0)" class="dropdown-toggle">About<span class="fa fa-lg fa-angle-down"></span>
</a>
<ul class="dropdown-menu">
<li class=" dm ">
<a href="http://www.cybercom.mil/About/Mission-and-Vision/" target="" tabindex="0">Mission and Vision
</a>
</li>
<li class=" dm ">
<a href="http://www.cybercom.mil/About/History/" target="" tabindex="0">History
</a>
</li>
<li class=" dm ">
<a href="http://www.cybercom.mil/Leadership/" target="" tabindex="0">Leadership
</a>
</li>
<li class=" dm ">
<a href="http://www.cybercom.mil/Components/" target="" tabindex="0">Components
</a>
</li>
<li class=" dm ">
<a href="http://www.cybercom.mil/About/Inspector-General/" target="" tabindex="0">Inspector-General
</a>
</li>
</ul>
</li>
<li class="dropdown top-level ">
<a href="javascript:void(0)" class="dropdown-toggle">FOIA/Privacy Act<span class="fa fa-lg fa-angle-down"></span>
</a>
<ul class="dropdown-menu">
<li class=" dm ">
<a href="http://www.cybercom.mil/FOIA-Privacy-Act/About-the-Program/" target="" tabindex="0">About the Program
</a>
</li>
<li class=" dm ">
<a href="http://www.cybercom.mil/FOIA-Privacy-Act/Making-a-Freedom-of-Information-Act-FOIA-Request/" target="" tabindex="0">Making a Freedom of Information Act (FOIA) Request
</a>
</li>
<li class=" dm ">
<a href="http://www.cybercom.mil/FOIA-Privacy-Act/Making-a-Privacy-Act-PA-Request/" target="" tabindex="0">Making a Privacy Act (PA) Request
</a>
</li>
<li class=" dm ">
<a href="http://www.cybercom.mil/FOIA-Privacy-Act/Reading-Room/" target="" tabindex="0">Reading Room
</a>
</li>
</ul>
</li>
<li class="dropdown top-level parent">
<a href="javascript:void(0)" class="dropdown-toggle">Media<span class="fa fa-lg fa-angle-down"></span>
</a>
<ul class="dropdown-menu">
<li class="active dm ">
<a href="http://www.cybercom.mil/Media/News/" target="" tabindex="0">News
</a>
</li>
<li class=" dm ">
<a href="http://www.cybercom.mil/Media/Images/" target="" tabindex="0">Images
</a>
</li>
<li class=" dm ">
<a href="http://www.cybercom.mil/Media/Videos/" target="" tabindex="0">Videos
</a>
</li>
</ul>
</li>
<li class="dropdown top-level ">
<a href="javascript:void(0)" class="dropdown-toggle">Partnerships and Outreach<span class="fa fa-lg fa-angle-down"></span>
</a>
<ul class="dropdown-menu">
<li class=" dm ">
<a href="http://www.cybercom.mil/Partnerships-and-Outreach/Speaker-Request-Form/" target="" tabindex="0">Speaker Request Form
</a>
</li>
<li class=" dm ">
<a href="http://www.cybercom.mil/Partnerships-and-Outreach/Academic-Engagement/" target="" tabindex="0">Academic Engagement
</a>
</li>
<li class=" dm ">
<a href="http://www.cybercom.mil/Partnerships-and-Outreach/Technical-Outreach-Division/" target="" tabindex="0">Technical Outreach Division
</a>
</li>
<li class=" dm ">
<a href="http://www.cybercom.mil/Partnerships-and-Outreach/Cyber-Command-and-Small-Business/" target="" tabindex="0">Cyber Command and Small Business
</a>
</li>
</ul>
</li>
<li class=" top-level ">
<a href="http://www.cybercom.mil/Employment-Opportunities/" target="" tabindex="0">Employment Opportunities
</a>
</li>
<li class="dropdown top-level ">
<a href="javascript:void(0)" class="dropdown-toggle">COVID-19<span class="fa fa-lg fa-angle-down"></span>
</a>
<ul class="dropdown-menu">
<li class=" dm ">
<a href="http://www.cybercom.mil/COVID-19/Highlighted-Updates/" target="" tabindex="0">Highlighted Updates
</a>
</li>
<li class=" dm ">
<a href="https://www.defense.gov/Explore/Spotlight/Coronavirus/" target="_blank" tabindex="0">DOD, Department of Defense
</a>
</li>
<li class=" dm ">
<a href="https://www.cdc.gov/coronavirus/2019-ncov/index.html" target="_blank" tabindex="0">CDC, Centers for Disease Control and Prevention
</a>
</li>
<li class=" dm ">
<a href="https://www.nih.gov/" target="_blank" tabindex="0">NIH, National Institutes of Health
</a>
</li>
<li class=" dm ">
<a href="https://walterreed.tricare.mil/" target="_blank" tabindex="0">Walter Reed National Military Medical Center
</a>
</li>
<li class=" dm ">
<a href="https://health.mil/Military-Health-Topics/Combat-Support/Public-Health/Coronavirus" target="_blank" tabindex="0">Health.mil
</a>
</li>
</ul>
</li>
<li class=" top-level ">
<a href="http://www.cybercom.mil/Contact-Us/" target="" tabindex="0">Contact Us
</a>
</li>
</ul>
</nav>
</div>
</div>
</header>
<p id="skip-target-holder"><a id="skip-target" name="skip-target" class="skip" tabindex="-1" innertext="Start of main content"></a></p>
<div id="content" class="skin-border" role="main">
<div class="top-wrapper skin-home-top-row">
<div class="container-fluid nopad">
<div class="flex-row flex-row-fw">
<div id="dnn_BannerPane" class="flex-row-col-md backend-cp-collapsible">
<div class="DnnModule DnnModule-ArticleCSDashboard DnnModule-24661"><a name="24661"></a>
<div class="containers-v2 boxed shadow shadow-rounded has-margin">
<span id="dnn_ctr24661_dnnTitle_titleLabel" class="container-title">RECENT NEWS</span>
<div id="dnn_ctr24661_ContentPane" class="container-content"><!-- Start_Module_24661 -->
<div id="dnn_ctr24661_ModuleContent" class="DNNModuleContent ModArticleCSDashboardC">
<div id="dnn_ctr24661_Dashboard_ph">
<section id="joint2-card-grid" class="joint2-card-grid">
<div class="joint2-card-grid-rows">
<a class="joint2-card" href="https://www.cybercom.mil/Media/News/Article/2889614/cybercom-announces-academic-engagement-network-partners/">
<div class="joint2-card__image" style="background-image: url(https://media.defense.gov/2022/Jan/14/2002922708/600/400/0/220114-D-WM477-0003.JPG)">
<span class="sr-only">U.S. Cyber Command Executive Director, David Frederick, hosts an informational Academic Engagement Strategy webinar Jan. 6 with more than 80 academic institutions as part of USCYBERCOM's Academic Engagement Network. In total 84 colleges and universities were selected to partner with the command and components. Partners consist of 70 universities, 14 community colleges, nine minority serving institutions, four military service academies, and four military war and staff colleges. (DoD photo by Aiyana Paschal)</span>
</div>
<div class="joint2-card__overlay"></div>
<div class="joint2-card__content">
<h3 class="joint2-card__title"><span>CYBERCOM Announces Academic Engagement Network P...</span></h3>
<div class="joint2-object-eyebrow">
<div class="joint2-object-eyebrow-type">
News
</div>
<div class="joint2-object-eyebrow-date">
Jan. 05, 2022
</div>
</div>
<hr class="joint2-card__hr">
<div class="joint2-card__description">
<span>U.S. Cyber Command (CYBERCOM) will officially announce its newest Academic Engagement Network (AEN) college...</span>
<div class="joint2-card__read-more">Read More</div>
</div>
</div>
</a>
<a class="joint2-card" href="https://www.cybercom.mil/Media/News/Article/2885401/2021-a-year-in-review/">
<div class="joint2-card__image" style="background-image: url(https://media.defense.gov/2021/Aug/26/2002840321/600/400/0/210820-D-LA132-0415.JPG)">
<span class="sr-only">U.S. Army General Paul M. Nakasone, U.S. Cyber Command commander and National Security Agency director, presents opening remarks for the 10th annual Reserve Component Summit at Fort George G. Meade, Md., Aug. 20, 2021.</span>
</div>
<div class="joint2-card__overlay"></div>
<div class="joint2-card__content">
<h3 class="joint2-card__title"><span>2021: A Year in Review</span></h3>
<div class="joint2-object-eyebrow">
<div class="joint2-object-eyebrow-type">
News
</div>
<div class="joint2-object-eyebrow-date">
Dec. 29, 2021
</div>
</div>
<hr class="joint2-card__hr">
<div class="joint2-card__description">
<span>Here are some of U.S. Cyber Command’s (CYBERCOM) impactful moments of 2021: In the last year, the cyber...</span>
<div class="joint2-card__read-more">Read More</div>
</div>
</div>
</a>
<a class="joint2-card" href="https://www.cybercom.mil/Media/News/Article/2861207/dept-of-defenses-largest-multinational-cyber-exercise-yet-focuses-on-collective/">
<div class="joint2-card__image" style="background-image: url(https://media.defense.gov/2021/Dec/02/2002902464/600/400/0/211118-N-KT462-3552.JPG)">
<span class="sr-only">Alongside international partners from 23 countries, U.S. cyber operators test their skills and ability to detect enemy presence, expel it, and identify solutions to harden simulated networks during U.S. Cyber Command's CYBER FLAG 21-1 exercise.</span>
</div>
<div class="joint2-card__overlay"></div>
<div class="joint2-card__content">
<h3 class="joint2-card__title"><span>Dept. of Defense’s largest multinational cyber e...</span></h3>
<div class="joint2-object-eyebrow">
<div class="joint2-object-eyebrow-type">
News
</div>
<div class="joint2-object-eyebrow-date">
Dec. 03, 2021
</div>
</div>
<hr class="joint2-card__hr">
<div class="joint2-card__description">
<span>U.S. Cyber Command’s CYBER FLAG 21-1 exercise, the largest multinational cyber exercise to date, bolstered the...</span>
<div class="joint2-card__read-more">Read More</div>
</div>
</div>
</a>
</div>
<style>
@media only screen and (min-width: 300px) {
.joint2-card {
width: calc(100% - 16px);
}
}
@media only screen and (min-width: 512px) {
.joint2-card {
width: calc(50% - 16px);
}
}
@media only screen and (min-width: 992px) {
.joint2-card {
width: calc(50% - 32px);
}
}
@media only screen and (min-width: 768px) {
.joint2-card {
width: calc(33.33334% - 16px);
}
}
@media only screen and (min-width: 992px) {
.joint2-card {
width: calc(33.33334% - 32px);
}
}
</style>
</section>
</div>
</div><!-- End_Module_24661 -->
</div>
<div class="clearfix"></div>
</div>
</div>
</div>
</div>
</div>
</div>
<div class="border-wrapper">
<div class="container-fluid nopad container-fluid-max">
<div class="flex-row flex-row-fw">
<div id="dnn_SubBannerPane" class="flex-row-col-md backend-cp-collapsible">
<div class="DnnModule DnnModule-ArticleCS DnnModule-4502"><a name="4502"></a>
<div class="containers-v2 boxed shadow shadow-rounded has-margin">
<span id="dnn_ctr4502_dnnTitle_titleLabel" class="container-title">MORE NEWS</span>
<div id="dnn_ctr4502_ContentPane" class="container-content"><!-- Start_Module_4502 -->
<div id="dnn_ctr4502_ModuleContent" class="DNNModuleContent ModArticleCSC">
<div id="dnn_ctr4502_Article_desktopmodules_articlecs_article_ascx_UpdatePanel1" class="article-view">
<div class="adetail news" itemscope="" itemtype="http://schema.org/NewsArticle">
<meta itemprop="datePublished" content="Jan. 12, 2022">
<div id="news-content" class="article-body">
<div class="header">
<div class="category-date">
<b>NEWS</b> | Jan. 12, 2022
</div>
<h1 class="title" itemprop="headline">Iranian intel cyber suite of malware uses open source tools</h1>
<p class="info">
<span class="line">Cyber National Mission Force Public Affairs</span>
</p>
</div>
<div class="body" itemprop="articleBody">
<span class="dateline-text"> FORT MEADE, Md. – </span>
<p>To better enable defense against malicious cyber actors, U.S. Cyber Command’s Cyber National Mission Force has identified and disclosed multiple open-source tools that Iranian intelligence actors are using in networks around the world.</p>
<p>These actors, known as MuddyWater in industry, are part of groups conducting Iranian intelligence activities, and have been seen using a variety of techniques to maintain access to victim networks.</p>
<p>MuddyWater is an Iranian threat group. Industry has previously reported that MuddyWater primarily targets Middle Eastern nations and has also targeted European and North American nations.</p>
<p>MuddyWater is a subordinate element within the Iranian Ministry of Intelligence and Security (MOIS). According to the
<u><a href="https://crsreports.congress.gov/product/pdf/RL/RL32048"><span style="color:#0033ff;">Congressional Research Service</span></a></u>, the MOIS “conducts domestic surveillance to identify regime opponents. It
also surveils anti-regime activists abroad through its network of agents placed in Iran’s embassies."</p>
<p>Should a network operator identify multiple of these tools on the same network, it may indicate the presence of Iranian malicious cyber actors.</p>
<p>Below are some technical aspects of how the threat actor may be leveraging malware in networks.</p>
<p>These include side-loading DLLs in order to trick legitimate programs into running malware, and obfuscating PowerShell scripts to hide command and control functions. New samples showing the different parts of this suite of tools are posted to VirusTotal, along with JavaScript files used to establish connections back to malicious infrastructure.</p>
<p>www.Virustotal.com/en/user/CYBERCOM_Malware_Alert</p>
<ul>
<li><strong>Previous PowGoop Sample</strong>: <ul style="list-style-type:circle;">
<li>These three samples are all part of the same PowGoop instance. They were identified in a folder with several other legitimate executables and DLLs. Goopdate.dll uses DLL side-loading to run when the non-malicious executable GoogleUpdate.exe is run. goopdate.dll then de-obfuscates goopdate.dat, a PowerShell script that in turn de-obfuscates and runs config.txt. Config.txt is a PowerShell script that establishes network communication with the PowGoop C2 server, using a modified base64 encoding to send data to and from the C2 server. The IP of the C2 server is often hardcoded in config.txt.</li>
<li>Goopdate.dll hides its communications with the malicious cyber actors’ C2 servers by executing under the Google Update service.</li>
</ul>
</li>
<li><strong>Additional PowGoop DLL Side-Loading variants:</strong>
<ul style="list-style-type:circle;">
<li>Uses the same technique to de-obfuscate a .dat file, which is a PowerShell script that decodes another PowerShell script with a .txt file extension.</li>
<li>This open-source code has been used for espionage and ransomware: libpcre2-8-0.dll and vcruntime140.dll (PowGoop variants) use different naming conventions to evade antivirus and manual detection.</li>
</ul>
</li>
<li><strong>Additional PowGoop Loader variants:</strong>
<ul style="list-style-type:circle;">
<li>Any instances of these files may indicate an attacker in the network: open-source cyber research found PowGoop Loader variants in compromised networks, de-obfuscating a PowerShell script that gives an attacker command and control functions.</li>
<li>De-obfuscates a .txt file, which is another PowerShell script and carries the main C2 functionality.</li>
</ul>
</li>
<li><strong>Additional PowGoop C2 Beacon variants: </strong>
<ul style="list-style-type:circle;">
<li>Each sample reaches out from the victim network and contacts malicious infrastructure. If these files are present on the network, the malicious cyber actors (MCAs) are likely receiving their beacon as well.</li>
</ul>
</li>
<li><strong>JavaScript samples:</strong>
<ul style="list-style-type:circle;">
<li>The samples issue a GET request to malicious servers. The JavaScript files are associated with groups also employing PowGoop.</li>
</ul>
</li>
<li><strong>Mori Backdoor sample:</strong>
<ul style="list-style-type:circle;">
<li>This sample is an indicator that a network has been compromised: it is the Mori Backdoor, employed by malicious cyber actors for espionage. This malware uses DNS tunneling to communicate with its C2 infrastructure.</li>
<li>This sample is a likely Mori Backdoor. It utilizes regsvr32.dll to run. Key IOCs are the creation of the mutex 0x50504060 and the creation of the registry key HKLM\SOFTWARE\NFC.</li>
</ul>
</li>
</ul>
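<p>The indicator list above can be turned into a host and network hunt. The following Python is an added example, not part of the CNMF disclosure or of any CYBERCOM tooling: it evaluates a constructed host inventory against the indicators named in the article (goopdate.dll side-loaded beside GoogleUpdate.exe with its goopdate.dat and config.txt stages, the renamed variant DLLs next to .dat and .txt stages, the Mori mutex 0x50504060 and the registry key HKLM\SOFTWARE\NFC) and then applies the article's point that several tool families on one network are a stronger signal than any single file. The HostArtifacts fields, the directory paths, the confidence labels and the two-family threshold are assumptions of the example; the variant-DLL rule is a heuristic, because vcruntime140.dll is legitimate on its own and only the co-located stage files make it suspicious.</p>

```python
"""Hunt for the PowGoop and Mori Backdoor indicators named in the CNMF
disclosure. The host inventory is constructed for this example; the rule
shapes follow the article text. Field names, paths, confidence labels and
the two-family threshold are assumptions, not CNMF or CYBERCOM tooling."""
from __future__ import annotations
from dataclasses import dataclass, field
from pathlib import PureWindowsPath

# Indicators taken from the article (original DLL plus the renamed variants).
POWGOOP_VARIANT_DLLS = {"goopdate.dll", "libpcre2-8-0.dll", "vcruntime140.dll"}
MORI_MUTEX = "0x50504060"
MORI_REG_KEY = r"HKLM\SOFTWARE\NFC"


@dataclass
class HostArtifacts:
    """Per-host evidence collected by whatever EDR or script you use (assumed shape)."""
    host: str
    files: list[str] = field(default_factory=list)        # full paths seen on disk
    mutexes: set[str] = field(default_factory=set)        # named mutexes from handle enumeration
    registry_keys: set[str] = field(default_factory=set)  # keys present under HKLM


def _files_by_directory(files):
    """Group lower-cased file names by their parent directory."""
    groups = {}
    for path in files:
        p = PureWindowsPath(path)
        groups.setdefault(str(p.parent).lower(), set()).add(p.name.lower())
    return groups


def check_powgoop(h):
    """Return PowGoop findings, one per directory that matches the loader layout."""
    findings = []
    for directory, names in _files_by_directory(h.files).items():
        dlls = POWGOOP_VARIANT_DLLS & names
        if not dlls:
            continue
        has_dat = any(n.endswith(".dat") for n in names)
        has_txt = any(n.endswith(".txt") for n in names)
        # Original PowGoop: goopdate.dll side-loaded by the benign GoogleUpdate.exe,
        # with goopdate.dat and config.txt as the PowerShell stages.
        if "goopdate.dll" in dlls and "googleupdate.exe" in names:
            findings.append(("PowGoop", "high", directory, "goopdate.dll beside GoogleUpdate.exe"))
        # Variant loaders: a renamed DLL next to .dat and .txt stages (heuristic).
        # vcruntime140.dll alone is legitimate, so this fires only with both stage files.
        elif has_dat and has_txt:
            findings.append(("PowGoop", "medium", directory, f"{sorted(dlls)} with .dat and .txt stages"))
    return findings


def check_mori(h):
    """Return Mori Backdoor findings from the two host IOCs named in the article."""
    findings = []
    if MORI_MUTEX in h.mutexes:
        findings.append(("Mori Backdoor", "high", "mutex", MORI_MUTEX))
    if any(k.upper() == MORI_REG_KEY.upper() for k in h.registry_keys):
        findings.append(("Mori Backdoor", "high", "registry", MORI_REG_KEY))
    return findings


def assess_network(hosts):
    """Aggregate per-host hits. The article treats multiple tools on one network as a
    stronger indicator than any single sample, so the verdict keys on distinct families."""
    per_host = {h.host: check_powgoop(h) + check_mori(h) for h in hosts}
    families = {f[0] for hits in per_host.values() for f in hits}
    if len(families) >= 2:
        verdict = "multiple tool families: likely MuddyWater activity"
    elif families:
        verdict = "single family: investigate"
    else:
        verdict = "no indicators"
    return {"hosts": per_host, "families": sorted(families), "verdict": verdict}


# Constructed inventory: WS01 carries the PowGoop layout, SRV02 the Mori IOCs, WS03 is clean.
SAMPLE_HOSTS = [
    HostArtifacts(
        host="WS01",
        files=[r"C:\Users\Public\Update\GoogleUpdate.exe",
               r"C:\Users\Public\Update\goopdate.dll",
               r"C:\Users\Public\Update\goopdate.dat",
               r"C:\Users\Public\Update\config.txt"],
    ),
    HostArtifacts(
        host="SRV02",
        files=[r"C:\Windows\System32\vcruntime140.dll"],  # benign copy, no stage files
        mutexes={MORI_MUTEX},
        registry_keys={r"HKLM\SOFTWARE\NFC"},
    ),
    HostArtifacts(host="WS03", files=[r"C:\Windows\System32\vcruntime140.dll"]),
]

if __name__ == "__main__":
    report = assess_network(SAMPLE_HOSTS)
    for host, hits in report["hosts"].items():
        print(host, hits)
    print(report["verdict"])
```

<p>Feeding real data into HostArtifacts is the collection step the article leaves to the operator: a directory listing of user-writable paths, a handle enumeration for named mutexes and a registry export are enough. Because the variant-DLL rule is a heuristic, its medium-confidence hits are worth a look at the .dat and .txt contents before escalating, whereas the goopdate.dll/GoogleUpdate.exe pairing and the Mori mutex or key are the direct indicators the disclosure names.</p>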
</div>
<div class="share-bottom">
<div>
<a class="share-link addthis_button_more" target="_blank" title="More" href="#">
<i class="fa fa-share-alt fa-2x"></i>
<br>
SHARE
</a>
<script type="text/javascript" src="//s7.addthis.com/js/300/addthis_widget.js#pubid=">
var addthis_config = {
data_use_flash: false,
data_use_cookies: false,
ui_508_compliant: true,
ui_click: true,
ui_disable: true
};
</script>
</div>
<div>
<a class="print-link" href="https://www.cybercom.mil/DesktopModules/ArticleCS/Print.aspx?PortalId=56&ModuleId=4502&Article=2897570" target="_blank" rel="noopener">
<i class="fa fa-print fa-2x"></i>
<br>
PRINT
</a>
</div>
</div>
<div class="related">
</div>
<div class="tags">
<div class="tag"><span class="fa fa-tag fa-lg"></span> <a href="http://www.cybercom.mil/Media/News/Tag/126440/cyber-national-mission-force/">cyber national mission force</a></div>
<div class="tag"><span class="fa fa-tag fa-lg"></span> <a href="http://www.cybercom.mil/Media/News/Tag/214231/malicious-cyber-actor/">malicious cyber actor</a></div>
<div class="tag"><span class="fa fa-tag fa-lg"></span> <a href="http://www.cybercom.mil/Media/News/Tag/58437/cyber-defense/">cyber defense</a></div>
<div class="tag"><span class="fa fa-tag fa-lg"></span> <a href="http://www.cybercom.mil/Media/News/Tag/150976/defend-forward/">Defend Forward</a></div>
</div>
<div style="clear:both"></div>
<div id="fb-root" class=" fb_reset">
<div style="position: absolute; top: -10000px; width: 0px; height: 0px;">
<div></div>
</div>
</div>
<script>
(function(d, s, id) {
var js, fjs = d.getElementsByTagName(s)[0];
if (d.getElementById(id)) return;
js = d.createElement(s);
js.id = id;
js.src = "//connect.facebook.net/en_US/sdk.js#xfbml=1&version=v2.5&appId=";
fjs.parentNode.insertBefore(js, fjs);
}(document, 'script', 'facebook-jssdk'));
</script>
<div class="fb-comments fb_iframe_widget fb_iframe_widget_fluid_desktop" data-href="https://www.cybercom.mil/Media/News/Article/2897570/iranian-intel-cyber-suite-of-malware-uses-open-source-tools/" data-width="100%"
data-numposts="5" fb-xfbml-state="rendered"
fb-iframe-plugin-query="app_id=&container_width=575&height=100&href=https%3A%2F%2Fwww.cybercom.mil%2FMedia%2FNews%2FArticle%2F2897570%2Firanian-intel-cyber-suite-of-malware-uses-open-source-tools%2F&locale=en_US&numposts=5&sdk=joey&version=v2.5&width="
style="width: 100%;"><span style="vertical-align: bottom; width: 100%; height: 364px;"><iframe name="f188869442eca08" width="1000px" height="100px" data-testid="fb:comments Facebook Social Plugin"
title="fb:comments Facebook Social Plugin" frameborder="0" allowtransparency="true" allowfullscreen="true" scrolling="no" allow="encrypted-media"
src="https://web.facebook.com/v2.5/plugins/comments.php?app_id=&channel=https%3A%2F%2Fstaticxx.facebook.com%2Fx%2Fconnect%2Fxd_arbiter%2F%3Fversion%3D46%23cb%3Df2adfbd19583744%26domain%3Dwww.cybercom.mil%26is_canvas%3Dfalse%26origin%3Dhttps%253A%252F%252Fwww.cybercom.mil%252Ff75736240842d8%26relation%3Dparent.parent&container_width=575&height=100&href=https%3A%2F%2Fwww.cybercom.mil%2FMedia%2FNews%2FArticle%2F2897570%2Firanian-intel-cyber-suite-of-malware-uses-open-source-tools%2F&locale=en_US&numposts=5&sdk=joey&version=v2.5&width="
style="border: none; visibility: visible; width: 100%; height: 364px;" class=""></iframe></span></div>
</div>
</div>
</div>
<script type="text/javascript">
var displayNextPrevNav = false
var loggedIn = false;
var articleId = 2897570;
var moduleId = 4502;
var mejPlayer;
jQuery(document).ready(function() {
mejPlayer = $(".article-view video").not(".noplayer").mediaelementplayer({
pluginPath: "/desktopmodules/SharedLibrary/Plugins/MediaElement4.2.9/",
videoWidth: '100%',
videoHeight: '100%',
success: function(mediaElement, domObject) {
var aDefaultOverlay = jQuery(mediaElement).parents('.media-inline-video, .video-control').find('.defaultVideoOverlay.a-video-button');
var aHoverOverlay = jQuery(mediaElement).parents('.media-inline-video, .video-control').find('.hoverVideoOverlay.a-video-button');
var playing = false;
$("#" + mediaElement.id).parents('.media-inline-video, .video-control').find('.mejs__controls').hide();
if (typeof GalleryResize === "function") GalleryResize();
mediaElement.addEventListener('play', function(e) {
playing = true;
jQuery(".gallery").trigger("pause", false, false);
$("#" + e.detail.target.id).parents('.media-inline-video, .video-control').find('.mejs__controls').show();
$("#" + e.detail.target.id).parents('.media-inline-video, .video-control').find('.duration').hide();
if (aDefaultOverlay.length) {
aDefaultOverlay.hide();
aHoverOverlay.hide();
}
//place play trigger for DVIDS Analytics
}, false);
mediaElement.addEventListener('pause', function(e) {
playing = false;
if (aDefaultOverlay.length) {
aDefaultOverlay.removeAttr("style");
aHoverOverlay.removeAttr("style");
}
}, false);
mediaElement.addEventListener('ended', function(e) {
playing = false;
}, false);
if (aDefaultOverlay.length) {
aDefaultOverlay.click(function() {
if (!playing) {
mediaElement.play();
playing = true;
}
});
aHoverOverlay.click(function() {
if (!playing) {
mediaElement.play();
playing = true;
}
});
}
},
features: ["playpause", "progress", "current", "duration", "tracks", "volume", "fullscreen"]
});
if (displayNextPrevNav) {
DisplayNextPreviousNav(moduleId, articleId, loggedIn);
}
});
$(window).load(function() {
if (displayNextPrevNav) {
var winWidth = $(document).width();
if (winWidth > 1024) {
$('#footerExtender').css('height', '0px');
$('.article-navbtn .headline').addClass('contentPubDate');
} else {
$('#footerExtender').css('height', $('.article-navbtn .headline').html().length > 0 ? $('.bottomNavContainer').height() + 'px' : '0px');
$('.article-navbtn .headline').removeClass('contentPubDate');
}
}
});
$(window).resize(function() {
if (displayNextPrevNav) {
var winWidth = $(document).width();
if (winWidth < 1024) {
$('#footerExtender').css('height', $('.article-navbtn .headline').html().length > 0 ? $('.bottomNavContainer').height() + 'px' : '0px');
$('.article-navbtn .headline').removeClass('contentPubDate');
} else {
$('#footerExtender').css('height', '0px');
$('.article-navbtn .headline').addClass('contentPubDate');
}
}
});
</script>
</div><!-- End_Module_4502 -->
</div>
<div class="clearfix"></div>
</div>
</div>
</div>
</div>
<div class="flex-row flex-row-fw">
<div class="flex-row-col-md backend-cp-collapsible flex-row-main">
</div>
</div>
</div>
</div>
</div>
</div>
</form>
U.S. Cyber Command | NEWS | Jan. 12, 2022

Iranian Intel Cyber Suite of Malware Uses Open Source Tools
By Cyber National Mission Force Public Affairs

FORT MEADE, Md. – To better enable defense against malicious cyber actors, U.S. Cyber Command's Cyber National Mission Force (CNMF) has identified and disclosed multiple open-source tools that Iranian intelligence actors are using in networks around the world.

These actors, known in industry as MuddyWater, are part of groups conducting Iranian intelligence activities and have been seen using a variety of techniques to maintain access to victim networks. Industry has previously reported that MuddyWater has primarily targeted Middle Eastern nations, and has also targeted European and North American nations.

MuddyWater is a subordinate element within the Iranian Ministry of Intelligence and Security (MOIS). According to the Congressional Research Service, the MOIS "conducts domestic surveillance to identify regime opponents. It also surveils anti-regime activists abroad through its network of agents placed in Iran's embassies."

Should a network operator identify several of these tools on the same network, it may indicate the presence of Iranian malicious cyber actors.

Below are some technical aspects of how the threat actor could be leveraging malware in networks. These include side-loading DLLs in order to trick legitimate programs into running malware, and obfuscating PowerShell scripts to hide command and control (C2) functions. New samples showing the different parts of this suite of tools are posted to VirusTotal, along with JavaScript files used to establish connections back to malicious infrastructure:

www.Virustotal.com/en/user/CYBERCOM_Malware_Alert

* Previous PowGoop sample:
  * These three samples are all part of the same PowGoop instance. They were identified in a folder with several other legitimate executables and DLLs. goopdate.dll uses DLL side-loading to run when the non-malicious executable GoogleUpdate.exe is run. goopdate.dll then de-obfuscates goopdate.dat, a PowerShell script that in turn de-obfuscates and runs config.txt. config.txt is a PowerShell script that establishes network communication with the PowGoop C2 server, using a modified base64 encoding scheme to send data to and from it. The IP address of the C2 server is often hardcoded in config.txt.
  * goopdate.dll hides communication with the actors' C2 servers by executing within the Google Update service.
* Additional PowGoop DLL side-loading variants:
  * These use the same technique to de-obfuscate a .dat file, which is a PowerShell script that decodes another PowerShell script carrying a .txt extension.
  * This open-source code has been used for espionage and ransomware. The libpcre2-8-0.dll and vcruntime140.dll variants of PowGoop use different file names in order to avoid antivirus and manual detection.
* Additional PowGoop loader variants:
  * Any instance of these files may indicate an attacker in the network. Open-source cyber research has found PowGoop loader variants in compromised networks, de-obfuscating a PowerShell script that gives an attacker command and control functions.
  * The loader de-obfuscates a .txt file, which is another PowerShell script containing the main C2 functionality.
* Additional PowGoop C2 beacon variants:
  * Each sample reaches out from the victim network and contacts malicious infrastructure. If you see these files on the network, the malicious cyber actors (MCAs) are likely seeing their beacon too.
* JavaScript samples:
  * The samples issue a GET request to malicious servers. The JavaScript files are associated with groups that also employ PowGoop.
* Mori Backdoor sample:
  * This sample is an indicator that a network has been compromised. It is the Mori Backdoor, employed by malicious cyber actors for espionage. The malware uses DNS tunneling to communicate with its C2 infrastructure.
  * A second sample is a likely Mori Backdoor. It is run via regsvr32.exe, the Windows DLL registration utility. Key IOCs are the creation of the mutex 0x50504060 and creation of the registry key HKLM\SOFTWARE\NFC.

Tags: cyber national mission force, malicious cyber actor, cyber defense, Defend Forward
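The disclosure lists the artefacts but not a procedure for finding them. As an added example (not CNMF's code or tooling), the following Python takes a stream of endpoint events in an assumed Sysmon-like dict layout and applies the indicators above: GoogleUpdate.exe loading goopdate.dll (or the renamed libpcre2-8-0.dll / vcruntime140.dll variants) from outside its install directory, creation of HKLM\SOFTWARE\NFC, a generic high-entropy-subdomain heuristic for the DNS tunneling the page attributes to Mori (no domain is given, so the heuristic is ours), and per-host correlation that escalates when more than one tool family appears on the same host, as the article suggests. The Google Update install paths, the signed/unsigned assumption for the renamed DLLs, the event field names and the sample events are all constructed for this example.

```python
import hashlib
import math
from collections import defaultdict

# Indicators taken from the disclosure.
POWGOOP_HOST_EXE = "googleupdate.exe"
POWGOOP_DLLS = {"goopdate.dll", "libpcre2-8-0.dll", "vcruntime140.dll"}
POWGOOP_RENAMED_DLLS = {"libpcre2-8-0.dll", "vcruntime140.dll"}
MORI_REGISTRY_KEY = "hklm\\software\\nfc"

# Assumption (not from the page): where a legitimately installed GoogleUpdate.exe
# keeps its own vendor-signed goopdate.dll. A load from anywhere else is the side-load.
GOOGLE_UPDATE_DIRS = ("c:\\program files (x86)\\google\\update\\",
                      "c:\\program files\\google\\update\\")


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _dirname(path):
    return path.replace("/", "\\").rsplit("\\", 1)[0].lower() + "\\"


def _entropy(text):
    """Shannon entropy of a string in bits per character."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    return -sum(c / len(text) * math.log2(c / len(text)) for c in counts.values())


def detect_powgoop(ev):
    """PowGoop side-load: a PowGoop-named DLL loaded by GoogleUpdate.exe from outside
    its install dir, or a renamed variant that is unsigned (assumption: the genuine
    vcruntime140.dll / libpcre2-8-0.dll shipped with software carry a signature)."""
    if ev["type"] != "ImageLoad":
        return None
    dll = _basename(ev["image_loaded"])
    if dll not in POWGOOP_DLLS:
        return None
    host_exe, src = _basename(ev["image"]), _dirname(ev["image_loaded"])
    if host_exe == POWGOOP_HOST_EXE and not src.startswith(GOOGLE_UPDATE_DIRS):
        return ("PowGoop", f"{host_exe} side-loaded {dll} from {src}")
    if dll in POWGOOP_RENAMED_DLLS and not ev.get("signed", True):
        return ("PowGoop", f"{host_exe} loaded unsigned {dll} from {src}")
    return None


def detect_mori_registry(ev):
    """Mori IOC from the disclosure: creation of the HKLM\\SOFTWARE\\NFC key."""
    if ev["type"] == "RegistryKeyCreate" and ev["target_object"].lower().startswith(MORI_REGISTRY_KEY):
        return ("Mori", f"{_basename(ev['image'])} created {ev['target_object']}")
    return None


def detect_dns_tunneling(events, min_queries=20, min_entropy=3.0):
    """Generic tunnelling heuristic: one process on one host querying many distinct,
    high-entropy subdomains under a single parent domain. Returns (host, finding) pairs."""
    buckets = defaultdict(set)
    for ev in events:
        if ev["type"] != "DnsQuery":
            continue
        labels = ev["query"].lower().rstrip(".").split(".")
        if len(labels) < 3:
            continue
        buckets[(ev["host"], _basename(ev["image"]), ".".join(labels[-2:]))].add(".".join(labels[:-2]))
    findings = []
    for (host, proc, parent), subs in buckets.items():
        if len(subs) < min_queries:
            continue
        mean_entropy = sum(_entropy(s.replace(".", "")) for s in subs) / len(subs)
        if mean_entropy >= min_entropy:
            findings.append((host, ("DNS tunneling", f"{proc}: {len(subs)} distinct subdomains of "
                                    f"{parent}, mean label entropy {mean_entropy:.2f} bits")))
    return findings


def hunt(events):
    """Per-host report; escalate when two or more distinct tool families are seen together."""
    per_host = defaultdict(list)
    for ev in events:
        for detector in (detect_powgoop, detect_mori_registry):
            hit = detector(ev)
            if hit:
                per_host[ev["host"]].append(hit)
    for host, hit in detect_dns_tunneling(events):
        per_host[host].append(hit)
    return {host: {"findings": hits, "families": sorted({f for f, _ in hits}),
                   "escalate": len({f for f, _ in hits}) >= 2} for host, hits in per_host.items()}


def sample_events():
    """Constructed telemetry for the example: ws01 is infected, ws02 is clean."""
    evil_dir = "C:\\Users\\bob\\AppData\\Local\\Temp\\upd\\"
    ev = [
        {"host": "ws01", "type": "ImageLoad", "image": evil_dir + "GoogleUpdate.exe",
         "image_loaded": evil_dir + "goopdate.dll", "signed": False},
        {"host": "ws01", "type": "RegistryKeyCreate", "image": "C:\\Windows\\System32\\regsvr32.exe",
         "target_object": "HKLM\\SOFTWARE\\NFC"},
        {"host": "ws02", "type": "ImageLoad", "image": "C:\\Program Files (x86)\\Google\\Update\\GoogleUpdate.exe",
         "image_loaded": "C:\\Program Files (x86)\\Google\\Update\\1.3.36.111\\goopdate.dll", "signed": True},
        {"host": "ws02", "type": "ImageLoad", "image": "C:\\Program Files\\App\\app.exe",
         "image_loaded": "C:\\Windows\\System32\\vcruntime140.dll", "signed": True},
        {"host": "ws02", "type": "DnsQuery", "image": "C:\\Program Files\\Mail\\mail.exe", "query": "mail.corp.example"},
    ]
    for i in range(25):  # hex chunks carried in the query name, as a tunnel would do
        chunk = hashlib.sha256(f"chunk{i}".encode()).hexdigest()[:48]
        ev.append({"host": "ws01", "type": "DnsQuery", "image": "C:\\Windows\\System32\\regsvr32.exe",
                   "query": f"{chunk}.c2.example"})
    return ev


if __name__ == "__main__":
    for host, result in hunt(sample_events()).items():
        print(host, "ESCALATE" if result["escalate"] else "review", result["families"])
        for family, detail in result["findings"]:
            print("   ", family, "-", detail)
```

The side-load rule deliberately keys on the loading process and the directory rather than on the DLL name alone, because goopdate.dll and vcruntime140.dll are loaded legitimately on every Windows host; the escalation step mirrors the article's advice that several of the tools together, not one file, is the signal worth acting on.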