URL: https://www.cybercom.mil/Media/News/Article/2897570/iranian-intel-cyber-suite-of-malware-uses-open-source-tools/
Submission: On February 15 via api from US — Scanned from DE
<form method="post" action="/Media/News/Article/2897570/iranian-intel-cyber-suite-of-malware-uses-open-source-tools/" id="Form" enctype="multipart/form-data">
  <div class="dma-full-width v2-template  ">
    <div id="content" class="skin-border" role="main">
      <div class="border-wrapper">
        <div class="container-fluid nopad container-fluid-max">
          <div class="flex-row flex-row-fw">
            <div id="dnn_SubBannerPane" class="flex-row-col-md backend-cp-collapsible">
              <div class="DnnModule DnnModule-ArticleCS DnnModule-4502"><a name="4502"></a>
                <div class="containers-v2 boxed shadow shadow-rounded has-margin">
                  <span id="dnn_ctr4502_dnnTitle_titleLabel" class="container-title">MORE NEWS</span>
                  <div id="dnn_ctr4502_ContentPane" class="container-content"><!-- Start_Module_4502 -->
                    <div id="dnn_ctr4502_ModuleContent" class="DNNModuleContent ModArticleCSC">
                      <div id="dnn_ctr4502_Article_desktopmodules_articlecs_article_ascx_UpdatePanel1" class="article-view">
                        <div class="adetail news" itemscope="" itemtype="http://schema.org/NewsArticle">
                          <meta itemprop="datePublished" content="Jan. 12, 2022">
                          <div id="news-content" class="article-body">
                            <div class="header">
                              <div class="category-date">
                                <b>NEWS</b> | Jan. 12, 2022
                              </div>
                              <h1 class="title" itemprop="headline">Iranian intel cyber suite of malware uses open source tools</h1>
                              <p class="info">
                                <span class="line">Cyber National Mission Force Public Affairs</span>
                              </p>
                            </div>
                            <div class="body" itemprop="articleBody">
                              <span class="dateline-text"> FORT MEADE, Md.&nbsp;&nbsp;–&nbsp;&nbsp; </span>
                              <p>To better enable defense against malicious cyber actors, U.S. Cyber Command’s Cyber National Mission Force has identified and disclosed multiple open-source tools that Iranian intelligence actors are using in networks
                                around the world.</p>
                              <p>These actors, known as MuddyWater in industry, are part of groups conducting Iranian intelligence activities, and have been seen using a variety of techniques to maintain access to victim networks.</p>
                              <p>MuddyWater is an Iranian threat group; industry has previously reported that it has primarily targeted Middle Eastern nations, and has also targeted European and North American nations.</p>
                              <p>MuddyWater is a subordinate element within the Iranian Ministry of Intelligence and Security (MOIS). According to the
                                <u><a href="https://crsreports.congress.gov/product/pdf/RL/RL32048"><span style="color:#0033ff;">Congressional Research Service</span></a></u>, the MOIS “conducts domestic surveillance to identify regime opponents. It
                                also surveils anti-regime activists abroad through its network of agents placed in Iran’s embassies.”</p>
                              <p>Should a network operator identify several of these tools on the same network, it may indicate the presence of Iranian malicious cyber actors.</p>
                              <p>Below are some technical aspects of how the threat actor could be leveraging malware in networks.</p>
                              <p>These include side-loading DLLs to trick legitimate programs into running malware, and obfuscating PowerShell scripts to hide command-and-control functions. New samples showing the different parts of
                                this suite of tools are posted to VirusTotal, along with JavaScript files used to establish connections back to malicious infrastructure.</p>
                              <p>www.Virustotal.com/en/user/CYBERCOM_Malware_Alert</p>
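As an added, defender-side example that is not part of the CYBERCOM release: a Python check for the PowGoop file co-location the release details below (GoogleUpdate.exe side-loading goopdate.dll, which unpacks goopdate.dat and then config.txt). The constructed sample directory layout, the severity grades and the assumption that a genuine Google Update install also carries goopdate.dll beside GoogleUpdate.exe are mine, not the release's.

```python
"""Flag directories whose contents match the PowGoop side-loading bundle.

Added example, not code from the release. Only file names named in the
release are matched; no file content is read.
"""
import os
import tempfile
from dataclasses import dataclass
from typing import Iterable, List, Optional

# File names the release ties to the PowGoop side-loading chain.
SIDELOAD_HOST = "googleupdate.exe"              # legitimate host executable
SIDELOAD_DLL = "goopdate.dll"                   # DLL it side-loads
STAGE_FILES = ("goopdate.dat", "config.txt")    # obfuscated PowerShell stages
KNOWN = {SIDELOAD_HOST, SIDELOAD_DLL, *STAGE_FILES}

# Assumption: a genuine Google Update install also ships a goopdate.dll next
# to GoogleUpdate.exe, so the bare pair is only suspicious outside that path.
LEGIT_PATH_HINT = "/google/update"


@dataclass
class Finding:
    directory: str
    present: List[str]   # bundle members found, lower-cased and sorted
    severity: str        # "critical" | "high" | "medium"


def assess_directory(directory: str, filenames: Iterable[str]) -> Optional[Finding]:
    """Grade one directory by which PowGoop bundle members it contains."""
    names = {n.lower() for n in filenames}
    present = sorted(names & KNOWN)
    has_pair = SIDELOAD_HOST in names and SIDELOAD_DLL in names
    has_stage = any(s in names for s in STAGE_FILES)
    norm = os.path.normpath(directory).replace("\\", "/").lower()
    in_legit_path = LEGIT_PATH_HINT in norm

    if has_pair and has_stage:
        severity = "critical"      # host, DLL and .dat/.txt stages: the full chain
    elif has_pair:
        if in_legit_path:
            return None            # looks like a normal Google Update folder
        severity = "high"          # side-load pair dropped where Google Update does not live
    elif "goopdate.dat" in names or (SIDELOAD_DLL in names and not in_legit_path):
        severity = "medium"        # partial bundle; config.txt alone is too generic to flag
    else:
        return None
    return Finding(directory, present, severity)


def scan_tree(root: str) -> List[Finding]:
    """Walk a directory tree and collect every directory that grades."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        finding = assess_directory(dirpath, files)
        if finding is not None:
            findings.append(finding)
    return findings


def build_sample_tree() -> str:
    """Constructed sample layout of empty files (no real malware) in a temp dir."""
    root = tempfile.mkdtemp(prefix="powgoop_check_")
    layout = {
        "Tools": ["GoogleUpdate.exe", "goopdate.dll", "goopdate.dat", "config.txt", "readme.txt"],
        "Program Files (x86)/Google/Update": ["GoogleUpdate.exe", "goopdate.dll"],
        "Downloads": ["GoogleUpdate.exe", "goopdate.dll"],
        "Staging": ["goopdate.dat", "config.txt"],
        "Docs": ["config.txt"],
    }
    for rel, files in layout.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(path, exist_ok=True)
        for name in files:
            open(os.path.join(path, name), "w").close()
    return root


if __name__ == "__main__":
    for f in scan_tree(build_sample_tree()):
        print(f"{f.severity:8s} {f.directory}  {', '.join(f.present)}")
```

On a real host, point scan_tree at the roots you care about and feed the findings to your triage queue; a "critical" hit is the complete chain the release describes.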
                              <ul>
                                <li><strong>Previous PowGoop Sample</strong>: <ul style="list-style-type:circle;">
                                    <li>These three samples are all part of the same PowGoop instance. They were identified in a folder with several other legitimate executables and DLLs. goopdate.dll uses DLL side-loading to run when the
                                      non-malicious executable GoogleUpdate.exe is run. goopdate.dll then de-obfuscates goopdate.dat, a PowerShell script that in turn de-obfuscates and runs config.txt. config.txt is a PowerShell script that
                                      establishes network communication with the PowGoop C2 server, using a modified base64 encoding to send data to and from it. The IP address of the C2 server is often hardcoded in config.txt.</li>
                                    <li>goopdate.dll hides communications with the malicious cyber actors’ C2 servers by executing under the Google Update service.</li>
                                  </ul>
                                </li>
                                <li><strong>Additional PowGoop DLL Side-Loading variants:</strong>
                                  <ul style="list-style-type:circle;">
                                    <li>Uses the same technique to de-obfuscate a .dat file, which is a PowerShell script that decodes another PowerShell script with a .txt file extension.</li>
                                    <li>This open-source code has been used for espionage and ransomware; libpcre2-8-0.dll and vcruntime140.dll (PowGoop variants) use different naming conventions to evade antivirus and
                                      manual detection.</li>
                                  </ul>
                                </li>
                                <li><strong>Additional PowGoop Loader variants:</strong>
                                  <ul style="list-style-type:circle;">
                                    <li>Any instance of these files may indicate an attacker in the network: open-source research has found PowGoop loader variants in compromised networks, where they de-obfuscate a PowerShell script that gives the
                                      attacker command and control functions.</li>
                                    <li>The loader de-obfuscates a .txt file, which is another PowerShell script carrying the main C2 functionality.</li>
                                  </ul>
                                </li>
                                <li><strong>Additional PowGoop C2 Beacon variants: </strong>
                                  <ul style="list-style-type:circle;">
                                    <li>Each sample beacons out from the victim network to malicious infrastructure.&nbsp;If you see these files on the network, the malicious cyber actors (MCAs) are likely receiving the beacon as well.&nbsp;</li>
                                  </ul>
                                </li>
                                <li><strong>JavaScript samples:</strong>
                                  <ul style="list-style-type:circle;">
                                    <li>The samples issue an HTTP GET request to malicious servers.&nbsp; The JavaScript files are associated with groups that also employ PowGoop.&nbsp;</li>
                                  </ul>
                                </li>
                                <li><strong>Mori Backdoor sample:</strong>
                                  <ul style="list-style-type:circle;">
                                    <li>This sample is the Mori backdoor, used by malicious cyber actors for espionage; its presence indicates that a network has been compromised.&nbsp; The malware uses DNS tunneling to communicate with its
                                      C2 infrastructure.</li>
                                    <li>The second sample is a likely Mori backdoor. It is run via regsvr32.exe. Key IOCs are the creation of the mutex 0x50504060 and of the registry key HKLM\SOFTWARE\NFC.</li>
                                  </ul>
                                </li>
                              </ul>
                            </div>
                            <div class="tags">
                              <div class="tag"><span class="fa fa-tag fa-lg"></span> <a href="http://www.cybercom.mil/Media/News/Tag/126440/cyber-national-mission-force/">cyber national mission force</a></div>
                              <div class="tag"><span class="fa fa-tag fa-lg"></span> <a href="http://www.cybercom.mil/Media/News/Tag/214231/malicious-cyber-actor/">malicious cyber actor</a></div>
                              <div class="tag"><span class="fa fa-tag fa-lg"></span> <a href="http://www.cybercom.mil/Media/News/Tag/58437/cyber-defense/">cyber defense</a></div>
                              <div class="tag"><span class="fa fa-tag fa-lg"></span> <a href="http://www.cybercom.mil/Media/News/Tag/150976/defend-forward/">Defend Forward</a></div>
                            </div>
                            <div style="clear:both"></div>
                          </div>
                        </div>
                      </div>
                    </div><!-- End_Module_4502 -->
                  </div>
                  <div class="clearfix"></div>
                </div>
              </div>
            </div>
          </div>
        </div>
      </div>
    </div>
  </div>
</form>

Text Content

NEWS | Jan. 12, 2022


IRANIAN INTEL CYBER SUITE OF MALWARE USES OPEN SOURCE TOOLS

Cyber National Mission Force Public Affairs

FORT MEADE, Md.  –  

To better enable defense against malicious cyber actors, U.S. Cyber Command’s
Cyber National Mission Force has identified and disclosed multiple open-source
tools that Iranian intelligence actors are using in networks around the world.

These actors, known as MuddyWater in industry, are part of groups conducting
Iranian intelligence activities, and have been seen using a variety of
techniques to maintain access to victim networks.

MuddyWater is an Iranian threat group; previously, industry has reported that
MuddyWater has primarily targeted Middle Eastern nations, and has also targeted
European and North American nations. 

MuddyWater is a subordinate element within the Iranian Ministry of Intelligence
and Security (MOIS). According to the Congressional Research Service, the MOIS
“conducts domestic surveillance to identify regime opponents. It also surveils
anti-regime activists abroad through its network of agents placed in Iran’s
embassies."

Should a network operator identify several of these tools on the same network,
it may indicate the presence of Iranian malicious cyber actors.

Below are some technical aspects of how the threat actor could be leveraging
malware in networks.

These include DLL side-loading, which tricks a legitimate program into loading
and running malware, and obfuscated PowerShell scripts that hide command and
control (C2) functions.  New samples showing the different parts of this suite
of tools are posted to VirusTotal, along with JavaScript files used to
establish connections back to malicious infrastructure.

www.Virustotal.com/en/user/CYBERCOM_Malware_Alert

 * Previous PowGoop Sample:
   * These three samples are all part of the same PowGoop instance. They were
     identified in a folder alongside several legitimate executables and DLLs.
     goopdate.dll uses DLL side-loading: it is loaded and run when the
     non-malicious executable GoogleUpdate.exe is run. goopdate.dll then
     de-obfuscates goopdate.dat, a PowerShell script that in turn de-obfuscates
     and runs config.txt. config.txt is a PowerShell script that establishes
     network communication with the PowGoop C2 server, using a modified base64
     encoding to send data to and from the server. The IP address of the C2
     server is often hardcoded in config.txt.
   * goopdate.dll hides its communication with the malicious cyber actors’ C2
     servers by executing inside the legitimate Google Update process.
 * Additional PowGoop DLL Side-Loading variants:
   * These use the same technique: the side-loaded DLL de-obfuscates a .dat
     file, a PowerShell script that decodes a second PowerShell script stored
     with a .txt extension.
   * This open-source code has been used for both espionage and ransomware.
     libpcre2-8-0.dll and vcruntime140.dll (PowGoop variants) use different
     file names to evade antivirus and manual detection. Both names belong to
     legitimate libraries, so the file name alone is not an indicator; compare
     the file hash against the published samples.
 * Additional PowGoop Loader variants:
   * Any instance of these files may indicate an attacker in the network:
     open-source research has found PowGoop loader variants in compromised
     networks, where they de-obfuscate a PowerShell script that gives the
     attacker command and control functions.
   * The loader de-obfuscates a .txt file, which is another PowerShell script
     carrying the main C2 functionality.
 * Additional PowGoop C2 Beacon variants:
   * Each sample beacons out from the victim network to malicious
     infrastructure. If you see these files on the network, the malicious
     cyber actors (MCAs) are likely receiving the beacon as well.
 * JavaScript samples:
   * The samples issue an HTTP GET request to malicious servers. The
     JavaScript files are associated with groups that also employ PowGoop.
 * Mori Backdoor sample:
   * This sample is the Mori backdoor, used by malicious cyber actors for
     espionage; its presence indicates that a network has been compromised.
     The malware uses DNS tunneling to communicate with its C2 infrastructure.
   * The second sample is a likely Mori backdoor. It is run via regsvr32.exe.
     Key IOCs are the creation of the mutex 0x50504060 and of the registry key
     HKLM\SOFTWARE\NFC.
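One way to hunt for the PowGoop staging layout (a copied GoogleUpdate.exe beside
a lookalike DLL and its obfuscated .dat/.txt stages) and for the Mori host
indicators listed above, as an added example that is not part of the advisory
or of any CYBERCOM tooling. The file listing and event records are constructed
here; the record field names (EventType, Image, ImageLoaded, TargetObject, Name)
are assumptions modelled on Sysmon image-load and registry events plus a
generic EDR mutex event, and the trusted Google Update install path and the
user-writable path test are likewise assumptions to adapt to your environment.

```python
"""Host-side hunt for the PowGoop and Mori indicators listed above.

Added example, not code from the advisory: the file listing and the event
records are constructed, and the record field names are an assumption
modelled on Sysmon (ImageLoad, RegistryCreate) plus an EDR-style MutexCreate.
"""
import ntpath
from collections import defaultdict

# DLL names the advisory ties to PowGoop side-loading (matched case-insensitively).
POWGOOP_DLLS = {"goopdate.dll", "libpcre2-8-0.dll", "vcruntime140.dll"}
# Obfuscated PowerShell stages found next to the original sample.
POWGOOP_STAGES = {"goopdate.dat", "config.txt"}
# Assumption: where a legitimate GoogleUpdate.exe lives on 64-bit Windows;
# a copy anywhere else is the side-loading setup.
TRUSTED_GOOGLE_DIRS = (r"c:\program files (x86)\google\update",)
MORI_MUTEX = "0x50504060"
MORI_REG_KEY = r"hklm\software\nfc"


def _base(path):
    return ntpath.basename(path).lower()


def _dir(path):
    return ntpath.dirname(path).lower()


def _user_writable(path):
    # Assumption: treat Temp and AppData paths as user-writable staging areas.
    d = _dir(path) + "\\"
    return "\\temp\\" in d or "\\appdata\\" in d


def find_powgoop_staging(paths):
    """Directories where GoogleUpdate.exe sits beside a PowGoop-named DLL and
    at least one obfuscated stage file, the folder layout the advisory describes.
    A real install keeps goopdate.dll in a versioned subdirectory, so it is not hit."""
    names_by_dir = defaultdict(set)
    for p in paths:
        names_by_dir[_dir(p)].add(_base(p))
    return sorted(d for d, names in names_by_dir.items()
                  if "googleupdate.exe" in names
                  and names & POWGOOP_DLLS and names & POWGOOP_STAGES)


def hunt_events(events):
    """Return (rule, detail) findings over Sysmon/EDR-style event dicts."""
    findings = []
    for ev in events:
        kind = ev.get("EventType")
        if kind == "ImageLoad":
            proc, dll = ev["Image"], ev["ImageLoaded"]
            # Side-loading: a copied GoogleUpdate.exe outside its install
            # directory loads a DLL carrying one of the PowGoop names.
            if (_base(proc) == "googleupdate.exe" and _base(dll) in POWGOOP_DLLS
                    and not _dir(proc).startswith(TRUSTED_GOOGLE_DIRS)):
                findings.append(("powgoop_sideload", f"{proc} loaded {dll}"))
            # Mori runs via regsvr32; a DLL registered from a user-writable
            # path is the low-noise slice of that behaviour worth reviewing.
            elif _base(proc) == "regsvr32.exe" and _user_writable(dll):
                findings.append(("regsvr32_userpath_dll", f"{proc} registered {dll}"))
        elif kind == "RegistryCreate" and ev["TargetObject"].lower() == MORI_REG_KEY:
            findings.append(("mori_registry_key", ev["TargetObject"]))
        elif kind == "MutexCreate" and ev["Name"].lower() == MORI_MUTEX:
            findings.append(("mori_mutex", ev["Name"]))
    return findings


# Constructed sample data: one staging folder, one clean Google install,
# a regsvr32 load from Temp, and the Mori host indicators from the advisory.
SAMPLE_FILES = [
    r"C:\Users\bob\AppData\Roaming\Updater\GoogleUpdate.exe",
    r"C:\Users\bob\AppData\Roaming\Updater\goopdate.dll",
    r"C:\Users\bob\AppData\Roaming\Updater\goopdate.dat",
    r"C:\Users\bob\AppData\Roaming\Updater\config.txt",
    r"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe",
    r"C:\Program Files (x86)\Google\Update\1.3.36.152\goopdate.dll",
]
SAMPLE_EVENTS = [
    {"EventType": "ImageLoad", "Image": SAMPLE_FILES[0], "ImageLoaded": SAMPLE_FILES[1]},
    {"EventType": "ImageLoad", "Image": SAMPLE_FILES[4], "ImageLoaded": SAMPLE_FILES[5]},
    {"EventType": "ImageLoad", "Image": r"C:\Windows\System32\regsvr32.exe",
     "ImageLoaded": r"C:\Users\bob\AppData\Local\Temp\loader.dll"},
    {"EventType": "RegistryCreate", "TargetObject": r"HKLM\SOFTWARE\NFC"},
    {"EventType": "MutexCreate", "Name": "0x50504060"},
]

if __name__ == "__main__":
    print("staging dirs:", find_powgoop_staging(SAMPLE_FILES))
    for rule, detail in hunt_events(SAMPLE_EVENTS):
        print(f"{rule:24} {detail}")
```

The clean install in the sample is deliberately not flagged: its GoogleUpdate.exe
loads the genuine goopdate.dll from the trusted directory, which is why the
side-loading rule keys on the process path rather than on the DLL name alone.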
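The Mori entry says only that the backdoor tunnels its C2 over DNS. As an added
example that is not from the advisory, the following scores DNS query logs with
generic tunneling heuristics (subdomain entropy, subdomain length,
distinct-subdomain fan-out and TXT/NULL ratio per zone). The query log, the
zone split (last two labels) and the thresholds are all constructed
assumptions; nothing here is specific to Mori's actual encoding, which the
advisory does not describe.

```python
"""Score DNS query logs for tunneling, the C2 channel the advisory attributes
to the Mori backdoor.

Added example, not code from the advisory: the query log is constructed, the
zone split (last two labels) and the thresholds are assumptions, and the
heuristics are generic tunneling indicators, not Mori's actual encoding.
"""
import math
from collections import defaultdict


def shannon_entropy(s):
    """Bits per character; random hex approaches 4.0, English words sit far lower."""
    if not s:
        return 0.0
    n = len(s)
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname, zone_labels=2):
    """Split a query name into (subdomain, zone), zone being the last
    `zone_labels` labels.  Assumption: no public-suffix list, so a zone such
    as co.uk needs zone_labels=3 to be handled correctly."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) <= zone_labels:
        return "", ".".join(labels)
    return ".".join(labels[:-zone_labels]), ".".join(labels[-zone_labels:])


def score_zones(queries, min_queries=5):
    """Aggregate per zone and return {zone: stats} with a tunnel verdict.
    Each query is a dict with 'qname' and 'qtype' (constructed log format)."""
    acc = defaultdict(lambda: {"n": 0, "subs": set(), "ent": 0.0, "len": 0, "txt": 0})
    for q in queries:
        sub, zone = split_name(q["qname"])
        z = acc[zone]
        z["n"] += 1
        z["subs"].add(sub)
        z["ent"] += shannon_entropy(sub.replace(".", ""))  # payload may span labels
        z["len"] += len(sub)
        z["txt"] += q["qtype"] in ("TXT", "NULL")
    results = {}
    for zone, z in acc.items():
        if z["n"] < min_queries:  # too few queries to judge
            continue
        avg_ent = z["ent"] / z["n"]
        avg_len = z["len"] / z["n"]
        unique_ratio = len(z["subs"]) / z["n"]
        txt_ratio = z["txt"] / z["n"]
        # Each heuristic votes; the thresholds are assumptions to tune per network.
        score = (int(avg_ent > 3.5) + int(avg_len > 30)
                 + int(unique_ratio > 0.8) + int(txt_ratio > 0.5))
        results[zone] = {"queries": z["n"], "avg_entropy": round(avg_ent, 2),
                         "avg_sub_len": round(avg_len, 1),
                         "unique_ratio": round(unique_ratio, 2),
                         "txt_ratio": round(txt_ratio, 2),
                         "score": score, "suspect": score >= 3}
    return results


# Constructed query log: ordinary lookups against example.com, too few lookups
# against example.org to judge, and tunnel-shaped TXT queries against
# example.net whose subdomains are hex blobs (each hex digit used twice, so
# the entropy is exactly 4.0 bits per character).
SAMPLE_QUERIES = [
    {"qname": "www.example.com", "qtype": "A"},
    {"qname": "mail.example.com", "qtype": "A"},
    {"qname": "www.example.com", "qtype": "A"},
    {"qname": "api.example.com", "qtype": "A"},
    {"qname": "www.example.com", "qtype": "A"},
    {"qname": "cdn.example.com", "qtype": "A"},
    {"qname": "www.example.org", "qtype": "A"},
    {"qname": "www.example.org", "qtype": "A"},
    {"qname": "0123456789abcdeffedcba9876543210.example.net", "qtype": "TXT"},
    {"qname": "13579bdf02468ace.eca86420fdb97531.example.net", "qtype": "TXT"},
    {"qname": "02468ace13579bdffdb97531eca86420.example.net", "qtype": "TXT"},
    {"qname": "89abcdef0123456776543210fedcba98.example.net", "qtype": "TXT"},
    {"qname": "ba9876543210fedccdef0123456789ab.example.net", "qtype": "TXT"},
]

if __name__ == "__main__":
    for zone, stats in score_zones(SAMPLE_QUERIES).items():
        print(zone, stats)
```

Per-zone aggregation matters more than any single query: one long TXT lookup is
normal (DKIM, SPF), whereas dozens of unique, high-entropy subdomains under one
zone are the shape a tunnel cannot avoid, whatever encoding it uses.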

