The United States Cyber Command (CYBERCOM) has identified and disclosed multiple tools that Iranian intelligence actors are using in networks around the world, according to a report from the US Department of Defense.
REFERENCES:
https://www.cybercom.mil/Media/News/Article/2897570/iranian-intel-cyber-suite-of-malware-uses-open-source-tools/
https://www.sentinelone.com/labs/wading-through-muddy-waters-recent-activity-of-an-iranian-state-sponsored-threat-actor/
ADVERSARY:
MALWARE FAMILIES:
MuddyWater, Mori, PowGoop
ATT&CK IDS:
T1003 - OS Credential Dumping, T1016 - System Network Configuration Discovery, T1027 - Obfuscated Files or Information, T1033 - System Owner/User Discovery, T1036 - Masquerading, T1041 - Exfiltration Over C2 Channel, T1047 - Windows Management Instrumentation, T1049 - System Network Connections Discovery, T1053 - Scheduled Task/Job, T1057 - Process Discovery, T1059 - Command and Scripting Interpreter, T1071 - Application Layer Protocol, T1082 - System Information Discovery, T1083 - File and Directory Discovery, T1087 - Account Discovery, T1090 - Proxy, T1102 - Web Service, T1104 - Multi-Stage Channels, T1105 - Ingress Tool Transfer, T1113 - Screen Capture, T1132 - Data Encoding, T1137 - Office Application Startup, T1140 - Deobfuscate/Decode Files or Information, T1203 - Exploitation for Client Execution, T1204 - User Execution, T1218 - Signed Binary Proxy Execution, T1219 - Remote Access Software, T1518 - Software Discovery, T1547 - Boot or Logon Autostart Execution, T1548 - Abuse Elevation Control Mechanism, T1552 - Unsecured Credentials, T1555 - Credentials from Password Stores, T1559 - Inter-Process Communication, T1560 - Archive Collected Data, T1562 - Impair Defenses, T1566 - Phishing, T1583 - Acquire Infrastructure, T1588 - Obtain Capabilities, T1589 - Gather Victim Identity Information, T1574.001 - DLL Search Order Hijacking, T1059.001 - PowerShell, T1572 - Protocol Tunneling, T1505.003 - Web Shell, T1190 - Exploit Public-Facing Application, T1220 - XSL Script Processing
*Beware when clicking the links!