Security researchers from FireEye have spotted an Iranian threat group dubbed “TEMP.Zagros” that is targeting government and defense organizations in Asia and the Middle East.
The latest activity was observed by FireEye between January and March of 2018. The bad actors use the “latest code execution and persistence techniques” as part of a spear phishing campaign in order to distribute malicious macro-based documents and install a backdoor FireEye is tracking called “POWERSTATS”. The campaign also appears to be using geopolitical themes.
“One of the more interesting observations during the analysis of these files was the re-use of the latest AppLocker bypass, and lateral movement techniques for the purpose of indirect code execution. The IP address in the lateral movement techniques was substituted with the local machine IP address to achieve code execution on the system,” according to the FireEye report.
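The substitution FireEye describes, a lateral-movement command pointed at the machine's own address so that a remote-administration syntax ends up executing code locally, is something a defender can look for in process-creation telemetry. The following is an added example written for this page, not code from FireEye's report; the log format, the host-argument patterns and the addresses are all constructed assumptions, and the check simply flags any "remote" execution whose target resolves to the local host.

```python
"""Flag remote-execution style commands whose target is the local machine.

Added example (not from the FireEye report). It scans constructed
process-creation log lines and reports commands that carry a host argument
(UNC path, /node:, -ComputerName, -s) where that host is the machine itself,
the pattern the article attributes to TEMP.Zagros: a lateral-movement
technique reused for indirect local code execution.
"""
import ipaddress
import re
from typing import Dict, List, Optional

# Constructed: addresses and names this host considers its own. In a real
# deployment these would come from the sensor's host inventory.
LOCAL_ADDRESSES = {"10.0.0.25"}
LOCAL_HOSTNAMES = {"localhost", "ws-025"}

# Hypothetical log format: "<ts> pid=<n> ppid=<n> image=<path> cmd=<command line>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+pid=(?P<pid>\d+)\s+ppid=(?P<ppid>\d+)\s+"
    r"image=(?P<image>\S+)\s+cmd=(?P<cmd>.*)$"
)

# Host-argument shapes used by common remote-administration syntaxes:
# "\\host\share", "/node:host", "-ComputerName host", "-s host".
HOST_ARG_RE = re.compile(
    r"(?:\\\\|/node:|-ComputerName\s+|-s\s+)(?P<host>[A-Za-z0-9_.:\-\[\]]+)",
    re.IGNORECASE,
)


def is_local_target(host: str) -> bool:
    """True when the host argument names this machine (loopback, own IP, own name)."""
    name = host.strip("[]").lower()
    if name in LOCAL_HOSTNAMES:
        return True
    try:
        addr = ipaddress.ip_address(name)
    except ValueError:
        return False  # an unresolved hostname we do not recognise as ours
    return addr.is_loopback or str(addr) in LOCAL_ADDRESSES


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one constructed process-creation record; None if it does not match."""
    match = LOG_RE.match(line.strip())
    return match.groupdict() if match else None


def find_self_targeted_execution(lines: List[str]) -> List[Dict[str, str]]:
    """Return records whose 'remote' host argument points back at this machine."""
    findings = []
    for line in lines:
        record = parse_line(line)
        if record is None:
            continue
        host_match = HOST_ARG_RE.search(record["cmd"])
        if host_match and is_local_target(host_match.group("host")):
            findings.append(
                {"pid": record["pid"], "image": record["image"],
                 "host": host_match.group("host"), "cmd": record["cmd"]}
            )
    return findings


# Constructed sample telemetry: three self-targeted "remote" executions,
# one genuine remote administration command, one ordinary local command.
CONSTRUCTED_LOGS = [
    r"2018-02-14T10:02:11Z pid=4120 ppid=3988 image=C:\Windows\System32\cmd.exe cmd=cmd.exe /c start \\127.0.0.1\share\update.exe",
    r"2018-02-14T10:02:13Z pid=4131 ppid=3988 image=C:\Windows\System32\wbem\WMIC.exe cmd=wmic /node:10.0.0.25 process call create notepad.exe",
    r"2018-02-14T10:03:40Z pid=4190 ppid=612 image=C:\Windows\System32\wbem\WMIC.exe cmd=wmic /node:10.0.0.40 os get caption",
    r"2018-02-14T10:04:02Z pid=4201 ppid=3988 image=C:\Windows\System32\notepad.exe cmd=notepad.exe report.txt",
    r"2018-02-14T10:05:19Z pid=4222 ppid=3988 image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmd=powershell Invoke-Command -ComputerName localhost -ScriptBlock {whoami}",
]


if __name__ == "__main__":
    for hit in find_self_targeted_execution(CONSTRUCTED_LOGS):
        print(f"pid {hit['pid']}: {hit['image']} targets local host {hit['host']}")
```

The rule deliberately ignores the tool name and keys on the target instead: whichever remote-execution utility or bypass is in fashion, a "remote" invocation aimed at the local machine has little legitimate use and is worth a review, especially when the parent process is an Office application that just opened a macro document.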