In one instance, the Output Messenger client on a victim's device connected to an IP address linked to the Marbled Dust threat group, likely for data exfiltration, shortly after the attacker instructed the malware to collect files and archive them as a RAR archive. Microsoft Threat Intelligence analysts who spotted these attacks also discovered the security flaw (CVE-2025-27920) in the LAN messaging application, a directory traversal vulnerability that can let authenticated attackers access sensitive files outside the intended directory or deploy malicious payloads on the server's startup folder. "While we currently do not have visibility into how Marbled Dust gained authentication in each instance, we assess that the threat actor leverages DNS hijacking or typo-squatted domains to intercept, log, and reuse credentials, as these are techniques leveraged by Marbled Dust in previously observed malicious activity," Microsoft said. Microsoft revealed on Monday that the hacking group (also tracked as Sea Turtle, SILICON, and UNC1326) targeted users who hadn't updated their systems to infect them with malware after gaining access to the Output Messenger Server Manager application. After compromising the server, Marbled Dust hackers could steal sensitive data, access all user communications, impersonate users, gain access to internal systems, and cause operational disruptions. Last year, Marbled Dust was also linked to multiple espionage campaigns targeting organizations in the Netherlands, mainly targeting telecommunications companies, internet service providers (ISPs), and Kurdish websites between 2021 and 2023. Marbled Dust is known for targeting Europe and the Middle East, focusing on telecommunications and IT companies, as well as government institutions and organizations opposing the Turkish government. They're also exploiting their access to compromised DNS registries to change government organizations' DNS server configurations, which allows them to intercept traffic and steal credentials in man-in-the-middle attacks. A Türkiye-backed cyberespionage group exploited a zero-day vulnerability to attack Output Messenger users linked to the Kurdish military in Iraq. "This new attack signals a notable shift in Marbled Dust's capability while maintaining consistency in their overall approach," Microsoft added. Next, the attackers deployed a backdoor (OMServerService.exe) onto the victims' devices, which checked connectivity against an attacker-controlled command-and-control domain (api.wordinfos[.]com) and then provided the threat actors with additional information to identify each victim.
This Cyber News was published on www.bleepingcomputer.com. Publication date: Mon, 12 May 2025 17:34:54 +0000