New MuddyWater Campaign Uses Legitimate Remote Administration Tools to Deploy Malware


Deep Instinct identified a new campaign by the MuddyWater threat group, which has been active since at least 2017 and frequently conducts campaigns against high-value targets in American, European, and Asian countries.

MuddyWater, also known as MERCURY or Static Kitten, is an APT group recently attributed to Iran’s Ministry of Intelligence and Security (MOIS) by U.S. Cyber Command. 

New Campaign of the MuddyWater Group

Previous studies have revealed that in 2020 MuddyWater sent spearphishing emails with direct links as well as PDF and RTF attachments containing links to archives hosted at “ws[.]onehub[.]com.”

Those archives contained the installer for “RemoteUtilities,” a legitimate remote administration tool.

Campaign Overview

At the beginning of 2021, spearphishing emails sent by MuddyWater were seen to contain either direct links or Word documents with links to archives.

“A potential file related to this campaign was observed, but it contained Atera Agent instead of the usual ScreenConnect, potentially signaling the threat actor switched to another remote administration tool to avoid detection of their long-running campaign,” explains a Deep Instinct researcher.

Further, the introduction of a brand-new remote management tool by the name of “Syncro” sets this campaign apart from previous waves. 

Syncro is a fully-featured platform for Managed Service Providers (MSPs) to run their business. Syncro provides an agent that lets MSPs manage any device on which Syncro has been installed using the provided custom-made MSI file.

Along with the addition of further hosts for the archives containing the installers of the remote administration tool, a new lure in the form of an HTML attachment was seen.

Email containing a direct link to Dropbox

This email was sent from an Egyptian data hosting company. This time, MuddyWater hosted the archive with the Syncro installation using Dropbox.

Zip archive hosted on Dropbox containing MSI installer for Syncro

In this case, MuddyWater sent another email from the same address of an Egyptian hosting company to another Egyptian hosting company on the same day. The email carried an HTML attachment. Because the attachment is not an archive or an executable, it does not raise end-user suspicion, as HTML is mostly overlooked in phishing awareness training and simulations.

HTML attachment containing a link to OneDrive

The link inside the HTML file directs users to OneDrive, where an archive containing the Syncro MSI installer is hosted.

Final Word

“All those features combined with a signed MSI installer creates the perfect weapon for a threat actor to gain initial access and start performing recon on the target,” according to Deep Instinct.

It is advisable to keep a lookout for remote desktop solutions that are uncommon within the company as they are more likely to be misused.
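One way to act on that advice is to sweep a software inventory for the remote administration tools named in this article and rank the unapproved ones by how few hosts run them. The sketch below is an added example, not code from Deep Instinct; the approved list, the name patterns and the inventory rows are constructed assumptions to be replaced with your own data.

```python
import re
from collections import defaultdict

# Remote administration tools named in the article; extend for your environment.
RMM_PATTERNS = {
    "RemoteUtilities": re.compile(r"\bremote\s*utilities\b", re.I),
    "ScreenConnect": re.compile(r"\bscreen\s*connect\b", re.I),
    "Atera Agent": re.compile(r"\batera", re.I),
    "Syncro": re.compile(r"\bsyncro\b", re.I),
}

# Assumption: the one tool this hypothetical organisation has sanctioned.
APPROVED = {"ScreenConnect"}

# Constructed inventory rows (host, installed product name), not real telemetry.
SAMPLE_INVENTORY = [
    ("ws-001", "ScreenConnect Client"),
    ("ws-001", "Remote Utilities - Host"),
    ("ws-002", "ScreenConnect Client"),
    ("ws-003", "ScreenConnect Client"),
    ("ws-003", "Syncro"),
    ("ws-004", "AteraAgent"),
    ("ws-005", "Remote Utilities - Host"),
    ("ws-005", "Data Synchronizer"),
]

def classify(product):
    """Map an installed-product name to a known RMM tool, or None."""
    for tool, pattern in RMM_PATTERNS.items():
        if pattern.search(product):
            return tool
    return None

def find_unapproved_rmm(inventory, approved=APPROVED):
    """Return unapproved RMM tools, rarest first, with the hosts running them."""
    all_hosts = {host for host, _ in inventory}
    seen = defaultdict(set)
    for host, product in inventory:
        tool = classify(product)
        if tool and tool not in approved:
            seen[tool].add(host)
    findings = [
        {"tool": t, "hosts": sorted(h), "share": len(h) / len(all_hosts)}
        for t, h in seen.items()
    ]
    return sorted(findings, key=lambda f: (f["share"], f["tool"]))

if __name__ == "__main__":
    for f in find_unapproved_rmm(SAMPLE_INVENTORY):
        print(f"{f['tool']:16} {f['share']:.0%} of hosts  {', '.join(f['hosts'])}")
```

A tool that appears on one or two hosts and is not on the approved list is the first thing to investigate, since the agents in this campaign arrive as signed MSI installers that other controls may not flag.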
