MuddyWater APT has continued targeting government and private sectors since 2017 and resumed spear-phishing campaigns in February 2024 with new techniques. The group now leverages in-house tools and compromised accounts to deliver MSI-based payloads via ZIPs and PDFs hosted on third-party file upload services, using legitimate remote management tools such as Atera and ConnectWise ScreenConnect to gain persistence and control. #MuddyWater #MuddyC2Go #Atera #ScreenConnect
Keypoints
- MuddyWater has expanded its targeting to Israel, Africa, and Türkiye, with activity aligned to Iran's political agenda.
- New spear-phishing campaigns in 2024 use PDFs and ZIPs containing MSI installers delivered via compromised accounts.
- Attackers weaponize third-party file upload services (Onehub, freeupload.store, filetransfer.io, egnyte.com, terabox.com, and others) to host and deliver the payloads.
- The use of legitimate RMM tools (Atera and ConnectWise ScreenConnect) enables persistence and remote control after installation.
- The Atera agent MSIs carry IntegratorLogin and AccountID installer properties that bind each agent to the account that generated it; because the actors build agents per target, these values both tie the installer to a specific organization or individual and expose the compromised accounts used.
- Threat researchers note a shift toward reducing digital footprint and increasing use of compromised accounts to distribute tools and escalate access.
MITRE Techniques
- [T1566.001] Spearphishing Attachment – The attackers deliver MSI installers via ZIPs and PDF attachments in spear-phishing emails. Quote: ‘Phishing attacks often use PDF attachments that contain agents downloaded from third-party file upload services.’
- [T1566.002] Spearphishing Link – The campaign uses download links embedded in emails or PDFs that point to tool ZIPs hosted on file upload services. Quote: ‘they attach the malicious file download links directly in emails or PDF files.’
- [T1219] Remote Access Software – Attackers leverage legitimate RMM tools (Atera, ScreenConnect) to gain remote access and control over victims' devices; the agent is unmodified vendor software, so the connection looks like routine IT management. Quote: 'RMM Tools: Atera and ScreenConnect are applications that offer device management (RMM) through remote connection for IT managers. Although they provide IT automation and system management, because they are legitimate software, they are often the preferred access method for various ransomware and APT groups.'
- [T1078] Valid Accounts – Compromised accounts are used to create and distribute the RMM agents. Quote: ‘agents of Atera and ConnectWise ScreenConnect remote administration management (RMM) software were created using compromised accounts.’
- [T1583.006] Acquire Infrastructure: Web Services – Rather than standing up their own hosting, the attackers stage payloads on legitimate third-party file upload services and abuse RMM vendor accounts, so there is no attacker-owned domain to block. Quote: 'taking over third-party tools.'
- [T1105] Ingress Tool Transfer – The agent build files are delivered to victims via the targeted campaigns and third-party upload services. Quote: ‘The agent build files of this software were then sent to victims via spear-phishing attacks.’
- [T1036] Masquerading – The installers are named as lures relevant to the target (e.g. Salary.msi, Leonardo Hotels-tourism software.msi) and install genuine, vendor-signed RMM agents, so neither the file name nor the binary looks like malware. Quote: 'RMM Tools: Atera and ScreenConnect are applications that offer device management (RMM) through remote connection for IT managers.'
Indicators of Compromise
- [SHA256] File Hashes – e89f48a7351c01cbf2f8e31c65a67f76a5ead689bb11e9d4918090a165d4425f, Salary.msi; dd2675e2f6835f8a8a0e65e9dbc763ca9229b55af7d212da38b949051ae296a5, karel.com.tr.telekomünikasyonWebsemineri.msi (Turkish, 'telecommunications webinar') (and 2 more hashes)
- [File Name] File names – Salary.msi, תםוכנת תיירות.msi (Hebrew, 'tourism software'), Leonardo Hotels-tourism software.msi (and 2 more)
- [URL] Download links to tool ZIPs – https://ws.onehub[.]com/files/4mbha9wd, https://ws.onehub[.]com/files/kwdphknm (and 2 more URLs)
- [Domain] Domains used for hosting/file-upload – onehub[.]com, egnyte[.]com, freeupload[.]store, filetransfer[.]io, terabox[.]com (and 2 more domains including snyc[.]com)
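The delivery chain in the keypoints and the indicators above lend themselves to a host-level hunt: a download from one of the listed file-upload services, an MSI matching a listed hash, msiexec run with an IntegratorLogin that is not the organization's own Atera account, and a successful install of an RMM agent. The Python below is an added example, not code from the Malwation blog: it applies those checks to constructed log lines and correlates them per host. The key=value log format, the hostnames WS-17 and WS-02, the sanctioned account itadmin@example.com, and the assumption that the Atera properties appear on the msiexec command line (or have already been pulled out of the MSI's Property table into that field) are all assumptions for the example; the hashes and domains are the page's own.

```python
"""Hunt log lines for the MuddyWater RMM-agent delivery chain (added example)."""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass
from urllib.parse import urlsplit

# File-upload services and MSI hashes from the page's IoC list.
FILE_HOST_DOMAINS = {"onehub.com", "egnyte.com", "freeupload.store", "filetransfer.io", "terabox.com"}
MSI_HASHES = {
    "e89f48a7351c01cbf2f8e31c65a67f76a5ead689bb11e9d4918090a165d4425f",  # Salary.msi
    "dd2675e2f6835f8a8a0e65e9dbc763ca9229b55af7d212da38b949051ae296a5",  # karel.com.tr.telekomünikasyonWebsemineri.msi
}
# Product names the Atera and ScreenConnect agents register with Windows Installer.
RMM_PRODUCT_RE = re.compile(r"AteraAgent|ScreenConnect Client", re.I)
# Assumption: the only Atera account allowed to deploy agents in this environment.
SANCTIONED_INTEGRATOR_LOGINS = {"itadmin@example.com"}

# key=value fields; quoted values may contain spaces and '=' (e.g. a full command line).
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
INTEGRATOR_RE = re.compile(r"IntegratorLogin=(\S+)", re.I)
ACCOUNT_RE = re.compile(r"AccountId=(\S+)", re.I)


@dataclass(frozen=True)
class Finding:
    host: str
    rule: str
    detail: str


def parse_line(line: str) -> dict[str, str]:
    """Turn one key=value log line into a dict (quoted or bare values)."""
    return {key: quoted or bare for key, quoted, bare in KV_RE.findall(line)}


def _on_file_host(url: str) -> bool:
    fqdn = (urlsplit(url).hostname or "").lower()
    return any(fqdn == d or fqdn.endswith("." + d) for d in FILE_HOST_DOMAINS)


def analyze(lines: list[str]) -> list[Finding]:
    """Apply one rule per log type; each stage of the chain yields a Finding."""
    findings: list[Finding] = []
    for line in lines:
        rec = parse_line(line)
        host, kind = rec.get("host", "?"), rec.get("type")
        if kind == "proxy" and _on_file_host(rec.get("url", "")):
            # Legitimate services: a hunting lead to correlate, not a block-list hit by itself.
            findings.append(Finding(host, "payload_staging_host", rec["url"]))
        elif kind == "file" and rec.get("sha256", "").lower() in MSI_HASHES:
            findings.append(Finding(host, "known_msi_hash", rec.get("path", "")))
        elif kind == "proc" and "msiexec" in rec.get("image", "").lower():
            cmd = rec.get("cmdline", "")
            login = INTEGRATOR_RE.search(cmd)
            if login and login.group(1).lower() not in SANCTIONED_INTEGRATOR_LOGINS:
                acct = ACCOUNT_RE.search(cmd)
                detail = f"IntegratorLogin={login.group(1)} AccountId={acct.group(1) if acct else '?'}"
                findings.append(Finding(host, "unsanctioned_atera_agent", detail))
        elif kind == "msi" and rec.get("event") == "11707" and RMM_PRODUCT_RE.search(rec.get("product", "")):
            # 11707 = MsiInstaller "installation completed successfully".
            findings.append(Finding(host, "rmm_agent_installed", rec["product"]))
    return findings


def stage_counts(findings: list[Finding]) -> dict[str, int]:
    """Distinct chain stages seen per host; two or more is worth an analyst's time."""
    stages: dict[str, set[str]] = defaultdict(set)
    for f in findings:
        stages[f.host].add(f.rule)
    return {host: len(rules) for host, rules in stages.items()}


# Constructed sample log lines (not from the page or any real incident).
SAMPLE_LOGS = [
    'type=proxy host=WS-17 url=https://ws.onehub.com/files/4mbha9wd bytes=2211840',
    'type=proxy host=WS-17 url=https://www.example.com/index.html bytes=512',
    'type=file host=WS-17 path="C:\\Users\\u\\Downloads\\Salary.msi" '
    'sha256=e89f48a7351c01cbf2f8e31c65a67f76a5ead689bb11e9d4918090a165d4425f',
    'type=proc host=WS-17 image="C:\\Windows\\System32\\msiexec.exe" '
    'cmdline="msiexec /i Salary.msi /qn IntegratorLogin=ops@contoso.example AccountId=0013z00002AbCdE"',
    'type=proc host=WS-02 image="C:\\Windows\\System32\\msiexec.exe" '
    'cmdline="msiexec /i AteraAgent.msi /qn IntegratorLogin=itadmin@example.com AccountId=0013z00001XyZ"',
    'type=msi host=WS-17 event=11707 product="ScreenConnect Client (a1b2c3d4e5f6a7b8)"',
]

if __name__ == "__main__":
    hits = analyze(SAMPLE_LOGS)
    for f in hits:
        print(f"{f.host}: {f.rule}: {f.detail}")
    print("stages per host:", stage_counts(hits))
```

The sanctioned deployment on WS-02 produces nothing because its IntegratorLogin is the organization's own account; WS-17 trips all four stages. In production the allow-list should be the organization's actual Atera account(s), and the IntegratorLogin/AccountId pair from an unsanctioned install is the value to hand to the vendor when reporting the compromised account.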
Read more: https://www.malwation.com/blog/new-muddywater-campaigns-after-operation-swords-of-iron