New MuddyWater Threat: Old Kitten; New Tricks | Deep Instinct

MuddyWater (aka Static Kitten, Mercury) is an Iran MOIS-linked cyber espionage group that has expanded its targeting with campaigns using spearphishing and legitimate remote administration tools. The latest campaign uses HTML attachments and hosted archives to deliver Syncro MSI installers, targeting multiple Middle Eastern and global entities across sectors.
#MuddyWater #Syncro #ScreenConnect #OneHub #OneDrive #Dropbox #Atera #Ertiqa

Key Points

  • The latest MuddyWater campaign employs spearphishing to distribute MSI installers for legitimate remote administration tools (Syncro).
  • Targets span Armenia, Azerbaijan, Egypt, Iraq, Israel, Jordan, Oman, Qatar, Tajikistan, and the United Arab Emirates, aligning with previous MuddyWater focus areas.
  • The actor previously used tools like RemoteUtilities and ScreenConnect; in this wave, Syncro is the primary tool, with potential adoption of Atera Agent in July 2022.
  • Attack chains combine direct links or HTML attachments with archives hosted on OneHub, Dropbox, and OneDrive to deliver installers.
  • Syncro is presented as a fully featured MSP platform, enabling remote control, file access, and other admin capabilities via MSI installers signed for each target.
  • End users may be deceived by HTML attachments and legitimate-looking emails sent from compromised or legitimate corporate accounts.

MITRE Techniques

  • [T1566.001] Phishing: Spearphishing Attachment – MuddyWater has compromised third parties and used compromised accounts to send spearphishing emails with targeted attachments to recipients.
  • [T1566.002] Phishing: Spearphishing Link – MuddyWater has compromised third parties and used compromised accounts to send spearphishing emails containing links to legitimate domains hosting archives with remote management software.
  • [T1219] Remote Access Software – MuddyWater has used a legitimate application, Syncro, to manage systems remotely and move laterally.
  • [T1588.002] Obtain Capabilities: Tool – MuddyWater has used a legitimate application, Syncro, to manage systems remotely and move laterally.
  • [T1583.006] Acquire Infrastructure: Web Services – MuddyWater has used file sharing services including OneHub, Dropbox, and OneDrive to distribute tools.

Indicators of Compromise

  • [Hash] – f511bdd471096fc81dc8dad6806624a73837710f99b76b69c6501cb90e37c311, efd5271bdb57f52b4852bfda05122b9ff85991c0600befcbd045f81d7a78eac5
  • [Hash] – d65d80ab0ccdc7ff0a72e71104de2b4c289c02348816dce9996ba3e2a4c1dd62, 1670a59f573037142f417fb8c448a9022c8d31a6b2bf93ad77a9db2924b502af
  • [URL] – https://urlscan.io/result/c6f46810-ee19-47b4-8717-40dc09b4ea09/
  • [Domain] – instance-q927ui-relay.screenconnect.com
  • [File] – Ertiqa.msi, promotion.msi
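As an added defensive example (not code from the Deep Instinct post), the following Python triages constructed process and network telemetry against the delivery chain described above: it matches the MSI file names and relay domain listed in the indicators, and adds two heuristics, an archive or MSI fetched from one of the named file-sharing services and an MSI launched by msiexec from a user-writable path. The file-sharing hostnames, the event schema and the sample events are assumptions.

```python
import re
# Indicators copied from the page's IoC list
IOC_MSI_NAMES = {"ertiqa.msi", "promotion.msi"}
IOC_DOMAINS = {"instance-q927ui-relay.screenconnect.com"}
# File-sharing services named on the page; these hostnames are assumptions
STAGING_HOSTS = ("onehub.com", "dropbox.com", "onedrive.live.com", "1drv.ms")
# Heuristic: an MSI launched from a user-writable location (Downloads, Temp)
USER_WRITABLE = re.compile(r"\\(downloads|temp|appdata\\local\\temp)\\", re.I)
MSI_ARG = re.compile(r'"?([^"\s]+\.msi)"?', re.I)

def triage_process(event):
    """Reasons a process-creation event matches the Syncro MSI install step."""
    reasons = []
    m = MSI_ARG.search(event.get("cmdline", ""))
    if not event.get("image", "").lower().endswith("msiexec.exe") or not m:
        return reasons
    path = m.group(1)
    name = path.rsplit("\\", 1)[-1].lower()
    if name in IOC_MSI_NAMES:
        reasons.append(f"page-listed MSI name: {name}")
    if USER_WRITABLE.search(path):
        reasons.append("MSI installed from user-writable path")
    return reasons

def triage_network(event):
    """Reasons a DNS/proxy event matches the staging or relay infrastructure."""
    reasons = []
    host = event.get("host", "").lower()
    path = event.get("url", "").lower().split("?", 1)[0]  # drop query string
    if host in IOC_DOMAINS:
        reasons.append("page-listed ScreenConnect relay domain")
    if host.endswith(STAGING_HOSTS) and path.endswith((".zip", ".rar", ".msi")):
        reasons.append("archive/MSI fetched from a file-sharing service")
    return reasons

def triage(events):
    """Return [(index, reasons)] for every event with at least one reason."""
    hits = []
    for i, ev in enumerate(events):
        check = triage_process if ev["type"] == "process" else triage_network
        if reasons := check(ev):
            hits.append((i, reasons))
    return hits

SAMPLE_EVENTS = [  # constructed sample telemetry, not taken from the report
    {"type": "network", "host": "www.dropbox.com", "url": "https://www.dropbox.com/s/x/Ertiqa.zip?dl=1"},
    {"type": "process", "image": r"C:\Windows\System32\msiexec.exe", "cmdline": r'msiexec.exe /i "C:\Users\user\Downloads\Ertiqa\Ertiqa.msi"'},
    {"type": "network", "host": "instance-q927ui-relay.screenconnect.com", "url": ""},
    {"type": "process", "image": r"C:\Windows\System32\msiexec.exe", "cmdline": r"msiexec.exe /i C:\ProgramData\Vendor\update.msi /qn"},
]
```

The last sample event is a vendor MSI installed silently from ProgramData and is deliberately not flagged, so the heuristics do not fire on every msiexec run.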

Read more: https://www.deepinstinct.com/blog/new-muddywater-threat-old-kitten-new-tricks