Iranian MuddyWater Hacker Group Utilizing ScreenConnect for Nefarious Purposes

Anomali Threat Research has identified a campaign, probably by the Iran-based cyberespionage group Static Kitten (aka MuddyWater), targeting government agencies in the Middle East.

Key findings

The Static Kitten group has been steadily using Israeli geopolitical-themed lures, Ministry of Foreign Affairs references, and file-storage service Onehub.
  • The key component of Static Kitten’s recent campaign is a remote management tool called ConnectWise Control (formerly ScreenConnect) with unique launch parameters that have custom properties.
  • The researchers have identified two ZIP files, hosted on Onehub and with trendy government agency-themed lure, directing users to a downloader URL that tricks recipients into launching the hidden ScreenConnect installation process.
  • The use of ScreenConnect enables the group to connect to endpoints on client networks, conduct further lateral movements, and facilitate automated actions on data theft objectives.

Static Kitten’s recent arsenal update

  • One month ago, the group had added malware to its arsenal that leveraged weaponized Word documents to download a PowerShell script from GitHub.
  • The PowerShell script further downloaded a legitimate image file from image hosting service Imgur to calculate a Cobalt Strike payload on Windows systems.
  • In October 2020, Static Kitten was found using PDF-based dropper tools, Covicli backdoor, and PowGoop Loader for its Operation Quicksand campaign.

Closing notes

Static Kitten has continuously raised its level of sophistication over the past few months. The utilization of legitimate software and service for malicious purposes helps the criminals obfuscate easily, making it an ever-growing dreadful threat. Organizations today must have access to threat intelligence and analysis that enables them to conduct efficient investigations, detect threats, and drive swift response.
Cyware Publisher

Publisher

Cyware