
MuddyWater Phishing Campaigns Target MSPs Worldwide

Iran-linked MuddyWater APT group, also known as Static Kitten, has switched to a freely available remote administration tool in its recent hacking operations. According to a report published in October, the group has been using the legitimate Syncro tool in its spearphishing operations since at least September.

In March 2021, the group was observed abusing other remote administration tools common among MSPs, including RemoteUtilities and ScreenConnect.

Campaign overview

MuddyWater, in this campaign, uses phishing and spearphishing as initial access vectors, sending the messages from hijacked corporate email accounts.
  • According to Deep Instinct researchers, MuddyWater now abuses Syncro, an integrated business platform designed for MSPs.
  • It sends emails with an HTML file attachment containing the link to download the Syncro MSI installer, which is typically hosted either on Microsoft’s OneDrive file storage or on OneHub’s cloud storage.
  • Once Syncro is installed, it gives the attackers full control of the compromised system, which they can use to deploy backdoors for persistence and to steal data.
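The delivery chain described above (an HTML attachment carrying a link to an MSI installer hosted on OneDrive or OneHub) can be screened at the mail gateway. As an added example, not code from the report or from Deep Instinct, the following Python check extracts every link from an attached HTML file and flags those pointing at the named file-sharing hosts or at an MSI download. The hostname list and the sample attachment are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosting services the report names for the Syncro MSI installer; the exact
# hostnames are an assumption for this example, not taken from the report.
SHARE_HOSTS = ("onedrive.live.com", "1drv.ms", "onehub.com")

class LinkExtractor(HTMLParser):
    # Collect every href/src value found in the HTML attachment.
    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src") and value:
                self.links.append(value.strip())

def extract_links(html):
    parser = LinkExtractor()
    parser.feed(html)
    return parser.links

def host_matches(host):
    # Match the host itself or any subdomain; strip an explicit port first.
    host = host.lower().split(":")[0]
    return any(host == h or host.endswith("." + h) for h in SHARE_HOSTS)

def classify_attachment(html):
    """Return (link, reasons) for each link that deserves a closer look."""
    findings = []
    for link in extract_links(html):
        url = urlparse(link)
        if url.scheme not in ("http", "https"):
            continue
        reasons = []
        if host_matches(url.netloc):
            reasons.append("file-sharing host")
        if url.path.lower().endswith(".msi") or "syncro" in (url.path + url.query).lower():
            reasons.append("installer download")
        if reasons:
            findings.append((link, reasons))
    return findings

# Constructed sample attachment for the check, not a real lure from the campaign.
SAMPLE_HTML = """<html><body><p>Please review the attached document.</p>
<a href="https://onedrive.live.com/download?cid=EXAMPLE&amp;resid=EXAMPLE">Open</a>
<a href="https://ws.onehub.com/files/EXAMPLE/SyncroSetup.msi">Open</a>
<a href="https://www.example.com/about">About us</a></body></html>"""
```

Running `classify_attachment(SAMPLE_HTML)` flags the two file-sharing links and leaves the ordinary website link alone; in practice the flagged messages would be quarantined or routed for analyst review.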

Targets

The ongoing MuddyWater campaign is targeting organizations in several countries, including Armenia, Azerbaijan, Iraq, Jordan, Oman, Qatar, Tajikistan, and the UAE.
  • In one specific instance, it targeted two Egyptian hosting companies. The group breached one of them to send out phishing emails, and the other was the recipient of the malicious message.
  • In other instances, the group compromised an email account belonging to an entity in the Israeli hospitality industry and targeted multiple insurance companies in Israel.

Conclusion

MuddyWater has abused legitimate remote administration tools before, and with Syncro, a tool that many MSPs rely on in their businesses, the group becomes an even bigger threat. Organizations using such tools are advised to monitor for and manage this kind of abuse and to take precautionary measures.
Cyware Publisher