
New Infrastructure of MuddyWater APT Group Uncovered

For the last few years, the Iran-based MuddyWater threat actor group has been using various legitimate remote control tools, such as ScreenConnect, RemoteUtilities, and Syncro, to avoid detection. In the fall of 2022, the APT group added yet another legitimate tool, SimpleHelp, to ensnare more victims.

Key findings

According to Group-IB researchers, MuddyWater used the SimpleHelp remote control tool for the first time on June 30, 2022.
  • The APT uses the tool to take control of the victim’s device and maintain persistence while avoiding detection by traditional security tools.
  • In addition to connecting remotely, the tool also enables attackers to execute various commands on the victim’s device, including those that require administrator privileges.
  • The attackers have also been linked to multiple publicly known IP addresses that were used in different attacks against organizations in the Middle East. 

Infection method

  • The attackers sent phishing emails containing links to file storage systems such as OneDrive, Dropbox, or OneHub to download SimpleHelp installers.
  • Once the tool is installed, the group uses it to gain access to the compromised system and later deploys the final payloads.

Another new finding from Microsoft

  • Last week, Microsoft shared details of a new espionage campaign by DEV-1084, a financially motivated cybercriminal group connected to MuddyWater.
  • The attackers used an IP address and a VPN provider, previously used by MuddyWater, to launch destructive attacks disguised as ransomware. 
  • The attack also involved the use of web shells, legitimate tools, PowerShell scripts, and administrative user accounts.

Conclusion

Researchers have shared a list of IP addresses hosting SimpleHelp instances used by MuddyWater. While many details of the attack campaign remain unknown, organizations are recommended to use network indicators and email security tools to proactively block the malicious IP addresses.
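As an added example (not part of the article, and not tooling from Group-IB or Microsoft), the script below applies the recommendation above to constructed log events: it matches the three stages described in this article (a phishing link to a file-sharing service, a SimpleHelp installer download, and an outbound connection to a listed IP) and ranks hosts accordingly. The IoC IPs, the file-sharing domain patterns, the installer filename pattern and the log format are all assumptions; the real IP list is the one published by the researchers.

```python
"""Triage hosts against the MuddyWater/SimpleHelp chain described above.

Constructed example: log lines, domain patterns and IoC IPs are placeholders,
not the indicators published by Group-IB.
"""
import re
from collections import defaultdict

# Placeholder blocklist (RFC 5737 test addresses): substitute the published IP list.
IOC_IPS = {"203.0.113.10", "198.51.100.7"}
# File-sharing services named in the article; the exact domain patterns are assumed.
SHARE_HOSTS = re.compile(r"(onedrive\.live\.com|1drv\.ms|dropbox\.com|onehub\.com)", re.I)
# Assumed naming pattern for a SimpleHelp remote-access installer.
RAT_INSTALLER = re.compile(r"simplehelp|remote\s*access", re.I)

# Constructed events, one per line: "<kind> <host> <value>".
SAMPLE_LOG = """\
mail wks-01 https://1drv.ms/u/s!constructed-share-link
download wks-01 SimpleHelp-Remote-Access.exe
connect wks-01 203.0.113.10:443
mail wks-02 https://example.com/newsletter
connect wks-02 192.0.2.50:443
connect wks-03 198.51.100.7:443
mail wks-04 https://www.dropbox.com/s/constructed/report.pdf
"""


def triage(log: str) -> dict[str, list[str]]:
    """Return {host: [matched stages, in log order]} for hosts with at least one hit."""
    hits: dict[str, list[str]] = defaultdict(list)
    for line in log.splitlines():
        kind, host, value = line.split(maxsplit=2)
        if kind == "mail" and SHARE_HOSTS.search(value):
            hits[host].append("share-link")
        elif kind == "download" and RAT_INSTALLER.search(value):
            hits[host].append("rat-installer")
        elif kind == "connect" and value.rsplit(":", 1)[0] in IOC_IPS:
            hits[host].append("ioc-ip")
    return dict(hits)


def priority(stages: list[str]) -> str:
    """Contact with a listed IP alone warrants a block; installer plus IoC contact is an incident."""
    seen = set(stages)
    if {"rat-installer", "ioc-ip"} <= seen:
        return "incident"
    return "block" if "ioc-ip" in seen else "review"


if __name__ == "__main__":
    for host, stages in triage(SAMPLE_LOG).items():
        print(f"{host}: {priority(stages)} {stages}")
```

A share link alone is only "review" because OneDrive, Dropbox and OneHub are routinely used for legitimate traffic; the IP match is what justifies an automatic block.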
Cyware Publisher
