Iranian hacking group uses compromised email accounts to distribute MSP remote access tool

Researchers have uncovered a new campaign by hacking group MuddyWater, aka Static Kitten, in which a legitimate remote access tool is sent to targets from a compromised email account. The targets in this campaign are reportedly in Armenia, Azerbaijan, Egypt, Iraq, Israel, Jordan, Oman, Qatar, Tajikistan, and the United Arab Emirates.

MuddyWater is suspected of being associated with Iran’s Ministry of Intelligence and Security. The group is tracked by various vendors under other names such as Boggy Serpens, Cobalt Ulster, Earth Vetala, Mercury, Seedworm, Static Kitten, and TEMP.Zagros. The group is believed to have targeted a variety of government and private organizations across various sectors, including telecommunications, local governments, defense, oil, and natural gas.

Over the years, the group has deployed many different tactics, including Log4Shell attacks. Its most common method is to send targeted phishing emails with links to malware hosted on legitimate services like Dropbox and Onehub.

Compromised accounts

The emails are sent from compromised accounts, which is a way to establish a level of trust without requiring a high skill level on the attacker’s side. In a targeted attack, the recipient knows the company or maybe even the person who allegedly sent the mail. Compromised email accounts can be bought on Dark Web markets for a relatively low fee (price range is $8-$25).

The downloaded files contain an installer for the agent of a remote access tool. Remote access tools, or remote control software, let you remotely control one computer from another. The remote control features of some of these tools give the controller the feeling they are working directly on the remote system, along with a high level of control. For this reason, they are often installed by managed service providers (MSPs) to remotely troubleshoot or administer their clients’ systems.

Syncro

In the past, MuddyWater used ScreenConnect, RemoteUtilities, and Atera Agent, but in the current campaign the group has switched to Syncro, an integrated business platform for MSPs. The trial version of Syncro that the threat actor distributed contains the fully featured web interface, which allows complete control over a computer with the Syncro agent installed. Those features include a terminal with SYSTEM privileges, remote desktop access, full file system access, and task and service managers—ideal for an attacker to expand their foothold across the target’s network.

Mitigation

This threat actor uses legitimate services and tools to gain initial access and do reconnaissance of the target network, so its activity can be hard to distinguish from normal administration and is therefore hard to detect.

The article by Deep Instinct contains a list of IOCs and TTPs. In general, we can only repeat:

  • Don’t click on links or open unexpected attachments, even if they seem to come from someone you know.
  • While there could be legitimate reasons for the presence of remote access tools, make sure you know who installed them and why. And monitor their actions.
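One way to put the second point into practice is to audit endpoint inventory for the remote access tools named above and flag any that no one approved for that host, or that were installed by an unexpected account. The following is an added example, not code from the original post or from Malwarebytes; the host names, product names, and installer accounts are constructed placeholders, and a real allowlist would come from the MSP's change records.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Remote access / RMM tools this page names as used by MuddyWater.
# Matched as case-insensitive substrings of the reported product name.
RAT_PATTERNS = {
    "ScreenConnect": re.compile(r"screenconnect", re.I),
    "RemoteUtilities": re.compile(r"remote\s*utilities", re.I),
    "Atera": re.compile(r"atera", re.I),
    "Syncro": re.compile(r"syncro", re.I),
}

@dataclass
class InstalledProduct:
    host: str
    name: str          # product/service display name reported by the endpoint
    installed_by: str  # account that performed the install

# Allowlist: (host, tool) -> account expected to have installed it.
# Constructed for this example.
APPROVED = {
    ("FS01", "Atera"): "MSP\\svc-atera",
}

def classify(product: InstalledProduct) -> Optional[str]:
    """Return the tool family if the product looks like a known remote access tool."""
    for tool, pattern in RAT_PATTERNS.items():
        if pattern.search(product.name):
            return tool
    return None

def audit(inventory: list, approved: dict) -> list:
    """Flag remote access tools that are unapproved for the host or installed by the wrong account."""
    findings = []
    for p in inventory:
        tool = classify(p)
        if tool is None:
            continue  # not a remote access tool we track
        expected = approved.get((p.host, tool))
        if expected is None:
            findings.append({"host": p.host, "tool": tool, "reason": "not approved for this host"})
        elif expected.lower() != p.installed_by.lower():
            findings.append({"host": p.host, "tool": tool,
                             "reason": f"installed by {p.installed_by}, expected {expected}"})
    return findings

# Constructed sample inventory; product names are placeholders, not real service names.
SAMPLE_INVENTORY = [
    InstalledProduct("FS01", "Atera Agent", "MSP\\svc-atera"),
    InstalledProduct("WS-042", "Syncro Agent (trial)", "CORP\\jdoe"),
    InstalledProduct("WS-042", "Google Chrome", "NT AUTHORITY\\SYSTEM"),
    InstalledProduct("FS01", "ScreenConnect Client", "CORP\\svc-backup"),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_INVENTORY, APPROVED):
        print(finding)
```

Feed it the output of whatever inventory source you already have (software inventory, service list, EDR export) and review every finding against who requested the install and when.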

ABOUT THE AUTHOR

Pieter Arntz

Malware Intelligence Researcher

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.