A new MuddyWater threat campaign was discovered by Deep Instinct. MuddyWater, also known as Static Kitten and Mercury, is a cyber espionage group that’s most likely a subordinate element within Iran’s Ministry of Intelligence and Security (MOIS).
Since at least 2017 MuddyWater has targeted a range of government and private organizations across sectors, including telecommunications, local government, defense, and oil and natural gas organizations, in the Middle East, Asia, Africa, Europe, and North America.
MuddyWater has various campaigns that are entirely different from each other. In this post we will focus on the most recent changes and observations of their campaign which utilizes spearphishing with legitimate remote administration tools.
- Deep Instinct’s Threat Research team has identified a new campaign of the MuddyWater group.
- The campaign has been observed targeting Armenia, Azerbaijan, Egypt, Iraq, Israel, Jordan, Oman, Qatar, Tajikistan, and United Arab Emirates.
- The campaign exhibits updated TTPs to previously reported MuddyWater activity.
MuddyWater Exploiting Legitimate Tools
Previous research has shown that in 2020 MuddyWater sent spearphishing emails with direct links as well as PDF and RTF attachments containing links to archives hosted at “ws.onehub.com.”
Those archives contained the installer for “RemoteUtilities,” a legitimate remote administration tool.
Since the beginning of 2021, MuddyWater has been observed sending spearphishing emails containing either direct links or Word documents with links to archives hosted at “ws.onehub.com.”
The archives from 2021 contained installers for ScreenConnect, another legitimate remote administration tool.
In July 2022 a potential file related to this campaign was observed, but it contained Atera Agent instead of the usual ScreenConnect, potentially signaling the threat actor switched to another remote administration tool to avoid detection of their long running campaign.
A new discovery: The current MuddyWater campaign
The most recent MuddyWater campaign was observed by Deep Instinct in the beginning of October and possibly started in the September timeframe.
What makes this campaign different from previous waves is the use of a new remote administration tool named “Syncro.”￼
A new lure in the form of an HTML attachment was observed, along with the addition of other providers for hosting the archives containing the installers of the remote administration tool.
The previous July sample with ScreenConnect mentioned earlier, was named “promotion.msi.”
In the current campaign there was a sample that had few names; one of them was also “promotion.msi.”
The above ScreenConnect sample was communicating with “instance-q927ui-relay.screenconnect.com.” This instance was communicating with another MuddyWater MSI installer named “Ertiqa.msi” which is a name of a Saudi organization.
In the current wave, MuddyWater used the same name “Ertiqa.msi,” but with Syncro installer.
The target geolocations and sectors also align with previous targets of MuddyWater. Combined, these indicators provide us with enough proof to confirm that this is the MuddyWater threat group.
EXAMPLE #1: Egyptian Hosting Company
Direct links to Dropbox:
This mail was sent from an Egyptian data hosting company, unlike previous campaigns using OneHub. This time MuddyWater used Dropbox to host the archive with the Syncro installer:
HTML attachment leading to OneDrive:
On the same date the email with the Dropbox link was sent, MuddyWater sent another email from the same address of an Egyptian hosting company to another Egyptian hosting company.
Instead of embedding a direct link in the email message, an HTML attachment was sent. This is a well-known technique to build trust. The receiving end knows the company who sent the mail. The attachment is not an archive or an executable which doesn’t raise end-user suspicion because HTML is mostly overlooked in phishing awareness trainings and simulations.
HTML is considered “safer,” at least from an anti-virus (AV) and email security solutions point of view. Although those solutions have the ability to scan HTML, they are often still delivered to the recipients and not blocked.
The link inside the HTML file leads to OneDrive this time, hosting an archive containing Syncro MSI installer.
EXAMPLE #2: Israeli Hospitality Industry
In another example from early November, MuddyWater sent an email from a company in the Israeli hospitality industry to a wide number of contacts across different Israeli insurance companies:
In this mail the company from the hospitality industry is looking for insurance.
The text is written in Hebrew, but a native speaker will find it suspicious due to a poor choice of words.
Once again, the link leads to an archive hosted on OneDrive which contain Syncro MSI installer:
Despite those new TTPs, most of the Syncro installers are still hosted in OneHub:
What is unclear is whether or not MuddyWater gained full access to the email server or only the credentials to one email box. The emails are sent from legitimate corporate accounts. We see that in spite of the low level of sophistication that this tactic can be effective.
Syncro: A tool used by multiple threat actors
Syncro is a fully-featured platform for Managed Service Provider’s (MSPs) to run their business.
Syncro provides an agent for MSPs to manage any device that has Syncro installed with the custom-made provided MSI file that includes the customerID.
Syncro has a 21-day trial offer. You choose the subdomain to be used by your MSP:
While investigating some of the installers that MuddyWater used, we see that for each unique mail a new MSI was used. In most cases MuddyWater used a single subdomain with a single MSI installer.
It seems that most of the subdomains don’t have any useful meaning, although a few are clear:
- mohammadosman6060 and osmandembele4040 are football players
- netanyahu8585 and benet5050 are the current and former prime ministers of Israel
- Cham Wings is the name of a Syrian airline
The trial version contains the fully featured web GUI which allows complete control over a computer with the Syncro agent installed:
Those features are standard for remote administration tools, such as terminal with SYSTEM privileges, remote desktop access, full file system access, tasks, and services manager.
All those features combined with a signed MSI installer creates the perfect weapon for a threat actor to gain initial access and start performing recon on the target. Later, they enable the threat actors to deploy additional backdoors, exfiltrate files, or hand-off access to other threat actors. A threat actor that has access to a corporate machine via such capabilities has nearly limitless options.
We have recently described other dual-use tools that are being abused for malicious purposes. We recommend that security teams monitor for remote desktop solutions that are not common in the organization as they have a higher chance of being abused.
|Initial Access||T1566.001 Phishing: Spearphishing Attachment||MuddyWater has compromised third parties and used compromised accounts to send spearphishing emails with targeted attachments to recipients.||aaa9db79b5d6ba319e24e6180a7935d6|
|Initial Access||T1566.002 Phishing: Spearphishing Link||MuddyWater has compromised third parties and used compromised accounts to send spearphishing emails containing links to legitimate domains hosting archives with remote management software.||d1b4ca2933f49494b4400d5bf5ab502e|
|Command and Control||T1219 Remote Access Software||MuddyWater has used a legitimate application, Syncro, to manage systems remotely and move laterally.||2ed6ebaa28a9bfccc59c6e89a8990631|
|Resource Development||T1588.002 Obtain Capabilities: Tool||MuddyWater has used a legitimate application, Syncro, to manage systems remotely and move laterally.||2ed6ebaa28a9bfccc59c6e89a8990631|
|Resource Development||T1583.006Acquire Infrastructure: Web Services||MuddyWater has used file sharing services including OneHub, Dropbox, and OneDrive to distribute tools.||https://urlscan.io/result/c6f46810-ee19-47b4-8717-40dc09b4ea09/
– archived scan of a Dropbox URL containing an archive with Syncro installer.
Autor: Simon Kenin, THREAT INTELLIGENCE RESEARCHER