Heimdal Security Blog

MuddyWater Threat Group Behind Email Phishing Attacks

A malicious group associated with Iran’s Ministry of Intelligence and Security (MOIS), MuddyWater, was reported to be responsible for delivering phishing messages through compromised corporate email accounts.

Armenia, Azerbaijan, Egypt, Iraq, Israel, Jordan, Oman, Qatar, Tajikistan, and the United Arab Emirates are among the countries targeted by this phishing campaign.

For MuddyWater, also known as Static Kitten and Mercury, this is not the first time it has used legitimate remote administration tools for malicious activity; it was previously reported to use similar techniques in 2020 and 2021.

MuddyWater’s New Cyberattack Explained

Researchers took notice of the new phishing campaign in October, but they suspect it has been ongoing since September.

Threat actors placed direct Dropbox links either in the email messages themselves or in HTML attachments in order to lure their victims. The latter is known to be the more effective technique for gaining trust when the victim knows the company that sent the mail. As HTML is mostly overlooked in phishing awareness training and simulations, it usually does not raise end-user suspicion.

Although antivirus and email security solutions can scan HTML, they tend to treat it as safer content and avoid blocking it.
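To show what the defender's side of this lure looks like, here is an added example (not from the article, nor any vendor's code) that parses a raw email and flags HTML attachments whose links point at a consumer file-sharing host; the host list, the function names and the sample message are all assumptions constructed for the example.

```python
# Added example (not from the article): flag HTML attachments that carry
# links to a consumer file-sharing host, the lure pattern described above.
# Runs offline on a constructed .eml; the host list is an assumption.
import re
from email import message_from_bytes
from email.policy import default
from urllib.parse import urlparse

# Hosts treated as suspicious when linked from an HTML attachment
# (assumed list; extend it for your own environment).
FILE_SHARING_HOSTS = {"dropbox.com", "dl.dropboxusercontent.com"}
HREF_RE = re.compile(r"""(?:href|src)\s*=\s*["']?([^"'\s>]+)""", re.I)

def links_in_html(html: str) -> list[str]:
    """Return every href/src target found in an HTML string."""
    return HREF_RE.findall(html)

def is_file_sharing_link(url: str) -> bool:
    """True when the URL's host is one of, or a subdomain of, the watched hosts."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == h or host.endswith("." + h) for h in FILE_SHARING_HOSTS)

def flag_html_attachments(raw_eml: bytes) -> list[dict]:
    """Parse an RFC 822 message and report HTML attachments linking to watched hosts."""
    msg = message_from_bytes(raw_eml, policy=default)
    hits = []
    for part in msg.walk():
        if part.get_content_type() != "text/html" or not part.is_attachment():
            continue  # the HTML body itself is ignored; the lure is the attached file
        bad = [u for u in links_in_html(part.get_content()) if is_file_sharing_link(u)]
        if bad:
            hits.append({"filename": part.get_filename(), "links": bad})
    return hits

# Constructed sample message (not a real capture) with an HTML "invoice" attached.
SAMPLE_EML = b"""\
From: finance@example-partner.test
To: user@example.test
Subject: Invoice
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="B1"

--B1
Content-Type: text/html; name="Invoice.html"
Content-Disposition: attachment; filename="Invoice.html"

<html><body><a href="https://www.dropbox.com/s/CONSTRUCTED/Invoice?dl=1">Open</a></body></html>
--B1--
"""
```

Running `flag_html_attachments(SAMPLE_EML)` returns one hit naming `Invoice.html` and its Dropbox link, while the same link placed in a plain HTML body (no attachment disposition) is not reported.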

It’s worth mentioning here that the messages are sent from already compromised corporate email accounts, which are offered for sale on the darknet by webmail shops such as Xleet, Odin, Xmina, and Lufix for anywhere from $8 to $25 per account.


However, the novelty of this attack lies in its use of the Syncro remote administration tool.

Was Syncro Used Before in Cyberattacks?

Managed Service Providers (MSPs) use Syncro to run their businesses, as it allows their agents to manage any kind of device that has the platform installed. MuddyWater is not the only group that has been exploiting Syncro; BatLoader and Luna Moth have used it too.

Researchers state that Syncro “offers a way to completely control a machine, allowing the adversary to conduct reconnaissance, deploy additional backdoors, and even sell access to other actors.”

MuddyWater is considered an espionage group affiliated with Iran’s Ministry of Intelligence and Security (MOIS) and has been active since at least 2017, according to cybersecurity specialists. Until now, its attacks were launched against telecommunication and oil companies, and government and defense institutions.
