MSP remote access tool sent via MuddyWater phishing campaign
Deep Instinct researchers have uncovered a campaign by the hacker group known as MuddyWater, which has been linked to Iran’s Ministry of Intelligence and Security and typically engages in covert operations targeting both public and private organizations. The group uses compromised corporate emails to send phishing messages to targets in Armenia, Azerbaijan, Egypt, Iraq, Israel, Jordan, Oman, Qatar, Tajikistan, and the United Arab Emirates.
According to a Deep Instinct report, MuddyWater used Dropbox links or document attachments containing a URL that redirects to a ZIP archive as lures in its campaign, which also relied on compromised corporate email accounts. The attackers had previously included Remote Utilities and ScreenConnect installers in their archive files before switching to Atera Agent.
MuddyWater also employs Syncro, a remote administration tool designed for managed service providers (MSPs) that could give attackers complete machine control, allowing them to conduct reconnaissance, deliver additional backdoors, and sell access to other threat actors.
The first phishing emails were sent from genuine company email accounts that had been compromised by the hackers, but the phishing emails sent by the hacker group carried no company signatures. The target nevertheless trusted the email because it came from an authentic address belonging to a company they knew.
The hacker group attached an HTML file containing a link to download the Syncro MSI installer, reducing the risk of detection by security software and tools. The APT group used the HTML attachment as a lure and relied on third-party providers to host the archives containing the remote administration tool installers.
Furthermore, because the attachment is neither an archive nor an executable, it does not raise the user’s suspicions; HTML is frequently ignored in phishing training and simulations. HTML attachments are also routinely delivered to recipients without being blocked by antivirus or email security software.
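The delivery method described above, an HTML attachment whose only job is to point at an installer on a file-sharing service, is something a mail gateway or triage script can check for directly. The following is an added example, not code from the report or from any vendor product: it parses an HTML attachment with the Python standard library, collects every link target (both `<a href>` and `<meta http-equiv="refresh">` redirects), and flags links that point at the file-sharing hosts the report names (Dropbox, OneDrive) or that end in an installer or archive extension. The sample attachment and its URLs are constructed placeholders, not indicators from the campaign, and the host list and suffix list are assumptions a defender would tune to their own environment.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts the report names as storage for the lure files (Dropbox, OneDrive). A link to
# them is a triage signal, not proof of malice: legitimate mail uses them too.
FILE_SHARING_HOSTS = {
    "dropbox.com", "www.dropbox.com", "dl.dropboxusercontent.com",
    "onedrive.live.com", "1drv.ms",
}
# File types the report associates with the lure (MSI installer, ZIP archive); .exe added as an assumption.
INSTALLER_SUFFIXES = (".msi", ".zip", ".exe")


class LinkExtractor(HTMLParser):
    """Collect link targets from <a href> and <meta http-equiv="refresh"> redirects."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # HTMLParser lower-cases attribute names for us
        if tag == "a" and a.get("href"):
            self.links.append(a["href"].strip())
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            content = a.get("content", "")
            # content looks like "0; url=https://..." (case-insensitive, optionally quoted)
            idx = content.lower().find("url=")
            if idx != -1:
                self.links.append(content[idx + 4:].strip().strip("'\""))


def extract_links(html):
    """Return every link target found in the HTML, in document order."""
    parser = LinkExtractor()
    parser.feed(html)
    parser.close()
    return parser.links


def triage_html_attachment(html):
    """Return (url, reasons) for each link pointing at a file-sharing host or an installer."""
    findings = []
    for url in extract_links(html):
        parsed = urlparse(url)
        host = parsed.netloc.lower()
        reasons = []
        if host in FILE_SHARING_HOSTS:
            reasons.append("file-sharing host")
        if parsed.path.lower().endswith(INSTALLER_SUFFIXES):
            reasons.append("installer file type")
        if reasons:
            findings.append((url, reasons))
    return findings


# Constructed sample attachment, modelled on the lure the report describes; the
# URLs are placeholders, not real indicators from the campaign.
SAMPLE_ATTACHMENT = """<html><head>
<meta http-equiv="refresh" content="5; url=https://onedrive.live.com/download?cid=EXAMPLE">
</head><body>
<p>Please review the shared document.</p>
<a href="https://www.dropbox.com/s/EXAMPLE/SyncroSetup.msi?dl=1">Open document</a>
<a href="https://www.example-partner.test/about">About us</a>
</body></html>"""

if __name__ == "__main__":
    for url, reasons in triage_html_attachment(SAMPLE_ATTACHMENT):
        print(url, "->", ", ".join(reasons))
```

On the sample, the OneDrive redirect is flagged for its host alone and the Dropbox link for both its host and the `.msi` path, while the ordinary partner-site link passes. In practice the output is a review queue, not a verdict: a link to a file-sharing host from a sender the recipient knows is exactly the pattern the report describes, so the finding is best combined with sender-reputation and attachment-type rules at the gateway.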
The service was said to be hosted on Microsoft OneDrive file storage, while the earlier email was sent from the compromised email account of an Egyptian hosting company and the Syncro installer was stored on Dropbox.
The sources for this piece include an article in BleepingComputer.