ClickCease MSP remote access tool sent via MuddyWater phishing campaign

Join Our Popular Newsletter

Join 4,500+ Linux & Open Source Professionals!

2x a month. No spam.

MSP remote access tool sent via MuddyWater phishing campaign

Obanla Opeyemi

December 19, 2022 - TuxCare expert team

Deep Instincts researchers have uncovered a hacker group known as MuddyWater, which has been linked to Iran’s Ministry of Intelligence and Security and typically engages in covert operations operations targeting both public and private organizations, uses compromised corporate emails to send phishing messages to targets in Armenia, Azerbaijan, Egypt, Iraq, Israel, Jordan, Oman, Qatar, Tajikistan, and the United Arab Emirates.

According to a Deep Instinct report, MuddyWater used Dropbox links or document attachments with a URL redirecting to a ZIP archive file as lures in its campaign, which also included the use of compromised corporate email accounts. Attackers have also switched to Atera Agent after including Remote Utilities and ScreenConnect installers in their archive files.

MuddyWater also employs Syncro, a remote administration tool designed for managed service providers (MSPs) that could give attackers complete machine control, allowing them to conduct reconnaissance, deliver additional backdoors, and sell access to other threat actors.

The first phishing emails were sent from genuine company email accounts that had been attacked by the hackers, but there were no company signatures on the phishing emails sent by the hacker group. The target, however, trusted the email because it came from an authentic address belonging to a company they knew.

The hacker group attached an HTML file with a link to download the Syncro MSI Installer to reduce the risk of being detected by security software/tools. The APT group used an HTML attachment as a lure and used third-party providers to host the archives containing the remote administration tool installers.

Furthermore, the attachment is not an archive or an executable, which does not raise the user’s suspicions because HTML is frequently ignored in phishing training and simulations. Also, because HTML attachments are frequently delivered to recipients and are not blocked by antivirus or email security software.

The service was said to be hosted on Microsoft OneDrive file storage, and the previous email was sent from the Egyptian hosting company’s compromised email account, and the Syncro installer was stored in Dropbox.

The sources for this piece include an article in BleepingComputer.

MSP remote access tool sent via MuddyWater phishing campaign
Article Name
MSP remote access tool sent via MuddyWater phishing campaign
Deep Instincts researchers have uncovered a hacker group known as Muddy Water, linked to to Iran's Ministry of Intelligence and Security.
Publisher Name
Publisher Logo

Looking to automate vulnerability patching without kernel reboots, system downtime, or scheduled maintenance windows?

Learn About Live Patching with TuxCare

Related Articles

How GPT models can be...

According to CyberArk researchers, GPT-based models like ChatGPT can be...

January 30, 2023

Attackers actively exploit Unpatched Control...

Malicious hackers have started exploiting a critical vulnerability CVE-2022-44877 in...

January 27, 2023

Attackers distribute malware via malicious...

Deep Instinct researchers reported that RATs like StrRAT and Ratty...

January 26, 2023

CircleCI partners AWS to identify...

According to CircleCI’s CTO, Rob Zuber, CircleCI is working with...

January 25, 2023

Cisco warns of authentication bypass...

A remote attacker could exploit multiple vulnerabilities in four Cisco...

January 24, 2023

IceID malware infiltrates Active Directory...

In a notable IcedID malware attack, the assailant impacted the...

January 23, 2023