MuddyWater threat actors send MSP remote access tool via hacked corporate email accounts

Share post:

As part of a new spear-phishing campaign, the Iran-linked MuddyWater threat actor has been recognized trying to target numerous countries in the Middle East, as well as Central and West Asia. The group sends phishing messages to their targets via compromised corporate email accounts.

MuddyWater has previously used legitimate remote administration tools in its hacking activities. Researchers discovered campaigns from this group that used RemoteUtilities and ScreenConnect in 2020 and 2021. It typically conducts espionage operations in the Middle East, Asia, Europe, North America, and Africa against both public and private organizations (telcos, local governments, defense, and oil and gas companies).

MuddyWater’s long-standing tactic of using phishing lures with direct Dropbox links or document attachments with an embedded URL pointing to a ZIP archive file is used in the current intrusion set. The messages are sent from compromised corporate email accounts that are being sold on the darknet for $8 to $25 per account by webmail shops like Xleet, Odin, Xmina, and Lufix.

While the archive files previously contained installers for legitimate tools such as ScreenConnect and RemoteUtilities, the actor was seen switching to Atera Agent in July 2022 in an attempt to remain undetected.

However, the attack tactics have been reworked yet again to produce a different remote administration tool called Syncro, indicating that the campaign is being actively maintained and updated.

The integrated MSP software allows the adversary to fully control a machine, allowing them to perform intelligence gathering, deploy additional backdoors, and even sell access.

The sources for this piece include an article in Bleepingcomputer.

SUBSCRIBE NOW

Related articles

Hackers Plant False Memories in ChatGPT to Steal User Data

A security researcher has uncovered a vulnerability in ChatGPT that could allow hackers to store false information and...

“Octo2” Trojan Targets Bank Accounts by Posing as VPN or Chrome Apps on Android

A new malware variant called “Octo2” is spreading across Android devices by posing as popular apps like NordVPN...

Evilginx – Open source tool can bypass Multi-Factor Authentication (MFA)

Security vendor Abnormal Security is reporting a new cybersecurity tool that is gaining traction among cybercriminals. The tool,...

Kaspersky’s exit from US market frightens some customers

Kaspersky, the Russian cybersecurity firm, has unexpectedly removed its antivirus software from U.S. customers' computers, replacing it with...

Become a member

New, Relevant Tech Stories. Our article selection is done by industry professionals. Our writers summarize them to give you the key takeaways