Hackers use corporate emails to send MSP remote access tool in phishing operation

Hackers from MuddyWater, a group associated with Iran’s Ministry of Intelligence and Security (MOIS), used compromised corporate email accounts to send phishing messages to their targets.

The group adopted the new tactic in a campaign that could have started in September but was not observed until October and combined the use of a legitimate remote administration tool.

From one MSP tool to another

MuddyWater has used legitimate remote administration tools for its hacking activities in the past. Researchers found campaigns from this group in 2020 and 2021 that relied on RemoteUtilities and ScreenConnect.

In another campaign in July, the pirates continued this tactic but switched to Atera, because highlighted by Simon Keninsecurity researcher at Deep Instinct.

Deep Instinct researchers captured a new MuddyWater campaign in October that used Syncroa remote administration tool designed for managed service providers (MSPs).

Kenin notes in a report today that the initial infection vector is phishing sent from a legitimate corporate email account that hackers have compromised.

MuddyWater Campaign Preview
MuddyWater Campaign Preview
source: Deep Instinct

The researcher told BleepingComputer that even though the company’s official signature was missing from the phishing message, victims still trusted the email because it came from a legitimate address belonging to a company they know. .

Among the targets of this campaign are two Egyptian hosting companies, one of which was hacked to send phishing emails. The other was the recipient of the malicious message.

“It’s a known technique for building trust. The recipient knows the company that sent the mail,” Kenin explains in a report today.

To reduce the chances of being detected by email security solutions, the attacker attached an HTML file containing the link to download the Syncro MSI installer.

“Attachment is not an archive or executable that does not arouse end-user suspicion as HTML is typically overlooked in phishing awareness trainings and simulations” – Deep Instinct

The tool was hosted on Microsoft’s OneDrive file storage. A previous message sent from the Egyptian hosting company’s compromised email account stored the Syncro installer on Dropbox.

However, the researcher claims that most of the Syncro installers used by MuddyWater are hosted on OneHub’s cloud storage, a service the actor has used for his hacking campaigns in the past.

Syncro has been used by other threat actors such as BatLoader and LunaMoth. The tool has a 21-day trial version that comes with the full web interface and offers full control of a computer with the Syncro Agent installed.

Once on the target system, attackers can use it to deploy backdoors to establish persistence as well as steal data.

Other targets of this MuddyWater campaign include several insurance companies in Israel. The actor used the same tactic and sent the emails from a hacked email account belonging to an Israeli hospitality industry entity.

Under the guise of seeking insurance, the hackers added an HTML attachment with a link to the Syncro installer hosted on OneDrive.

MuddyWater phishing email sent to insurance companies
MuddyWater phishing email targeting insurance companies in Israel
source: Deep Instinct

Kenin observes that even though the email was written in Hebrew, a native speaker could spot the red flags due to poor word choice.

MuddyWater’s tactics aren’t particularly sophisticated, but show that freely available tools can be effective for hacking operations.

The actor is followed by different names (Static Kitten, Cobalt Ulster, Mercury) and has been active since at least 2017.

It typically engages in espionage operations that target both public and private organizations (telecoms, local governments, defense, oil and gas companies) in the Middle East, Asia, Europe, North America and in Africa.


Source link