As part of a new spear-phishing campaign, the Iran-linked MuddyWater threat actor has been recognized trying to target numerous countries in the Middle East, as well as Central and West Asia. The group sends phishing messages to their targets via compromised corporate email accounts.
MuddyWater has previously used legitimate remote administration tools in its hacking activities. Researchers discovered campaigns from this group that used RemoteUtilities and ScreenConnect in 2020 and 2021. It typically conducts espionage operations in the Middle East, Asia, Europe, North America, and Africa against both public and private organizations (telcos, local governments, defense, and oil and gas companies).
MuddyWater’s long-standing tactic of using phishing lures with direct Dropbox links or document attachments with an embedded URL pointing to a ZIP archive file is used in the current intrusion set. The messages are sent from compromised corporate email accounts that are being sold on the darknet for $8 to $25 per account by webmail shops like Xleet, Odin, Xmina, and Lufix.
While the archive files previously contained installers for legitimate tools such as ScreenConnect and RemoteUtilities, the actor was seen switching to Atera Agent in July 2022 in an attempt to remain undetected.
However, the attack tactics have been reworked yet again to produce a different remote administration tool called Syncro, indicating that the campaign is being actively maintained and updated.
The integrated MSP software allows the adversary to fully control a machine, allowing them to perform intelligence gathering, deploy additional backdoors, and even sell access.
The sources for this piece include an article in Bleepingcomputer.