U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|
Advertisement

Ad Placeholder

Full Width × 90

APT

MuddyWater APT group is back with updated TTPs

The Iran-linked MuddyWater APT is targeting countries in the Middle East as well as Central and West Asia in a new campaign. Deep Instinct’s Threat Research team uncovered a new campaign conducted by the MuddyWater APT (aka SeedWorm, TEMP.Zagros, and Static Kitten) that was targeting Armenia, Azerbaijan, Egypt, Iraq, Israel, Jordan, Oman, Qatar, Tajikistan, and United Arab Emirates. The […]

MuddyWater

The Iran-linked MuddyWater APT is targeting countries in the Middle East as well as Central and West Asia in a new campaign.

Deep Instinct’s Threat Research team uncovered a new campaign conducted by the MuddyWater APT (aka SeedWormTEMP.Zagros, and Static Kitten) that was targeting Armenia, Azerbaijan, Egypt, Iraq, Israel, Jordan, Oman, Qatar, Tajikistan, and United Arab Emirates.

The experts pointed out that the campaign exhibits updated TTPs.

The first MuddyWater campaign was observed in late 2017 when targeted entities in the Middle East.

The group evolved over the years by adding new attack techniques to its arsenal. Over the years the APT group also has also targeted European and North American nations. In January, US Cyber Command (USCYBERCOM) officially linked the MuddyWater APT group to Iran’s Ministry of Intelligence and Security (MOIS).

The campaign observed by Deep Instinct started in September differs from past ones for the use of a new remote administration tool named “Syncro.” MuddyWater is not the only threat actor abusing Syncro, the tool has also been employed in BatLoader and Luna Moth campaigns

The APT group used an HTML attachment as a lure and used additional providers for hosting the archives containing the installers of the remote administration tool.

HTML attachments are often delivered to the recipients and not blocked by antivirus and email security solutions.

In July, the threat actors were spotted using the ScreenConnect remote administration tool delivered using an installer named “promotion.msi.” The name “promotion.msi” was also used for the installers employed in the current campaign.

“The above ScreenConnect sample was communicating with “instance-q927ui-relay.screenconnect.com.” This instance was communicating with another MuddyWater MSI installer named “Ertiqa.msi” which is a name of a Saudi organization. In the current wave, MuddyWater used the same name “Ertiqa.msi,” but with Syncro installer.” reads the Deep Instinct’s analysis. “The target geolocations and sectors also align with previous targets of MuddyWater. Combined, these indicators provide us with enough proof to confirm that this is the MuddyWater threat group.”

MuddyWater

Syncro has a 21-day trial offer that provides a fully featured web GUI to completely control a computer.

“You choose the subdomain to be used by your MSP.” continues the report. “While investigating some of the installers that MuddyWater used, we see that for each unique mail a new MSI was used. In most cases MuddyWater used a single subdomain with a single MSI installer.”

The experts also shared Indicators of Compromise (IoCs) for the recent campaign.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, MuddyWater)

[adrotate banner=”5″]

[adrotate banner=”13″]