Iranian Hackers Utilize ScreenConnect to Spy On UAE, Kuwait Government Agencies

    UAE and Kuwait government agencies are targets of a new cyberespionage campaign possibly carried out by Iranian threat actors, according to new research.

    Attributing the operation to Static Kitten (aka MERCURY or MuddyWater), Anomali said the “aim of this exercise is to put in a remote administration tool called ScreenConnect (obtained by ConnectWise 2015) with special launch parameters that have custom qualities,” with malware samples and URLs masquerading as the Ministry of Foreign Affairs (MOFA) of Kuwait and the UAE National Council.

    Since its origins in 2017, MuddyWater has been tied to a number of attacks primarily against Middle Eastern nations, actively exploiting the Zerologon vulnerability in real-world attack campaigns to strike prominent Israeli businesses with destructive payloads.

    The state-sponsored hacking group is believed to be operating at the behest of Iran’s Islamic Revolutionary Guard Corps, the country’s primary intelligence and military service.

    Anomali said it observed two separate lure ZIP files hosted on Onehub that claimed to contain a report on relations between Arab nations and Israel or a file relating to scholarships.

    “The URLs distributed through these phishing e-mails direct recipients to the intended file storage place on Onehub, a legitimate service known to be utilized by Static Kitten for nefarious needs,” the researchers noted, adding “Static Kitten is continuing to use Onehub to host a file that contains ScreenConnect.”

    The attack begins with a phishing email that directs users to a downloader URL pointing to these ZIP files. When opened, the ZIP file launches the installation process for ScreenConnect, which is then used to communicate with the adversary. The URLs themselves are distributed by way of decoy files embedded in the email messages.

    ConnectWise Manage (previously known as ScreenConnect) is a self-hosted remote desktop software application with support for unattended access and meetings with screen-sharing features.

    The ultimate goal of the attackers, it seems, is to use the software to connect to endpoints on client networks, enabling them to perform further lateral movement and execute arbitrary commands in target environments in a bid to facilitate data theft.

    “Employing authentic software program for malicious purposes can be an efficient way for menace actors to obfuscate their operations,” the researchers concluded. “In this latest instance, Static Kitten is very likely working with functions of ScreenConnect to steal sensitive information and facts or obtain malware for added cyber operations.”
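
For defenders, one way to triage this technique is to read the client's launch parameters from process-creation logs and flag ScreenConnect clients that connect to a relay the organization does not operate. This is an added example, not code from Anomali or the original report; the query-string command-line layout (`h`, `p`, `c` parameters), the allowlist and the sample events are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs

# Relay hosts the organization itself operates (hypothetical allowlist).
APPROVED_RELAYS = {"remote.corp.example"}

# Assumed layout: the client service is started with one query-string-style
# argument ("?e=Access&y=Guest&h=<relay>&p=<port>&c=<custom property>...").
CLIENT_RE = re.compile(
    r'ScreenConnect\.ClientService\.exe"?\s+"?\?(?P<qs>[^"\s]+)', re.I)

def parse_launch(cmdline):
    """Return the launch parameters of a ScreenConnect client, or None."""
    m = CLIENT_RE.search(cmdline)
    if not m:
        return None
    qs = parse_qs(m.group("qs"), keep_blank_values=True)
    return {
        "relay": qs.get("h", [""])[0].lower(),
        "port": qs.get("p", [""])[0],
        # Custom properties are repeated c= values; empty ones are dropped.
        "custom": [v for v in qs.get("c", []) if v],
    }

def triage(events):
    """Return (host, relay, custom) for clients pointing at unapproved relays."""
    findings = []
    for host, cmdline in events:
        launch = parse_launch(cmdline)
        # A client with a missing relay value is also reported (relay == "").
        if launch and launch["relay"] not in APPROVED_RELAYS:
            findings.append((host, launch["relay"], launch["custom"]))
    return findings

# Constructed process-creation events (hostname, command line).
SAMPLE_EVENTS = [
    ("WS-014", r'"C:\Program Files (x86)\ScreenConnect Client (0a1b2c3d)\ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=remote.corp.example&p=8041&c=HelpDesk&c=&c="'),
    ("WS-022", r'"C:\Users\a\AppData\Local\Temp\ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=relay.unknown.example&p=443&c=ministry&c=lure-name"'),
    ("WS-031", r'"C:\Windows\System32\svchost.exe" -k netsvcs'),
]

if __name__ == "__main__":
    for host, relay, custom in triage(SAMPLE_EVENTS):
        print(f"{host}: unapproved ScreenConnect relay {relay!r}, custom properties {custom}")
```

Feed it command lines exported from EDR or process-creation audit logs; a legitimately deployed client on the approved relay passes silently, while the same signed binary pointed elsewhere is reported.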
