MuddyWater APT Uses ScreenConnect to Spy on Middle East Governments

Security experts from Anomali have revealed a targeted cyber-espionage operation aimed at the United Arab Emirates (UAE) and Kuwait governments. The malicious campaign was launched by an Iranian state-sponsored actor known as MuddyWater (Static Kitten, MERCURY, Seedworm). According to the researchers, adversaries relied on the legitimate software tool ConnectWise Control (formerly ScreenConnect) to move laterally across the compromised networks and deliver malware to victims.

MuddyWater Attack Kill Chain

The new MuddyWater campaign is a subsequent step of the ongoing malicious activity aimed to interfere with the UAE and Israel political decisions. Throughout 2020, the relations between the two governments evolved towards normalization, becoming a ground for increased tensions in the region. Iran-linked hackers continuously attacked the Kuwaiti Ministry of Foreign Affairs (MOFA) after it announced the intent to lead the mediation process between Saudi Arabia and Iran. Also, in October 2020, MuddyWater threat actors launched Operation Quicksand to compromise major Israeli vendors.

The latest MuddyWater attack against UAE and Kuwait government institutions starts with a phishing email containing decoy documents attached. The documents prompt users to follow the malicious downloader links, that if clicked, redirect victims to the OneHub cloud storage. Two separate ZIP files hosted there purport to be a report on UAE-Israel relationships and a scholarship announcement. The lures are specifically crafted to be a point of interest to the government employees. Once opened and executed, the files drop the ConnectWise Control payload to the victim’s device.

ScreenConnect and OneHub Abused for Cyber-Espionage

Threat actors increasingly rely on legitimate remote administration tools to enhance their lateral movement and reconnaissance capabilities. MuddyWater doesn’t stand aside from this trend, abusing ScreenConnect to spy on its victims and deliver malicious executables.

ScreenConnect (now acquired by ConnectWise Inc.) is fully functional remote support software that delivers remote viewing and control of devices from anywhere with an Internet connection. During the latest MuddyWater campaign, this tool was used to achieve persistence, move laterally across the compromised network, maintain communication with the attacker’s server, and execute arbitrary commands, facilitating data dumping and cyber-espionage activities. 

Another legitimate service abused during this campaign is OneHub cloud storage. MuddyWater increasingly misuses OneHub starting from Operation QuickSand, when attackers leveraged it to store the malicious payloads. Other threat actors were also spotted utilizing the cloud service for various malicious purposes. For example, OneHub was used in multiple malspam campaigns to host the malicious files.

Detecting Malicious Activity

To facilitate the proactive defense against MuddyWater attacks, you might download a fresh Sigma rule from our Threat Bounty developer Osman Demir:

https://tdm.socprime.com/tdm/info/XjR7cj7ALBDc/ufscp3cBR-lx4sDxS-vh/#rule-source-code

The rule has translations to the following platforms: 

SIEM: Azure Sentinel, ArcSight, QRadar, Splunk, Graylog, Sumo Logic, ELK Stack, LogPoint, Humio, RSA NetWitness, FireEye Helix

EDR: Carbon Black

MITRE ATT&CK: 

Tactics: Discovery 

Techniques: Query Registry (T1012), System Information Discovery (T1082)

Actor: MuddyWater

Stay tuned for more blog updates not to miss the latest detections related to MuddyWater activities. 

Sign up to Threat Detection Marketplace and reach the industry-leading SOC content library with 90,000+ Detection and Response rules. The content base enriches every day with the joint efforts of our international community of 300+ security performers. Want to become a part of our threat hunting initiatives? Join Threat Bounty Program!