MuddyWater APT hackers update TTPs to target organizations across Asia, Middle East countries, Deep Instinct reports

The threat research team at Deep Instinct identified a new campaign of the MuddyWater APT (advanced persistent threat) group that has been observed targeting Armenia, Azerbaijan, Egypt, Iraq, Israel, Jordan, Oman, Qatar, Tajikistan, and the United Arab Emirates. The campaign exhibits updated TTPs compared with previously reported MuddyWater activity.

“The most recent MuddyWater campaign was observed by Deep Instinct in the beginning of October and possibly started in the September timeframe,” Simon Kenin, Deep Instinct’s threat intelligence researcher, wrote in a company blog post. “What makes this campaign different from previous waves is the use of a new remote administration tool named ‘Syncro.’”

A new lure in the form of an HTML attachment was observed, along with the addition of other providers for hosting the archives containing the installers of the remote administration tool, according to Kenin. “The previous July sample with ScreenConnect mentioned earlier was named ‘promotion.msi.’ In the current campaign, there was a sample that had a few names; one of them was also ‘promotion.msi,’” he added.

Kenin said that the above ScreenConnect sample was communicating with ‘instance-q927ui-relay.screenconnect.com,’ and that the same instance was also communicating with another MuddyWater MSI installer named ‘Ertiqa.msi,’ the name of a Saudi organization. “In the current wave, MuddyWater used the same name ‘Ertiqa.msi,’ but with Syncro installer. The target geolocations and sectors also align with previous targets of MuddyWater. Combined, these indicators provide us with enough proof to confirm that this is the MuddyWater threat group,” he added.

MuddyWater is a cyber espionage group assessed to be a subordinate element within Iran’s Ministry of Intelligence and Security (MOIS). Since at least 2017, MuddyWater has targeted a range of government and private organizations across sectors, including telecommunications, local government, defense, and oil and natural gas organizations, in the Middle East, Asia, Africa, Europe, and North America.

Earlier research showed that in 2020 MuddyWater sent spearphishing emails with direct links as well as PDF and RTF attachments containing links to archives hosted at ‘ws.onehub.com.’ Those archives contained the installer for ‘RemoteUtilities,’ a legitimate remote administration tool.

“Since the beginning of 2021, MuddyWater has been observed sending spearphishing emails containing either direct links or Word documents with links to archives hosted at ‘ws.onehub.com,’” Kenin wrote. “The archives from 2021 contained installers for ScreenConnect, another legitimate remote administration tool. This activity was observed intermittently through the end of 2021 and until July 2022.”

In July 2022, a file potentially related to the campaign was observed, but it contained Atera Agent instead of the usual ScreenConnect, potentially signaling that the threat actor had switched to another remote administration tool to avoid detection of its long-running campaign, according to Kenin.

In one case involving an Egyptian hosting company, Kenin showed an email that contained direct links to Dropbox. “This mail was sent from an Egyptian data hosting company, unlike previous campaigns using OneHub. This time MuddyWater used Dropbox to host the archive with the Syncro installer.”

“On the same date the email with the Dropbox link was sent, MuddyWater sent another email from the same address of an Egyptian hosting company to another Egyptian hosting company,” Kenin explained. Instead of embedding a direct link in the email message, an HTML attachment was sent. Sending the mail from a legitimate account at a company the recipient already knows is a well-known technique to build trust: the receiving end knows the company that sent the mail. An attachment that is neither an archive nor an executable does not raise end-user suspicion, because HTML is mostly overlooked in phishing awareness training and simulations, he added.

HTML is considered ‘safer,’ at least from the point of view of anti-virus (AV) and email security solutions: although those products can scan HTML, such attachments are often still delivered to recipients rather than blocked. The HTML itself is very small; its main function is most likely to bypass email security solutions that rewrite every link in the message body into a ‘safe’ link, since that rewriting typically applies to the body and not to links inside an attached file. This time the link inside the HTML file led to OneDrive, hosting an archive containing a Syncro MSI installer, Kenin added.
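The detection logic implied by the two paragraphs above, written as an added example for this page (it is not Deep Instinct's code and not a sample from the campaign): pull every navigation target out of an HTML attachment, including markup-free redirects such as meta refresh and `window.location`, and flag links that point at a file-sharing provider or end in an archive or MSI extension. The host list, the size threshold and the two sample attachments are assumptions constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosting providers the article names as abused for staging the archives.
# Assumed match list for this example; extend it from your own mail telemetry.
FILE_SHARE_HOSTS = ("onehub.com", "dropbox.com", "1drv.ms", "onedrive.live.com", "sharepoint.com")
# File types seen in the campaign: archives wrapping a signed MSI installer.
PAYLOAD_EXTENSIONS = (".zip", ".rar", ".7z", ".msi")

# Redirects driven by script rather than markup (assumed patterns, not exhaustive).
SCRIPT_URL_RE = re.compile(
    r"""(?:location(?:\.href)?\s*=|location\.replace\(|window\.open\()\s*['"]([^'"]+)['"]""", re.I)


class LinkExtractor(HTMLParser):
    """Collects every navigation target an HTML attachment can carry in markup:
    anchors, iframes, form actions and meta-refresh redirects."""

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag in ("a", "area") and a.get("href"):
            self.urls.append(a["href"])
        elif tag == "iframe" and a.get("src"):
            self.urls.append(a["src"])
        elif tag == "form" and a.get("action"):
            self.urls.append(a["action"])
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            # content="0; url=https://..."  -> keep only the url= part
            m = re.search(r"url\s*=\s*['\"]?([^'\"\s>]+)", a.get("content", ""), re.I)
            if m:
                self.urls.append(m.group(1))


def extract_urls(html):
    parser = LinkExtractor()
    parser.feed(html)
    return parser.urls + SCRIPT_URL_RE.findall(html)


def classify_url(url):
    """Flag links to file-sharing providers and links whose path ends in a payload
    extension; either alone is worth a look, both together match the lure."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    path = parsed.path.lower()
    return {
        "url": url,
        "host": host,
        "file_share": any(host == h or host.endswith("." + h) for h in FILE_SHARE_HOSTS),
        "payload_ext": path.endswith(PAYLOAD_EXTENSIONS),
    }


def triage_attachment(html, max_size=4096):
    """'suspicious' = a small HTML whose links point at a file-sharing host or an
    archive/MSI; 'review' = such a link in a larger document; 'clean' = nothing found."""
    findings = [classify_url(u) for u in extract_urls(html)]
    flagged = [f for f in findings if f["file_share"] or f["payload_ext"]]
    if not flagged:
        verdict = "clean"
    elif len(html) <= max_size:
        verdict = "suspicious"
    else:
        verdict = "review"
    return {"size": len(html), "links": findings, "flagged": flagged, "verdict": verdict}


# Constructed samples, not files from the campaign. The first mimics the lure:
# a few hundred bytes of HTML whose only job is to send the reader to an archive.
LURE_ATTACHMENT = """<html><head>
<meta http-equiv="refresh" content="0; url=https://ws.onehub.com/files/example-id/promotion.zip">
</head><body>
<p>Your document is ready. <a href="https://ws.onehub.com/files/example-id/promotion.zip">Open</a></p>
<script>window.location.href = "https://www.dropbox.com/s/example-id/archive.zip?dl=1";</script>
</body></html>"""

BENIGN_ATTACHMENT = """<html><body><h1>Quarterly report</h1>
<p>See <a href="https://www.example.com/reports/q3.html">the web version</a>.</p>
</body></html>"""

if __name__ == "__main__":
    for name, doc in (("lure", LURE_ATTACHMENT), ("benign", BENIGN_ATTACHMENT)):
        result = triage_attachment(doc)
        print(name, result["verdict"], [f["url"] for f in result["flagged"]])
```

Run this over HTML attachments extracted at the mail gateway or from the mailbox export rather than over the message body, which is where link-rewriting products already look; the size threshold is the point of the heuristic, since a legitimate HTML document is rarely a few hundred bytes containing nothing but an outbound link.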

In another example from early November, MuddyWater sent an email from a company in the Israeli hospitality industry to several contacts across different Israeli insurance companies, Kenin said. “In this mail, the company from the hospitality industry is looking for insurance. The text is written in Hebrew, but a native speaker will find it suspicious due to a poor choice of words. Once again, the link leads to an archive hosted on OneDrive which contains Syncro MSI installer.”

Despite those new TTPs, most of the Syncro installers are still hosted on OneHub, Kenin added. “What is unclear is whether or not MuddyWater gained full access to the email server or only the credentials to one email box. The emails are sent from legitimate corporate accounts. We see that in spite of the low level of sophistication that this tactic can be effective.”

Kenin pointed out that MuddyWater is not the only hacker group abusing Syncro. “It has also been observed recently in BatLoader and Luna Moth campaigns. Syncro is a fully-featured platform for Managed Service Providers (MSPs) to run their business. Syncro provides an agent for MSPs to manage any device that has Syncro installed with the custom-made provided MSI file that includes the customerID. Syncro has a 21-day trial offer. You choose the subdomain to be used by your MSP,” he added.

While investigating some of the installers that MuddyWater used, “we see that for each unique mail a new MSI was used. In most cases, MuddyWater used a single subdomain with a single MSI installer,” the Deep Instinct post noted. Most of the subdomains have no obvious meaning, although a few are clear: ‘mohammadosman6060’ and ‘osmandembele4040’ are named after football players; ‘netanyahu8585’ and ‘benet5050’ after the current and former prime ministers of Israel; and Cham Wings is the name of a Syrian airline.

The trial version contains the fully featured web GUI that allows complete control over a computer with the Syncro agent installed, Kenin said. “Those features are standard for remote administration tools, such as terminal with SYSTEM privileges, remote desktop access, full file system access, tasks, and services manager. All those features combined with a signed MSI installer create the perfect weapon for a threat actor to gain initial access and start performing recon on the target.” 

The same access later lets the threat actor deploy additional backdoors, exfiltrate files, or hand off access to other threat actors, according to the Deep Instinct post. “A threat actor that has access to a corporate machine via such capabilities has nearly limitless options,” it added.

Deep Instinct recommended that security teams monitor for remote desktop solutions that are not common in their organization, since unfamiliar tools have a higher chance of being abused.
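One way to act on that recommendation, as an added example that is not Deep Instinct's code: run a prevalence check over a software inventory exported from an EDR or asset system, and surface every remote administration tool that is either not on the organisation's approved list or installed on only a handful of hosts. The display-name fragments, the approved list, the 5 percent threshold and the sample inventory are all assumptions constructed for the example; the tool families are the ones the article names.

```python
from collections import defaultdict

# Display-name fragments for the remote administration tools named in the article.
# Assumed match strings for this example, not vendor-published product names.
RMM_SIGNATURES = {
    "Syncro": ("syncro",),
    "ScreenConnect": ("screenconnect", "connectwise control"),
    "Atera": ("atera",),
    "RemoteUtilities": ("remote utilities",),
}


def detect_rmm(display_name):
    """Map an installed-software display name to a known RMM family, or None."""
    name = display_name.lower()
    for tool, needles in RMM_SIGNATURES.items():
        if any(n in name for n in needles):
            return tool
    return None


def rmm_prevalence(inventory, approved, max_share=0.05):
    """inventory: {hostname: [installed product display names]};
    approved: set of RMM families the organisation sanctions.
    Returns one finding per RMM family that is unapproved or rare, rarest first."""
    hosts_by_tool = defaultdict(set)
    for host, products in inventory.items():
        for product in products:
            tool = detect_rmm(product)
            if tool:
                hosts_by_tool[tool].add(host)

    total = len(inventory)
    findings = []
    for tool, hosts in hosts_by_tool.items():
        share = len(hosts) / total
        reasons = []
        if tool not in approved:
            reasons.append("not an approved RMM tool")
        if share <= max_share:
            # An approved tool on one or two machines is still worth a question.
            reasons.append(f"rare: {len(hosts)} of {total} hosts")
        if reasons:
            findings.append({"tool": tool, "hosts": sorted(hosts), "share": share, "reasons": reasons})
    return sorted(findings, key=lambda f: f["share"])


# Constructed inventory, not real data: 40 workstations with the sanctioned
# ScreenConnect client, one of which also carries a Syncro agent, plus a server with Atera.
SAMPLE_INVENTORY = {f"ws-{i:02d}": ["Microsoft Edge", "ScreenConnect Client (abc123)"] for i in range(1, 41)}
SAMPLE_INVENTORY["ws-17"].append("Syncro")
SAMPLE_INVENTORY["srv-01"] = ["AteraAgent", "Microsoft Edge"]
APPROVED = {"ScreenConnect"}

if __name__ == "__main__":
    for f in rmm_prevalence(SAMPLE_INVENTORY, APPROVED):
        print(f"{f['tool']:<16} {f['share']:.1%}  {', '.join(f['reasons'])}  hosts={f['hosts']}")
```

The check is deliberately two-sided: an unapproved tool is flagged regardless of how widespread it is, and an approved tool is still flagged when it turns up on a single host, because a trial Syncro or Atera instance installed by a phished user looks exactly like one more copy of a product the organisation already runs.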
