The Iran-linked MuddyWater threat actor has been observed targeting several countries in the Middle East as well as Central and West Asia as part of a new spear-phishing activity.
“The campaign has been observed targeting Armenia, Azerbaijan, Egypt, Iraq, Israel, Jordan, Oman, Qatar, Tajikistan, and the United Arab Emirates,” Deep Instinct researcher Simon Kenin said in a technical write-up.
MuddyWater, also called Boggy Serpens, Cobalt Ulster, Earth Vetala, Mercury, Seedworm, Static Kitten, and TEMP.Zagros, is said to be a subordinate element within Iran’s Ministry of Intelligence and Security (MOIS).
Active since at least 2017, attacks mounted by the espionage group have typically targeted telecommunications, government, defense, and oil sectors.
The current intrusion set follows MuddyWater’s long-running modus operandi of using phishing lures that contain direct Dropbox links or document attachments with an embedded URL pointing to a ZIP archive file.
It’s worth mentioning here that the messages are sent from already compromised corporate email accounts, which are being offered for sale on the darknet by webmail shops like Xleet, Odin, Xmina, and Lufix anywhere between $8 to $25 per account.
While the archive files have previously harbored installers for legitimate tools like ScreenConnect and RemoteUtilities, the actor was observed switching to Atera Agent in July 2022 in a bid to fly under the radar.
But in a further sign that the campaign is being actively maintained and updated, the attack tactics have been tweaked yet again to deliver a different remote administration tool named Syncro.
The integrated MSP software offers a way to completely control a machine, allowing the adversary to conduct reconnaissance, deploy additional backdoors, and even sell access to other actors.
“A threat actor that has access to a corporate machine via such capabilities has nearly limitless options,” Kenin noted.
The findings come as Deep Instinct also uncovered new malware components employed by a Lebanon-based group tracked as Polonium in its attacks aimed exclusively at Israeli entities.
“Polonium is coordinating its operations with multiple tracked actor groups affiliated with Iran’s Ministry of Intelligence and Security (MOIS), based on victim overlap and the following common techniques and tooling,” Microsoft noted in June 2022.