The MuddyWater hacking group, an actor associated with Iran’s Ministry of Intelligence and Security, has been detected using compromised corporate email accounts to deliver their latest phishing campaign. This campaign started in September and was first observed by security researchers in October when it was used to drop a legitimate remote access tool known as Syncro, which was delivered in the form of an MSI Installer.
To deploy this remote access tool, the threat actor used legitimate corporate email accounts, such as that of an Egyptian hosting company, to disguise their emails as coming from a legitimate vendor – a known technique to build trust. The actor then attached an HTML file that contained a link to the Syncro MSI installer. The tool was hosted on a variety of services such as OneDrive, DropBox, and OneHub.
Syncro has been seen used by other threat actors as well such as BatLoader and LunaMoth. The tool comes with a free version that is valid for 21 days and provides full access. While this specific campaign was seen targeting entities in Egypt and Israel, the actor typically engages in espionage operations that target both public and private organizations in the Middle East, Asia, Europe, North America, and Africa.
MuddyWater has been seen using sophisticated techniques to compromise organizations in the past. However, in this campaign, they are using a freely available tool and relatively unsophisticated tactics. This campaign demonstrates the rise of phishing and the use of legitimate remote access tools to compromise organizations, which is relying primarily on the human behind the screen being vulnerable. To protect against attacks such as this, organizations should actively employ an email monitoring solution as well as monitoring for popular, unapproved remote access software in their environment. Additionally, organizations should provide phishing training to their employees so they can better identify any malicious emails that may receive, even when coming from a legitimate vendor email.