The MuddyWater hacking group, an actor associated with Iran’s Ministry of Intelligence and Security, has been observed using compromised corporate email accounts to deliver its latest phishing campaign. The campaign began in September and was first spotted by security researchers in October, when it was used to drop Syncro, a legitimate remote monitoring and management tool, delivered as an MSI installer.
To deliver the tool, the threat actor sent messages from legitimate corporate email accounts, including one belonging to an Egyptian hosting company, so the emails appeared to come from a real vendor, a well-known technique for building trust with the recipient. Each email carried an HTML attachment that, rather than embedding the payload, contained a link to the Syncro MSI installer. The installer was hosted on a range of file-sharing services, including OneDrive, Dropbox, and OneHub, so the download itself came from a reputable domain.
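The delivery chain above (HTML attachment, link to a file-sharing service, MSI download) leaves a pattern a mail gateway or triage script can check for. The following is an added example written for this page, not code from the original report or from any vendor; it parses an HTML attachment, pulls out navigable links (anchor hrefs, iframe sources and meta-refresh redirects), and flags those that point at the file-sharing services the report names or that look like a direct installer download. The sample attachment is constructed, and all hostnames and paths in it are illustrative; only the three service names come from the report, and the exact service hostnames listed are assumptions.

```python
"""Flag HTML-attachment links that point to installers on file-sharing hosts.

Added example, not code from the original report. The sample attachment below
is constructed and its URLs are not real indicators.
"""
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# The report names OneDrive, Dropbox and OneHub; the concrete hostnames here
# are assumptions and should be extended from your own environment's telemetry.
SHARING_DOMAINS = {
    "onedrive.live.com", "1drv.ms",
    "dropbox.com", "dl.dropboxusercontent.com",
    "onehub.com", "ws.onehub.com",
}
INSTALLER_EXTENSIONS = (".msi",)


class LinkExtractor(HTMLParser):
    """Collect navigable URLs from <a href>, <iframe src> and <meta refresh>."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.append(a["href"])
        elif tag == "iframe" and a.get("src"):
            self.links.append(a["src"])
        elif tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            # A refresh header embeds the target as "0;url=https://..."
            content = a.get("content") or ""
            marker = content.lower().find("url=")
            if marker != -1:
                self.links.append(content[marker + 4:].strip())


def base_domain(host):
    """Reduce 'www.dropbox.com:443' to 'dropbox.com' for set lookups."""
    parts = host.lower().split(":")[0].split(".")
    return ".".join(parts[-2:])


def is_sharing_host(host):
    bare = host.lower().split(":")[0]
    return bare in SHARING_DOMAINS or base_domain(bare) in SHARING_DOMAINS


def looks_like_installer(parsed):
    if parsed.path.lower().endswith(INSTALLER_EXTENSIONS):
        return True
    # Dropbox's dl=1 query parameter forces a direct download instead of a preview page.
    return parse_qs(parsed.query).get("dl") == ["1"]


def triage_html(html):
    """Return one finding per suspicious link, in document order."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for url in parser.links:
        parsed = urlparse(url)
        if parsed.scheme not in ("http", "https"):
            continue
        reasons = []
        if is_sharing_host(parsed.netloc):
            reasons.append("file-sharing host")
        if looks_like_installer(parsed):
            reasons.append("installer download")
        if reasons:
            findings.append({
                "url": url,
                "host": parsed.netloc.lower(),
                "reasons": reasons,
                # Both signals together match the delivery chain in the report.
                "severity": "high" if len(reasons) == 2 else "medium",
            })
    return findings


# Constructed sample attachment; hostnames and identifiers are invented.
SAMPLE_ATTACHMENT = """<html><head>
<meta http-equiv="refresh" content="0;url=https://onedrive.live.com/download?resid=EXAMPLE">
</head><body>
<p>Please review the attached invoice.</p>
<a href="https://www.dropbox.com/s/EXAMPLEID/Invoice_Sep.msi?dl=1">Download invoice</a>
<a href="https://www.example-hosting.invalid/support">Contact support</a>
</body></html>"""

if __name__ == "__main__":
    for finding in triage_html(SAMPLE_ATTACHMENT):
        print(finding["severity"], finding["host"], ", ".join(finding["reasons"]), finding["url"])
```

Run against an attachment body, the script reports the OneDrive redirect as medium (file-sharing host only) and the Dropbox `.msi` link as high (file-sharing host plus installer download); the vendor's own support link is ignored. Because the sending account is genuinely the vendor's, sender reputation and SPF/DKIM checks pass in this scenario, which is why the check has to look at where the attachment sends the user rather than at who sent the mail.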
Syncro has also been abused by other threat actors, including in BatLoader and LunaMoth campaigns. The tool offers a free trial that is valid for 21 days and provides the full feature set, so an attacker needs no purchase or licence to use it. While this particular campaign targeted entities in Egypt and Israel, the actor typically conducts espionage operations against public and private organisations across the Middle East, Asia, Europe, North America, and Africa.