New research has found that Iranian threat actors are targeting government agencies in the UAE and Kuwait in a fresh cyberespionage operation, using the ScreenConnect remote access tool delivered through phishing emails.
ScreenConnect, now sold as ConnectWise Control, is a remote desktop application that supports unattended access and remote meetings, with features such as screen sharing.
The campaign was identified by Anomali, a threat intelligence platform, which said in a blog post: “We assess that Iran-nexus cyberespionage group Static Kitten, due to Israeli geopolitical-themed lures, Ministry of Foreign Affairs (MOFA) references, and the use of file-storage service Onehub that was attributed to their previous campaign known as Operation Quicksand.”
They also linked the campaign to MuddyWater, a state-backed hacking group also tracked as Static Kitten, Seedworm, MERCURY, TEMP.Zagros, POWERSTATS and NTSTATS. The research explained that “the objective of this activity is to install a remote management tool called ScreenConnect (acquired by ConnectWise 2015) with unique launch parameters that have custom properties.”
MuddyWater first emerged in 2017 and has since been linked to numerous attacks, particularly against targets in the Middle East. The group is assessed to operate under the direction of Iran’s Islamic Revolutionary Guard Corps (IRGC), the country’s principal military and intelligence service, and has been observed exploiting the Zerologon vulnerability (CVE-2020-1472) in real-world operations against prominent Israeli organizations, delivering malicious payloads.
Anomali’s research revealed two different ZIP files hosted on Onehub: one purporting to contain a document on Israel’s relations with Arab countries, the other a document about scholarships.
The attack begins with phishing emails that carry download URLs for these decoy documents. When a recipient follows the link and opens the downloaded file, the ScreenConnect installer runs, and the resulting client connects back to infrastructure controlled by the campaign’s operators. The download URLs were distributed only through the phishing emails themselves, with the lure documents serving as the pretext.
The researchers said, “we identified two lure ZIP files being used by Static Kitten designed to trick users into downloading a purported report on relations between Arab countries and Israel, or a file relating to scholarships. The URLs distributed through these phishing emails direct recipients to the intended file storage location on Onehub, a legitimate service known to be used by Static Kitten for nefarious purposes. Anomali Threat Research has identified that Static Kitten is continuing to use Onehub to host a file containing ScreenConnect.”
The overall purpose of the campaign appears to be gaining remote access to endpoints on the targeted organization’s network, which would allow the operators to run commands, move laterally, and ultimately steal valuable data.
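As an added detection example (not part of the Anomali research or this article), the following Python parses the query-string style launch parameters of the ScreenConnect client, extracts the relay host, port and custom properties the report refers to, and flags endpoints whose client points at a relay that is not on the organization’s approved list. The `?e=…&y=…&h=…&p=…&s=…&c=…` parameter format is an assumption taken from the ConnectWise Control client’s command line; the process-creation events below are constructed sample data, not telemetry from the campaign.

```python
import re
from urllib.parse import parse_qs

# Constructed sample process-creation events (Sysmon/EDR style), not real telemetry.
# Relay hosts, session IDs and keys are placeholders.
SAMPLE_EVENTS = [
    {   # expected: client enrolled to the organisation's own relay
        "host": "WS-FIN-01",
        "image": r"C:\Program Files (x86)\ScreenConnect Client (7a1b2c3d4e5f6a7b)\ScreenConnect.ClientService.exe",
        "cmdline": r'"C:\Program Files (x86)\ScreenConnect Client (7a1b2c3d4e5f6a7b)\ScreenConnect.ClientService.exe" '
                   r'"?e=Access&y=Guest&h=support.example.com&p=443&k=BgIAAACkAABSU0ExAA&s=11112222&c=helpdesk&c=&c=&c=&c=&c=&c=&c="',
    },
    {   # suspicious: client points at a bare IP that is not an approved relay, with custom properties set
        "host": "WS-GOV-07",
        "image": r"C:\Program Files (x86)\ScreenConnect Client (0f0e0d0c0b0a0908)\ScreenConnect.ClientService.exe",
        "cmdline": r'"C:\Program Files (x86)\ScreenConnect Client (0f0e0d0c0b0a0908)\ScreenConnect.ClientService.exe" '
                   r'"?e=Access&y=Guest&h=203.0.113.45&p=8041&k=BgIAAACkAABSU0ExAA&s=33334444&c=ticket-4411&c=report&c=&c=&c=&c=&c=&c="',
    },
    {   # unrelated process, must be ignored
        "host": "WS-HR-03",
        "image": r"C:\Windows\System32\svchost.exe",
        "cmdline": "svchost.exe -k netsvcs",
    },
]

# Relay hosts the organisation actually operates (assumed allowlist).
APPROVED_RELAYS = {"support.example.com"}

SC_IMAGE_RE = re.compile(r"ScreenConnect\.(?:ClientService|Client|WindowsClient)\.exe$", re.IGNORECASE)
QUERY_RE = re.compile(r'\?([^"]+)')          # the quoted "?e=...&h=..." argument
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def parse_launch_params(cmdline):
    """Return the ScreenConnect launch parameters as a dict, or None if absent."""
    m = QUERY_RE.search(cmdline)
    if not m:
        return None
    q = parse_qs(m.group(1), keep_blank_values=True)
    first = lambda key: q.get(key, [""])[0]
    return {
        "session_type": first("e"),           # e.g. Access (unattended) or Support
        "process_type": first("y"),           # Guest = endpoint side of the session
        "relay_host": first("h").lower(),     # relay the client dials out to
        "relay_port": first("p"),
        "session_id": first("s"),
        "custom_props": [c for c in q.get("c", []) if c],  # non-empty custom properties
    }


def triage(events, approved_relays):
    """Flag ScreenConnect clients whose relay is not approved or is a bare IP."""
    findings = []
    for ev in events:
        if not SC_IMAGE_RE.search(ev["image"]):
            continue
        params = parse_launch_params(ev["cmdline"])
        if params is None:
            findings.append({"host": ev["host"], "relay": None,
                             "reasons": ["screenconnect_without_params"], "params": None})
            continue
        relay = params["relay_host"]
        reasons = []
        if relay not in approved_relays:
            reasons.append("unapproved_relay")
        if IPV4_RE.match(relay):
            reasons.append("relay_is_bare_ip")
        if reasons:
            findings.append({"host": ev["host"], "relay": relay,
                             "reasons": reasons, "params": params})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS, APPROVED_RELAYS):
        print(f["host"], f["relay"], f["reasons"], f["params"]["custom_props"])
```

The relay host (`h`) is the single most useful pivot: a legitimate deployment dials a known corporate or MSP relay, whereas an attacker-built installer carries whatever relay the operator stood up. Custom properties (`c`) are surfaced for context rather than used as a verdict on their own, since legitimate installers also populate them.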
The researchers concluded by briefing that, “utilizing legitimate software for malicious purposes can be an effective way for threat actors to obfuscate their operations. In this latest example, Static Kitten is very likely using features of ScreenConnect to steal sensitive information or download malware for additional cyber operations. As Static Kitten is assessed to be primarily focused on cyber-espionage, it is very likely that data-theft is the primary objective behind propagating ScreenConnect to government agency employees.”