The Iranian APT MuddyWater is targeting multiple Arabic-speaking countries. The APT exploits 2 lures: a report on relations between Arab countries and Israel, or a file on scholarships. These two lure ZIP files are being used by the threat actor to trick users into downloading malware. URLs distributed through these phishing emails direct recipients to the intended file storage location on Onehub. The attack commences by directing users to a downloader URL pointing to these ZIP files via a phishing email. This, when opened, launches the installation process for ScreenConnect, and subsequently uses it to communicate with the adversary. The URLs themselves are distributed through decoy documents embedded in the emails.
The campaign was detected targeting government agencies in the United Arab Emirates (UAE) and likely the broader Middle East. The campaign is linked to the Iran-nexus cyberespionage group Static Kitten, due to Israeli geopolitical-themed lures, Ministry of Foreign Affairs (MOFA) references, and the use of file-storage service Onehub that was attributed to their previous campaign known as Operation Quicksand. The objective of this activity is to install a remote management tool called ScreenConnect (acquired by ConnectWise 2015) with unique launch parameters that have custom properties. Malicious executables and URLs used in this campaign are masquerading as the Ministry of Foreign Affairs (MOFA) of Kuwait (mofa.gov[.]kw).