Rewterz Threat Alert – MuddyWater Campaign Using ScreenConnect RAT

Severity

High

Analysis Summary

The Iranian APT MuddyWater is targeting multiple Arabic-speaking countries. The APT exploits 2 lures: a report on relations between Arab countries and Israel, or a file on scholarships. These two lure ZIP files are being used by the threat actor to trick users into downloading malware. URLs distributed through these phishing emails direct recipients to the intended file storage location on Onehub. The attack commences by directing users to a downloader URL pointing to these ZIP files via a phishing email. This, when opened, launches the installation process for ScreenConnect, and subsequently uses it to communicate with the adversary. The URLs themselves are distributed through decoy documents embedded in the emails.

The campaign was detected targeting government agencies in the United Arab Emirates (UAE) and likely the broader Middle East. The campaign is linked to the Iran-nexus cyberespionage group Static Kitten, due to Israeli geopolitical-themed lures, Ministry of Foreign Affairs (MOFA) references, and the use of file-storage service Onehub that was attributed to their previous campaign known as Operation Quicksand. The objective of this activity is to install a remote management tool called ScreenConnect (acquired by ConnectWise 2015) with unique launch parameters that have custom properties. Malicious executables and URLs used in this campaign are masquerading as the Ministry of Foreign Affairs (MOFA) of Kuwait (mofa.gov[.]kw).

Impact

• Unauthorized Remote Access
• Data Exfiltration

Indicators of Compromise

Domain Name

• instance-uwct38-relay[.]screenconnect[.]com
• instance-sy9at2-relay[.]screenconnect[.]com

MD5

• 2cd569dafe4f537150f0416b021c30ab
• e8e84ac1ae83a45c260df146e97cb1cb
• a8fce1e8e89053e143b5431cfa5209cb
• b9cff91be734e2a071d3b0fc07dc8386
• 960594cbdf938bcb03bd0637843d9154

SHA-256

• 31a35e3b87a7f81449d6f3e195dc0660b5dae4ac5b7cd9a65a449526e8fb7535
• 3e4e179a7a6718eedf36608bd7130b62a5a464ac301a211c3c8e37c7e4b0b32b
• 5bfb635c43eb73f25f4e75961a715b96fa764bbe096086fc1e037a7869c7878b
• 77505dcec5d67cc0f6eb841f50da7e7c41a69419d50dc6ce17fffc48387452e1
• b2f429efdb1801892ec8a2bcdd00a44d6ee31df04721482a1927fc6df554cdcf

SHA1

• 3cf40758a15faf5037a7fcb6c8d6c322ec54dfc1
• c58370b4114d4d493e141a66cd1484573ccf02b5
• 707c251833db0fb7c17c79413ddaebcb54cdb0fc
• 116646a11967c1eed0e6072150b8d581bcf8d6a5
• f228e772a31b4fc160cb59cf5627224613f10941

URL

• https[:]//ws[.]onehub[.]com/files/7w1372el
• https[:]//ws[.]onehub[.]com/files/94otjyvd
• https[:]//ws[.]onehub[.]com/files/mz8ok6gf
• https[:]//ws[.]onehub[.]com/files/wrz117le
• https[:]//ws[.]onehub[.]com/files/2b2nwhmh

Remediation

• Block the threat indicators at their respective controls.
• Do not download files attached in untrusted emails.
• Do not click on URLs given in untrusted emails.