MuddyWater Crafts Email Compromises to Install Remote Access Software

A new wave of spear-phishing campaigns orchestrated by the cyber espionage group MuddyWater (aka. TA450, Static Kitten, Mercury/Mango Sandstorm, Earth Vetala, Seedworm) was discovered to be circulating between February 2024 and March 2024. The activity identified and monitored by Malwation's Threat Research Team has tracked the threat actor's cyber espionage activities since 2017, targeting a broad spectrum of sectors including energy, telecommunications, government, and defense primarily within the EMEA (Europe, the Middle East, and Africa) region. The group's activities are notably aligned with Iran's foreign policies. Their latest campaigns have targeted entities in Israel, Africa, and Turkiye, with the attackers leveraging emails to distribute remote access software. However, the extent of post-exploitation activities following the software installation remains unexplored.

Initiating their attacks through Business Email Compromise (BEC), MuddyWater employs a crafted attack chain that begins with the delivery of spear-phishing emails. These emails often contain malicious PDF attachments directing victims to third-party file upload services where compromised accounts are used to disseminate agents of remote administration management (RMM) software such as Atera and ConnectWise ScreenConnect. Once installed via MSI files, these agents afford attackers extensive control over victim devices, facilitating file upload, extraction, monitoring, and execution with elevated privileges.

MuddyWater's social engineering prowess is evident through the customization of their attack campaigns to minimize their digital footprint and evade detection. The group meticulously prepares mail templates and malicious files, tailoring them specifically to their targets by incorporating common names within the industry or directly using the target’s name, thereby enhancing the efficacy of their spear-phishing attacks.

A December 2023 report from Symantec reinforces MuddyWater's preference for targeting the telecommunications sector in African countries, utilizing tools like AnyDesk for remote access. This recurring theme of remote access software usage, including AnyDesk, underscores the importance of monitoring remote access tools.