Hackers Spyed with ConnectWise

UAE and Kuwait government agencies are targets of a new cyberespionage campaign potentially carried out by Iranian threat actors.

Attributing the operation to be the work of Static Kitten, The “objective of this activity is to install a remote management tool called ScreenConnect (acquired by ConnectWise 2015) with unique launch parameters that have custom properties,” with malware samples and URLs masquerading as the Ministry of Foreign Affairs (MOFA) of Kuwait and the UAE National Council.

MuddyWater has been tied to a number of attacks primarily against Middle Eastern nations, actively exploiting Zerologon vulnerability in real-world attack campaigns to strike prominent Israeli organizations with malicious payloads.

Researchers spotted two separate lure ZIP files hosted on Onehub that claimed to contain a report on relations between Arab countries and Israel or a file relating to scholarships.

“The URLs distributed through these phishing emails direct recipients to the intended file storage location on Onehub, a legitimate service known to be used by Static Kitten for nefarious purposes,” the researchers noted.

The attack commences by directing users to a downloader URL pointing to these ZIP files via a phishing email that, when opened, launches the installation process for ScreenConnect, and subsequently uses it to communicate with the adversary. The URLs themselves are distributed through decoy documents embedded in the emails.

The ultimate goal of the attackers, is to use the software to connect to endpoints on client networks, enabling them to conduct further lateral movements and execute arbitrary commands in target environments in a bid to facilitate data theft.

Utilizing legitimate software for malicious purposes can be an effective way for threat actors to obfuscate their operations,” the researchers concluded.