
Iran-based threat actor MuddyWater, also known as MERCURY, has been exploiting Log4j 2 vulnerabilities in SysAid applications to target organizations in Israel.
According to a new advisory from Microsoft's security researchers, MERCURY's observed activity was affiliated with Iran's Ministry of Intelligence and Security (MOIS).
The campaign spotted by the MSTIC and Microsoft 365 Defender Research Team differs from previous MERCURY campaigns in that it is the first in which the group exploits SysAid applications as a vector for initial access.
After gaining access, MERCURY establishes persistence, dumps credentials, and moves laterally within the targeted organization using both custom and well-known hacking tools, as well as built-in operating system tools, for its hands-on-keyboard attack.
Microsoft also included a list of common techniques and tooling used by MERCURY, which include spearphishing, alongside programs such as the Venom proxy tool, the Ligolo reverse tunneling tool and home-grown PowerShell programs.
Microsoft confirmed it notified customers that have been targeted or compromised, providing them with the information needed to secure their accounts.
Indicators of Compromise