Hacked corporate email accounts used to send MSP remote access tool

The MuddyWater hackers, who are part of Iran’s Ministry of Intelligence and Security, used compromised corporate email accounts to send phishing messages.

The group adopted this new tactic in a campaign that may have begun in September but was not observed until October. The campaign also involved the use of legitimate remote administration tools.

MSP tools can be used in different ways

MuddyWater has used remote administration software in its hacking activity before. Researchers discovered that in 2020 and 2021 the group used RemoteUtilities as well as ScreenConnect in its campaigns.

In July, the group continued this campaign but changed to Atera. Simon Kenin, a security researcher at Deep Instinct, highlighted the switch.

In October, Deep Instinct researchers spotted a MuddyWater campaign that used Syncro, a remote administration tool designed for managed service providers (MSPs).

In a report today, Kenin says the initial infection vector is a phishing email sent from a legitimate corporate email account that the hackers had compromised.

MuddyWater campaign overview

source: Deep Instinct

The researcher told BleepingComputer that although the company’s official signature was missing from the phishing email, victims still trusted it because it came from a genuine address they recognized.

Two Egyptian hosting companies were among the victims of this attack. One was breached and its systems were used to send out the emails; the other was the recipient of the malicious message.

This is an established technique for building trust with the receiving party, Kenin explains.

To lower the chances of being detected by email security software, the attacker attaches an HTML file that contains the link to the Syncro MSI installer.

Deep Instinct: “The attachment isn’t an archive nor an executable, which doesn’t raise suspicion from the end-user because HTML is usually overlooked in phishing awareness and simulations.”

The tool was hosted on Microsoft’s OneDrive file storage. In an earlier message sent from the compromised email account at the Egyptian hosting company, the Syncro installer was stored on Dropbox.

The researcher says that the majority of Syncro installers used by MuddyWater are stored on OneHub’s cloud storage, a service MuddyWater has used previously in its hacking operations.
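As an added example (not from Deep Instinct or the original article), the delivery pattern described above, an HTML attachment whose link points to an installer on cloud storage, can be checked for when mail is scanned. The host list, function names and sample message below are assumptions constructed for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed hostnames for the storage services the article names (OneDrive, Dropbox, OneHub).
FILE_SHARE_HOSTS = ("onedrive.live.com", "1drv.ms", "dropbox.com", "onehub.com")

class LinkCollector(HTMLParser):
    """Collect every href/src URL found in an HTML document."""
    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        self.urls += [v.strip() for k, v in attrs if k in ("href", "src") and v]

def classify(url):
    """Return a reason string if the URL matches the delivery pattern, else None."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if parsed.path.lower().endswith(".msi"):
        return "direct link to an MSI installer"
    if any(host == h or host.endswith("." + h) for h in FILE_SHARE_HOSTS):
        return "link to a file-sharing host"
    return None

def flag_html_attachments(raw_message: bytes):
    """Return (filename, url, reason) for each matching link in HTML attachments."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if part.get_content_type() != "text/html" and not name.lower().endswith((".htm", ".html")):
            continue
        body = part.get_content()
        if isinstance(body, bytes):  # HTML file sent with a generic MIME type
            body = body.decode("utf-8", "replace")
        collector = LinkCollector()
        collector.feed(body)
        findings += [(name, u, r) for u in collector.urls if (r := classify(u))]
    return findings

def build_sample(url: str) -> bytes:
    """Constructed test message: plain-text body plus one HTML attachment linking to url."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "sender@example.com", "rcpt@example.net", "Documents"
    m.set_content("Please see the attached file.")
    m.add_attachment(f'<a href="{url}">Open</a>', subtype="html", filename="document.html")
    return m.as_bytes()
```

A hit on a file-sharing host alone is common in legitimate mail, so findings like these are better used to raise a message's score or route it for review than to block outright.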

Other threat actors have used Syncro as well. A trial version of the tool is available for 21 days. It includes the full web interface and allows complete control of any computer that has the Syncro agent installed.

Once the attackers have gained access to the targeted system, they can use the backdoor to maintain persistence and steal data.

Multiple Israeli insurance companies were also targeted in the MuddyWater campaign. The actor used the same technique, sending the emails via a compromised email account of an Israeli entity in the hospitality industry.

The hackers included an HTML attachment with a link leading to the Syncro installer hosted on OneDrive.

MuddyWater phishing email targeting insurance companies in Israel

source: Deep Instinct

Kenin points out that although the email was written in Hebrew, a native speaker could recognize it as suspicious from the poor choice of words.

Although MuddyWater’s tactics may not be very sophisticated, they show that many readily available tools can be put to use in hacking operations.

The actor is tracked under different names, such as Static Kitten, Cobalt Ulster, and Mercury, and has been active since at least 2017.

It engages in espionage operations targeting both private and public organizations in Asia, Europe, and North America.