By Gagandeep Singh
09-Dec-2022
MuddyWater, a hacker group linked to Iran's Ministry of Intelligence and Security, used compromised corporate email accounts to send phishing messages to its targets.
The security firm Deep Instinct said the campaign was spotted in October, using the same tactics as before and relying on legitimate remote administration tools.
In its 2020-21 campaigns, the group relied on ScreenConnect and Remote Utilities, both legitimate remote administration tools.
MuddyWater then kept the same tactics but switched to the Atera Agent (Simon Kenin discovered the use of an Atera agent).
In the October campaign, MuddyWater used Syncro. The attackers attached an HTML file containing a link to download the Syncro installer.
The initial phishing emails were indeed sent from legitimate corporate email accounts that had been compromised, and the Syncro installer was hosted on Dropbox.
The phishing emails lacked the company's signatures, but the targets still trusted them as legitimate because they came from an authentic company address.
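As an added, defender-side illustration (not part of the original post and not Deep Instinct's code), the Python below checks the two observable stages of the chain described above: an HTML attachment whose link leads to an installer on a file-hosting site, and an endpoint process event in which remote administration tooling starts outside an approved list or from a mail client or browser. The product names are the ones the post mentions; the file-hosting domains, parent-process names, log records and the approved-tool set are constructed assumptions for the example.

```python
"""Flag the delivery chain: HTML attachment -> file-hosting link -> legitimate RMM installer."""
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlparse

# Product names taken from the post. Matching them in file names and command
# lines is an assumption for this example; real agent binary names differ per
# vendor release, so a production allow list should come from the vendor docs.
RMM_PRODUCTS = ("syncro", "atera", "screenconnect", "remote utilities")

# File-hosting domains treated as untrusted installer sources (constructed list;
# Dropbox is the host the post names).
HOSTING_DOMAINS = ("dropbox.com", "dropboxusercontent.com")
INSTALLER_EXT = (".exe", ".msi")

# Parent processes that should not normally launch an RMM installer
# (assumed names for illustration).
USER_FACING_PARENTS = ("outlook.exe", "chrome.exe", "msedge.exe", "firefox.exe")

HREF_RE = re.compile(r"""href\s*=\s*["']([^"']+)["']""", re.IGNORECASE)


def rmm_products_in(text: str) -> list:
    """Return the RMM product names mentioned in a path or command line."""
    lowered = text.lower()
    return [p for p in RMM_PRODUCTS if p in lowered]


def suspicious_links(html: str) -> list:
    """Links in an HTML attachment that point at an installer on a file-hosting site."""
    hits = []
    for url in HREF_RE.findall(html):
        parsed = urlparse(url)
        host = parsed.netloc.lower()
        if not any(host == d or host.endswith("." + d) for d in HOSTING_DOMAINS):
            continue
        path = parsed.path.lower()
        if path.endswith(INSTALLER_EXT) or rmm_products_in(path):
            hits.append(url)
    return hits


@dataclass
class ProcessEvent:
    host: str
    user: str
    image: str          # full path of the started process
    cmdline: str
    parent_image: str   # full path of the parent process


def check_process_event(ev: ProcessEvent, approved_rmm: set) -> Optional[dict]:
    """Flag RMM tooling that is not approved, or that was started from a mail
    client or browser (the way a phished user would run a downloaded installer)."""
    products = rmm_products_in(ev.image + " " + ev.cmdline)
    if not products:
        return None
    reasons = []
    unapproved = [p for p in products if p not in approved_rmm]
    if unapproved:
        reasons.append("unapproved RMM product: " + ", ".join(unapproved))
    parent = ev.parent_image.lower().rsplit("\\", 1)[-1]
    if parent in USER_FACING_PARENTS:
        reasons.append(f"launched from user-facing parent {parent}")
    if not reasons:
        return None
    return {"host": ev.host, "user": ev.user, "image": ev.image, "reasons": reasons}


def run_detections(html: str, events: list, approved_rmm: set) -> dict:
    """Run both checks and collect the findings."""
    findings = [check_process_event(e, approved_rmm) for e in events]
    return {"mail_links": suspicious_links(html),
            "process_findings": [f for f in findings if f]}


# Constructed sample data: an HTML attachment and three endpoint events.
SAMPLE_HTML = """<html><body>
<p>Please review the attached document.</p>
<a href="https://www.dropbox.com/s/EXAMPLEID/SyncroSetup.exe?dl=1">Open document</a>
<a href="https://intranet.example.com/policy.pdf">Policy</a>
</body></html>"""

SAMPLE_EVENTS = [
    ProcessEvent("ws01", "alice", r"C:\Users\alice\Downloads\SyncroSetup.exe",
                 r"C:\Users\alice\Downloads\SyncroSetup.exe",
                 r"C:\Program Files\Mozilla Firefox\firefox.exe"),
    ProcessEvent("srv02", "SYSTEM", r"C:\Program Files\ScreenConnect\ScreenConnect.ClientService.exe",
                 r"C:\Program Files\ScreenConnect\ScreenConnect.ClientService.exe",
                 r"C:\Windows\System32\services.exe"),
    ProcessEvent("ws01", "alice", r"C:\Windows\System32\notepad.exe",
                 "notepad.exe notes.txt", r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    # ScreenConnect is treated as the organisation's approved tool (assumption).
    for key, value in run_detections(SAMPLE_HTML, SAMPLE_EVENTS, {"screenconnect"}).items():
        print(key, value)
```

The second event is deliberately not flagged: an approved tool running as a service under services.exe is the normal case, so the check only fires on an unlisted product or on an installer spawned by a mail client or browser, which is the combination the post describes.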
MuddyWater's methods are not novel, yet freely available legitimate software and tools remain an effective means of gaining access to targets.