KUWAIT CITY, Feb 13, (Agencies): Anomali, a cyber security company headquartered in the United States of America (USA), has published research revealing that Iranian hackers are targeting government institutions in Kuwait and the United Arab Emirates (UAE) in a suspected cyber espionage campaign. A report published on the website of The Hacker News quoted the researchers at Anomali as saying that the group behind the campaign is Static Kitten, also known as Mercury or MuddyWater.
The attack involves the installation of a remote management tool called ‘ScreenConnect’, which was acquired by ConnectWise in 2015. “The tool has unique launch parameters with custom properties, along with malware samples and URLs masquerading as Kuwait’s Ministry of Foreign Affairs and the National Council in the UAE,” the researchers disclosed. Previous reports stated that Static Kitten has been active since 2017 and is behind several attacks against countries in the Middle East.
The group has also actively exploited the Zerologon vulnerability (CVE-2020-1472) in real-world attack campaigns to strike prominent Israeli organizations with malicious payloads. The state-sponsored hacking group is believed to operate under the command of Iran’s Islamic Revolutionary Guard Corps (IRGC), the Hacker News report added.
Anomali discovered two separate lure ZIP files hosted on Onehub that claimed to contain a report on relations between Arab countries and Israel or a file relating to scholarships. The researchers explained that “the URLs distributed through these phishing emails direct recipients to the intended file storage location on Onehub, a legitimate service known to be used by Static Kitten for nefarious purposes.
Static Kitten is continuing to use Onehub to host a file containing ScreenConnect.” According to the researchers, “the attack is launched by guiding users to a downloader URL pointing to these ZIP files via a phishing email that, when opened, launches the installation process for ScreenConnect, and subsequently uses it to communicate with the adversary.
The URLs themselves are distributed through decoy documents embedded in the emails. ConnectWise Control (formerly called ScreenConnect) is a self-hosted remote desktop software application with support for unattended access and conducting meetings with screensharing features.” The researchers also found that the hackers’ ultimate goal is to use the software to connect to endpoints on client networks, enabling them to carry out further lateral movement and execute arbitrary commands in target environments in order to facilitate data theft. “Utilizing legitimate software for malicious purposes can be an effective way for threat actors to obfuscate their operations.
In this latest example, Static Kitten is very likely using features of ScreenConnect to steal sensitive information or download malware for additional cyber operations,” the researchers added.
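The delivery chain described above (phishing email, Onehub-hosted ZIP, ScreenConnect client installer, remote access via a legitimate tool) lends itself to a simple correlation rule. The following is an added example written for this page; it is not code from Anomali, The Hacker News or ConnectWise. The JSON-per-line log format, the field names, the sample events and the ScreenConnect installer file-name pattern are all assumptions made for the example. The article does not reproduce the launch parameters the researchers observed, so the rule keys on where the installer is run from (a user-writable directory such as Downloads or Temp) rather than on those parameters.

```python
"""Added example (not from Anomali, The Hacker News or ConnectWise): correlate a
ZIP downloaded from Onehub with a ScreenConnect client installer launched from
a user-writable directory on the same host shortly afterwards.

Assumptions: the JSON-per-line log format, the field names (ts, type, host,
user, url, filename, parent, image, cmdline), the sample events and the
ScreenConnect installer file-name pattern are constructed for this example.
"""
import json
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse

# Constructed sample events (not real logs). Backslashes are JSON-escaped inside
# this raw string, so each "\\" decodes to a single backslash in the path.
SAMPLE_LOG = r"""
{"ts":"2021-02-10T08:01:12Z","type":"proxy","host":"WS-0412","user":"a.salem","url":"https://ws.onehub.com/files/abc123/download","filename":"report.zip"}
{"ts":"2021-02-10T08:03:40Z","type":"process","host":"WS-0412","user":"a.salem","parent":"explorer.exe","image":"C:\\Users\\a.salem\\Downloads\\report\\ScreenConnect.ClientSetup.exe","cmdline":"ScreenConnect.ClientSetup.exe"}
{"ts":"2021-02-10T09:15:00Z","type":"process","host":"WS-0777","user":"it.admin","parent":"services.exe","image":"C:\\Program Files (x86)\\ScreenConnect Client (abc)\\ScreenConnect.ClientService.exe","cmdline":"ScreenConnect.ClientService.exe"}
{"ts":"2021-02-10T10:00:00Z","type":"proxy","host":"WS-0900","user":"b.khan","url":"https://ws.onehub.com/files/def456/download","filename":"scholarship.zip"}
{"ts":"2021-02-10T10:05:00Z","type":"proxy","host":"WS-0900","user":"b.khan","url":"https://example.com/index.html","filename":""}
"""

# Path fragments treated as user-writable (assumed; tune for your environment).
USER_WRITABLE_MARKERS = ("\\users\\", "\\appdata\\local\\temp\\", "\\windows\\temp\\")


def parse_events(text):
    """Parse JSON-per-line events and return them sorted by timestamp."""
    events = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        evt = json.loads(line)
        evt["ts"] = datetime.strptime(evt["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(evt)
    return sorted(events, key=lambda e: e["ts"])


def is_onehub_zip_download(evt):
    """Proxy event fetching a .zip from onehub.com or any of its subdomains."""
    if evt.get("type") != "proxy":
        return False
    host = (urlparse(evt.get("url", "")).hostname or "").lower()
    fname = evt.get("filename", "").lower()
    return (host == "onehub.com" or host.endswith(".onehub.com")) and fname.endswith(".zip")


def is_screenconnect_install_from_user_path(evt):
    """Process event where a ScreenConnect installer (assumed name pattern:
    'screenconnect' plus 'setup' or an .msi, or msiexec with a ScreenConnect
    package) is launched from a user-writable path. A client service already
    running under Program Files is not flagged."""
    if evt.get("type") != "process":
        return False
    image = evt.get("image", "").lower()
    cmdline = evt.get("cmdline", "").lower()
    name = image.rsplit("\\", 1)[-1]
    looks_like_installer = (
        ("screenconnect" in name and ("setup" in name or name.endswith(".msi")))
        or (name == "msiexec.exe" and "screenconnect" in cmdline)
    )
    in_user_path = any(m in image or m in cmdline for m in USER_WRITABLE_MARKERS)
    return looks_like_installer and in_user_path


def correlate(events, window=timedelta(hours=1)):
    """Pair each suspicious installer launch with an Onehub ZIP download on the
    same host within `window`. Returns alerts sorted by time: 'high' when both
    are seen, 'medium' for an installer alone, 'low' for a download alone."""
    downloads = [e for e in events if is_onehub_zip_download(e)]
    installs = [e for e in events if is_screenconnect_install_from_user_path(e)]
    alerts, matched = [], set()
    for inst in installs:
        prior = [d for d in downloads
                 if d["host"] == inst["host"] and timedelta(0) <= inst["ts"] - d["ts"] <= window]
        matched.update(id(d) for d in prior)
        alerts.append({
            "severity": "high" if prior else "medium",
            "host": inst["host"], "user": inst.get("user"), "ts": inst["ts"],
            "reason": "ScreenConnect installer run from user-writable path"
                      + (" shortly after Onehub ZIP download" if prior else ""),
        })
    for d in downloads:
        if id(d) not in matched:
            alerts.append({"severity": "low", "host": d["host"], "user": d.get("user"),
                           "ts": d["ts"], "reason": "ZIP downloaded from Onehub (no installer seen)"})
    return sorted(alerts, key=lambda a: a["ts"])


if __name__ == "__main__":
    for a in correlate(parse_events(SAMPLE_LOG)):
        print(a["ts"].isoformat(), a["severity"].upper(), a["host"], a["user"], a["reason"])
```

On the constructed sample, the rule raises a high-severity alert for WS-0412 (Onehub ZIP followed two minutes later by an installer launched from the user's Downloads folder) and a low-severity alert for WS-0900 (download only), while the ScreenConnect client service running from Program Files on WS-0777 is left alone. In production the same two predicates would be fed from proxy or mail-gateway logs and endpoint process-creation telemetry, and an environment that legitimately uses ConnectWise Control would add an allow-list of its own relay hosts so that only unsanctioned installs are flagged.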