News Iranian hackers use ScreenConnect tool for cyber espionage Purposes


Gap

Advanced
Joined
14.09.20
Messages
137
Reaction score
1,266
Points
93
The attackers ' goal is to use the ScreenConnect software to connect to endpoints on client networks.

UAE government departments have been targeted in a new cyber-espionage campaign allegedly orchestrated by Iranian hackers.

According to security researchers from Anomali, the Static Kitten group (also known as MERCURY or MuddyWater) is behind the cybercrime operation. The goal of the criminals is to install a remote control tool called ScreenConnect (now called ConnectWise Control) with unique startup options. The malicious executable files and URLs used in this campaign are disguised as resources of the Ministry of Foreign Affairs of Kuwait and the National Council of the UAE.

Experts found two ZIP files posted on Onehub, allegedly containing a report on relations between Arab countries and Israel or a document concerning scholarships. The attack begins by sending phishing emails with fake documents that contain URLs for downloading ZIP files. The ZIP archives contain EXE files disguised as reports and documents, which start the ScreenConnect installation process at startup.

"URLs distributed through phishing emails redirect recipients to a file storage location on the legitimate Onehub service, which was previously used by Static Kitten for malicious purposes. Static Kitten continues to use Onehub to host a file containing ScreenConnect, " the researchers noted.

Presumably, the ultimate goal of attackers is to use software to connect to endpoints in client networks, allowing them to move further across the network and execute arbitrary commands in target environments, making it easier to steal data.

ConnectWise Control is a standalone remote desktop application with automatic access and meeting support with screen sharing features.
 
Top Bottom