While a state-sponsored hacking group, called Static Kitten (also known as Seedworm, MERCURY or MuddyWater) which is believed to be working at the behest of Iran's primary intelligence and military service, Islamic Republic Guard Corps, is behind attacks on UAE and Kuwait government agencies in a new cyberespionage campaign.
According to Anomali Threat Research, this cyberespionage campaign uses tactics, techniques, and procedures (TTPs) that has been consistent with Static Kitten activity, with ConnectWise Control parameters designed to target the Ministry of Foreign Affairs (MOFA) of Kuwait with mfa[.]gov as part of the custom field.
How the attacks on UAE and Kuwait Government Agencies were tied to Static Kitten?
In October 2020, Static Kitten reportedly conducted Operation Quicksand, which was targeted at prominent Israeli organizations, including the use of file-storage service OneHub. In the current campaign, Anomali discovered samples specifically masquerading as the UAE National Council and Kuwaiti government respectively, based on references in the malicious samples.
The lure ZIP files discovered as being used by Static Kitten was designed to trick users into downloading a report purportedly on relations between Arab countries and Israel, or scholarships. And the URLs distributed with these phishing emails direct recipients to the file storage location on Onehub, a service known to be previously used by Static Kitten.
Anomali Threat Research also identified that Static Kitten has continued to use OneHub to host files containing ScreenConnect.
The Rise of Utilizing legitimate software for malicious purposes
Static Kitten has been using features of ScreenConnect to steal sensitive information or download malware for cyberespionage operations. And the use of legitimate software for malicious purposes is on the rise, which can be an effective method for threat actors to obfuscate their operations.
In this latest campaign, Static Kitten is focused on cyberespionage, and very likely data-theft is the primary objective behind the propagating of ScreenConnect.
No comments