Hackers recently used corporate emails to transmit an MSP remote administration tool (RAT) in a phishing operation. A RAT is a piece of software that gives a person full control of a device from a remote location. According to experts, the infamous hacking outfit MuddyWater, a group connected with Iran's Ministry of Intelligence and Security (MOIS), used compromised enterprise email accounts to deliver these malicious phishing messages to its victims.
The threat group from Iran adopted this new tactic for a campaign that may have started as far back as September 2022. However, it was not detected in the wild until around October 2022, when the group combined it with the use of a legitimate remote administration tool.
Swapping up MSP tools
This is not the first time that the MuddyWater hacking gang has used a legitimate remote administration tool for malicious activities. Cybersecurity researchers and threat analysts discovered campaigns from the group back in 2020 and again in 2021 that depended on solutions like ScreenConnect and RemoteUtilities.
Another campaign that the gang undertook in July 2022 saw the hackers continue employing this tactic. But as underlined by security researcher Simon Kenin of Deep Instinct, they switched to using Atera instead.
Researchers at Deep Instinct discovered a new MuddyWater campaign in October 2022 that utilised Syncro, another remote administration tool that is expressly designed for use with managed service providers.
In a recent report issued by Kenin, the researcher notes that the campaign’s initial infection vector is via phishing messages sent from a genuine corporate email account that has been compromised by hackers.
The researcher added that although the official company signature was missing from the phishing messages, targets still trusted the email as it originated from an authentic address belonging to a known company.
Among those targeted in the campaign are two different hosting companies based in Egypt. One of the firms was breached to transmit phishing emails, while the other was the chosen recipient of the malicious phishing message.
Commenting on the approach, Kenin explained:
“This is a known technique to build trust. The receiving end knows the company who sent the mail. The attachment is not an archive or an executable which doesn’t raise the end-user suspicion because HTML is mostly overlooked in phishing awareness trainings and simulations.”
To lower any chance of being detected by security software solutions, the threat operator attaches an HTML file that contains the link to download a Syncro MSI installer.
The tool is hosted on Microsoft OneDrive file storage. An earlier message sent from the compromised account of the Egyptian hosting company stored the Syncro installer on the file-sharing service Dropbox instead.
However, the security researcher has commented that most Syncro installers employed by MuddyWater are hosted using OneHub’s cloud storage. This is a service that the threat operator has used many times in the past for its criminal campaigns.
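The attachment pattern described above, an HTML file whose only payload is a link to an installer on a file-sharing service, is something a mail gateway can flag before the user ever clicks. The following is an added detection example, not code from the report or from Deep Instinct; the watch-list of sharing hosts and the constructed sample attachment are assumptions for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

# Hypothetical watch-list built from the hosting services named in the report.
SHARING_HOSTS = ("onedrive.live.com", "1drv.ms", "dropbox.com", "onehub.com")
INSTALLER_EXTS = (".msi", ".exe")


class LinkExtractor(HTMLParser):
    """Collect link targets from <a href> and <meta http-equiv=refresh> tags."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "a" and a.get("href"):
            self.links.append(a["href"])
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            m = re.search(r"url\s*=\s*['\"]?([^'\"\s;]+)", a.get("content", ""), re.I)
            if m:
                self.links.append(m.group(1))


def installer_links(html):
    """Return (url, reasons) for links on a file-sharing host and/or naming an installer."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for url in parser.links:
        u = urlparse(url)
        host = (u.hostname or "").lower()
        reasons = []
        if any(host == h or host.endswith("." + h) for h in SHARING_HOSTS):
            reasons.append("file-sharing host: " + host)
        # Check the path and every query value, since OneDrive-style links carry the file name as a parameter.
        candidates = [u.path.lower()] + [v.lower() for vals in parse_qs(u.query).values() for v in vals]
        if any(c.endswith(INSTALLER_EXTS) for c in candidates):
            reasons.append("installer file name")
        if reasons:
            findings.append((url, reasons))
    return findings


# Constructed sample attachment: one benign link and one download link of the kind described.
SAMPLE_HTML = """<html><body>
<p>Please review the attached document.</p>
<a href="https://www.example.com/portal/login">Open portal</a>
<a href="https://onedrive.live.com/download?resid=ABC123&file=SyncroSetup.msi">Download document</a>
</body></html>"""

if __name__ == "__main__":
    for url, reasons in installer_links(SAMPLE_HTML):
        print(url, "->", "; ".join(reasons))
```

A single hit on either signal is worth a closer look; both together on a link inside a bare HTML attachment is the shape of the lure this campaign used.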
Syncro has also been used by many other threat actors, including LunaMoth and BatLoader. The tool is available as a 21-day trial version that ships with a complete web interface and gives full control of any computer on which the Syncro agent is installed.