MuddyWater is rampant: Legitimate RMM software in the service of Iranian hackers

Virtuoso disguise leaves companies no chance to detect attacks.

Security researchers from the 360 Advanced Threat Research Institute recently discovered that the Iranian hacker group MuddyWater is actively using legitimate remote monitoring and management (RMM) software in its attacks. The group has been active since 2017, mainly attacking organizations in the Middle East, as well as in Europe and North America. Its attacks focus on government agencies, the military, telecommunications companies and oil companies.

Experts have found that since 2020, MuddyWater has been using various RMM programs to penetrate target systems. These programs include Remote Utilities, ScreenConnect, SimpleHelp, Syncro, N-Able, and Atera Agent. The hackers use these programs to take full control of victims' computers: executing commands, uploading files and downloading files.

One key tactic is phishing, in which attackers send emails with attachments disguised as legitimate documents, often in Arabic. For example, they use password-protected RAR archives to distribute the Atera Agent program. Once the victim enters the password and runs the installer, Atera is persistently installed on the victim's system. The attackers thereby gain full control over the device while remaining undetected.

Another program MuddyWater commonly uses is ScreenConnect. The hackers disguise it as an archive containing an Arabic-language document; when the archive is opened, the program is launched and allows the attackers to remotely control the infected computer. A similar scenario applies to other programs, such as Remote Utilities and N-Able, where infection occurs through PDF documents and phishing links.

Specialists pay special attention to the use of the Syncro software. This program differs in that it can be distributed through HTML files, which antivirus software scrutinizes less closely. MuddyWater also uses legitimate file-hosting services such as Dropbox to bypass security systems and avoid detection.
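Because every tool named above (Atera Agent, ScreenConnect, Remote Utilities, SimpleHelp, Syncro, N-Able) is legitimate software, signature-based antivirus alone will not flag it; the defensive question is whether a given RMM agent is one the organization sanctioned and whether it was installed the way IT installs it. The script below is an added example, not code from the 360 report or from any of the vendors mentioned: it runs an allowlist check over an endpoint process inventory and flags RMM agents that are either unapproved or running from a user-writable location such as a WinRAR temporary extraction folder, which is where a phishing-delivered, password-protected archive would drop them. The substring patterns, the approved-product set and the inventory lines are all assumptions constructed for the example; a real deployment would take its inventory from EDR or osquery and its patterns from what is actually observed in its own environment.

```python
"""Flag RMM agents that are not sanctioned or that run from user-writable paths.

Added example (not from the 360 report). Product names are the ones the
article lists; the process/path patterns, the approved-product set and the
sample inventory below are assumptions constructed for illustration.
"""
import re
from dataclasses import dataclass

# Substring patterns per product. These are assumptions, not vendor-documented
# process names; tune them to the executables seen in your own estate.
RMM_PATTERNS = {
    "Atera Agent": r"atera",
    "ScreenConnect": r"screenconnect",
    "SimpleHelp": r"simplehelp",
    "Syncro": r"syncro",
    "N-Able": r"\bn-?able\b",
    "Remote Utilities": r"rutserv|remote utilities",
}

# The single RMM product this (hypothetical) organization has sanctioned.
APPROVED_RMM = {"ScreenConnect"}

# Heuristic: a managed install lives under Program Files; an agent running from
# a user profile or a temp folder is what a phishing-delivered archive produces.
USER_WRITABLE = re.compile(
    r"\\(users\\[^\\]+\\(appdata|downloads|desktop)|temp|tmp)\\", re.I
)

# Constructed sample inventory: host,process,image_path (not real telemetry).
SAMPLE_INVENTORY = r"""
# host,process,image_path
ws-ops-01,ScreenConnect.ClientService.exe,C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.ClientService.exe
ws-fin-07,AteraAgent.exe,C:\Users\amal\AppData\Local\Temp\Rar$EXa0.112\AteraAgent.exe
ws-hr-03,Syncro.Service.exe,C:\Users\nadia\Downloads\invoice\Syncro.Service.exe
ws-ops-02,ScreenConnect.ClientService.exe,C:\Users\omar\Desktop\document\ScreenConnect.ClientService.exe
ws-dev-04,chrome.exe,C:\Program Files\Google\Chrome\Application\chrome.exe
"""


@dataclass
class Finding:
    host: str
    product: str
    path: str
    reason: str


def classify(process_name: str, path: str):
    """Return the RMM product a process/path pair matches, or None."""
    for product, pattern in RMM_PATTERNS.items():
        if re.search(pattern, process_name, re.I) or re.search(pattern, path, re.I):
            return product
    return None


def find_rogue_rmm(inventory_lines):
    """Yield one Finding per (host, product, reason) that warrants a look."""
    findings = []
    for raw in inventory_lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        host, process, path = [field.strip() for field in line.split(",", 2)]
        product = classify(process, path)
        if product is None:
            continue  # not an RMM agent at all
        reasons = []
        if product not in APPROVED_RMM:
            reasons.append("unapproved RMM product")
        if USER_WRITABLE.search(path):
            reasons.append("agent running from user-writable path")
        findings.extend(Finding(host, product, path, r) for r in reasons)
    return findings


if __name__ == "__main__":
    for f in find_rogue_rmm(SAMPLE_INVENTORY.splitlines()):
        print(f"{f.host}: {f.product} -> {f.reason} ({f.path})")
```

Note that the sanctioned product is checked separately from the install location: on the sample data, ws-ops-02 runs the approved ScreenConnect client but from a user's Desktop, which is exactly the case where an attacker's copy of the same tool would otherwise blend in with IT's own.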

Studies show that the group's attacks continue into 2024. MuddyWater expands its capabilities by adding new tools, making it harder to detect and counter. Experts emphasize that this method of attack, which relies on legitimate software, poses a serious threat to organizations and users, especially where the phishing succeeds.

Experts from the 360 Advanced Threat Research Institute urge organizations to raise awareness of such threats and to refrain from opening unknown files and links in emails. It is also important to regularly update security systems and to train employees in the basics of cyber hygiene to avoid data breaches and other serious consequences.
