Where data is home

Muddywater’s Sneaky Tactics: Legitimate Tools Unleash Malware


The MuddyWater cyber espionage campaign has recently adopted novel strategies to deploy malware, employing legitimate remote administration tools instead of traditional spearphishing techniques. This campaign, previously reliant on spearphishing emails containing attachments and links hosted on ws[.]onehub[.]com, has now transitioned to Word documents that link to archives, and has incorporated the Atera Agent in place of ScreenConnect. Additionally, the campaign has introduced a new remote management tool called Syncro, which caters to Managed Service Providers (MSPs) and offers an agent for device management. Notably, the threat actors behind MuddyWater have set up additional hosts for the remote administration tool archives and have employed HTML attachments as lures, leveraging Dropbox as the hosting platform for the Syncro installation archive. By leveraging legitimate tools, MuddyWater’s operators are able to establish initial access and conduct reconnaissance on their targets. Consequently, monitoring remote desktop solutions and treating unfamiliar remote administration tools with caution is critically important.

Key Takeaways

  • MuddyWater campaign tactics include spearphishing emails with direct links and attachments, archives hosted on ws[.]onehub[.]com, and the use of the RemoteUtilities installer.
  • In 2021, MuddyWater switched to using Word documents with connections to archives and introduced the Atera Agent and Syncro remote management tool.
  • Syncro is a platform for Managed Service Providers (MSPs) that provides an agent for managing devices with Syncro installed.
  • MuddyWater’s strategy includes the installation of additional hosts for remote administration tool archives, the use of HTML attachments as enticements, and the hosting of Syncro installation archives on Dropbox and OneDrive.

MuddyWater Campaign Tactics

The MuddyWater campaign employs spearphishing techniques, sending spearphishing emails that contain direct links and attachments. These emails often lead to archives hosted at ws[.]onehub[.]com. The archives themselves contain the installer for RemoteUtilities, a remote administration tool. Additionally, the campaign has made use of Dropbox as a host for malware: emails sent from an Egyptian data hosting company contain a direct link to a Dropbox location, and that location hosts an archive containing the installation files for a remote management tool called Syncro. By utilizing these tactics, MuddyWater is able to deceive users into downloading and executing malicious files, allowing the attackers to gain initial access to their targets and conduct further reconnaissance. It is important for companies to be aware of these tactics and to monitor remote desktop solutions to prevent such attacks.
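The monitoring the paragraph calls for can start with the Windows Installer success events that every MSI-delivered agent leaves behind. As an added example (not from the page or from any vendor named on it), the following Python hunts those events for the remote administration products listed above that the organisation's IT team has not sanctioned; the log lines, hostnames, users, versions, manufacturer and the allowlist are all constructed for the example.

```python
import re
from collections import namedtuple

# RMM products the page reports MuddyWater delivering; matched case-insensitively on product name.
RMM_KEYWORDS = ("syncro", "atera", "remoteutilities", "screenconnect")
# Hypothetical allowlist: the RMM product this organisation's IT team actually deploys.
SANCTIONED_PRODUCTS = {"Atera Agent"}

# MsiInstaller Event ID 1033 ("Windows Installer installed the product ...") records the
# product name and an exit status; only status 0 means the agent really landed.
EVENT_1033 = re.compile(
    r"host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+source=MsiInstaller\s+EventID=1033\s+"
    r"Windows Installer installed the product\.\s*Product Name:\s*(?P<name>.+?)\.\s*"
    r"Product Version:.*?Installation success or error status:\s*(?P<status>\d+)"
)

Finding = namedtuple("Finding", "host user product")

def parse_install_event(line: str):
    """Fields of a 1033 event, or None for any other log line."""
    m = EVENT_1033.search(line)
    return m.groupdict() if m else None

def unsanctioned_rmm_installs(lines):
    """One Finding per successful install of an RMM product that is not on the allowlist."""
    findings = []
    for line in lines:
        ev = parse_install_event(line)
        if ev is None or ev["status"] != "0":
            continue  # not an MSI install event, or the install failed
        name = ev["name"].strip()
        if not any(k in name.lower() for k in RMM_KEYWORDS):
            continue  # ordinary software, not a remote administration agent
        if name in SANCTIONED_PRODUCTS:
            continue  # the RMM IT actually uses: expected, not a lead
        findings.append(Finding(ev["host"], ev["user"], name))
    return findings

# Constructed sample events; hosts, users, versions and the manufacturer are made up.
SAMPLE_LOG = [
    "2023-03-02T09:14:07 host=WS-017 user=asmith source=MsiInstaller EventID=1033 Windows Installer installed the product. Product Name: Syncro. Product Version: 1.0.3. Product Language: 1033. Manufacturer: ExampleVendor. Installation success or error status: 0.",
    "2023-03-02T09:20:41 host=WS-022 user=SYSTEM source=MsiInstaller EventID=1033 Windows Installer installed the product. Product Name: Atera Agent. Product Version: 1.8.2. Product Language: 1033. Manufacturer: ExampleVendor. Installation success or error status: 0.",
    "2023-03-02T10:02:13 host=WS-031 user=bjones source=MsiInstaller EventID=1033 Windows Installer installed the product. Product Name: RemoteUtilities Host. Product Version: 7.0. Product Language: 1033. Manufacturer: ExampleVendor. Installation success or error status: 1603.",
    "2023-03-02T10:05:55 host=WS-031 user=bjones source=MsiInstaller EventID=1033 Windows Installer installed the product. Product Name: 7-Zip 22.01 (x64). Product Version: 22.01. Product Language: 1033. Manufacturer: ExampleVendor. Installation success or error status: 0.",
    "2023-03-02T11:47:30 host=WS-044 user=cwu source=MsiInstaller EventID=1033 Windows Installer installed the product. Product Name: ScreenConnect Client (a1b2c3). Product Version: 22.9. Product Language: 1033. Manufacturer: ExampleVendor. Installation success or error status: 0.",
]

if __name__ == "__main__":
    for f in unsanctioned_rmm_installs(SAMPLE_LOG):
        print(f"{f.host}: {f.user} installed unsanctioned RMM agent '{f.product}'")
```

Against the sample log only the Syncro and ScreenConnect installs are reported: the Atera install is allowlisted, the RemoteUtilities attempt failed (status 1603), and 7-Zip is not an RMM product.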

Changes in the Campaign

During 2021, the MuddyWater campaign underwent changes in its tactics. These changes included the introduction of new enticements and an increased use of Word documents. Instead of using direct links and attachments in spearphishing emails, MuddyWater began using Word documents that were connected to archives. Additionally, the campaign started including the Atera Agent, a remote administration tool, instead of the previously used ScreenConnect. Another significant change was the introduction of Syncro, a new remote management tool designed for Managed Service Providers (MSPs). These changes in tactics show that MuddyWater is continuously evolving and adapting its methods to increase its effectiveness. The use of new enticements and the increased use of Word documents demonstrate the campaign’s efforts to bypass security measures and successfully deliver malware to its targets.

Syncro Remote Management Tool

The Syncro remote management tool is a platform designed for Managed Service Providers (MSPs) and offers an agent to efficiently manage devices with Syncro installed. It provides a custom-made MSI file for installation, allowing MSPs to easily deploy and manage devices remotely. Syncro offers various features and benefits for MSPs, including remote monitoring and management, ticketing system integration, asset tracking, patch management, and automation capabilities. Compared to other remote management tools, Syncro stands out with its user-friendly interface, robust functionality, and focus on the specific needs of MSPs. It provides a comprehensive solution for MSPs to efficiently handle device management, troubleshooting, and support tasks. By utilizing Syncro, MSPs can streamline their operations, improve efficiency, and enhance their service delivery to clients.

Frequently Asked Questions

How does the MuddyWater campaign deliver malware to its targets?

MuddyWater’s delivery methods involve spearphishing emails with direct links and attachments, using legitimate remote administration tools such as RemoteUtilities, Atera Agent, and Syncro. These techniques allow them to evade detection and gain initial access to their targets.

What are the changes in the MuddyWater campaign in 2021?

In 2021, the MuddyWater campaign made several changes. They started using Word documents with connections to archives and introduced the Atera Agent and Syncro remote management tool. These changes impacted targeted organizations by providing new avenues for malware deployment and reconnaissance.

What is the purpose of Syncro remote management tool?

The purpose of the Syncro remote management tool, used in the MuddyWater campaign, is to provide Managed Service Providers (MSPs) with an agent for managing devices. It allows for remote administration and the installation of custom-made MSI files.

How is the Syncro agent installed on devices?

The Syncro agent is installed on devices quietly through the custom-made MSI file the platform provides. This installation method evades device security measures, so the agent is deployed without detection or interference.

What are the additional hosts and enticements introduced in the MuddyWater campaign?

The new tactics in the MuddyWater campaign involve the introduction of additional hosts and enticements. These include hosting remote administration tool archives on Dropbox, and attaching HTML files to emails that direct users to OneDrive. These baiting techniques are aimed at luring victims into downloading and installing the malware.
