Unmasking MuddyWater's Multiple RMM Software Attacks
Essential information
- Published
- 24/09/2024 13:20
- Modified
- 24/09/2024 14:10
- Tags
- 2024-09-24 darkbeatc2 muddyc2go phonyc2 powermud
- Related entities
- 49 observables, 1 intrusion set (apt), 19 techniques (mitre), 4 malware, 5 others
Description
MuddyWater, a threat group active since 2017, has been using a range of legitimate Remote Monitoring and Management (RMM) software in its intrusions, particularly in the Middle East. The chain begins with spear-phishing emails carrying malicious attachments or links, typically hosted on file-sharing services, that lead the recipient to install an RMM agent such as Atera Agent, ScreenConnect, Remote Utilities, N-able, Syncro, or SimpleHelp. Because these are commercial, signed tools, they give the operators remote access and control over victim systems while blending in with ordinary administrative traffic. The campaigns are characterized by Arabic-language lures, reliance on file-sharing services for payload delivery, and a deployment process that is repeated with little variation across victims. MuddyWater primarily targets the government, military, and energy sectors, and its use of living-off-the-land RMM software alongside a large arsenal of other attack tools is part of its evasion strategy: the initial foothold looks like a routine software install rather than malware.
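The practical detection problem the description raises is that the agents involved are legitimate: a blocklist on its own will fire on every managed host. The following is an added example written for this page, not code from the report or from any of the vendors named in it. It scores process-creation events (Sysmon Event ID 1 style, reduced to host, user, image, and parent image) by delivery context: an RMM agent spawned by an Office application, browser, or archive tool is rated high because that is the phishing-attachment path described above; an agent that is not on the host's approved list is rated medium; and a host running more than one RMM product is flagged separately, since the report's point is that the group rotates across several. The executable-to-product mapping is an assumption drawn from the products' public installers (the page itself names only the products), the approved-host list is a placeholder for an organisation's own inventory, and the sample events are constructed, not captured from any intrusion.

```python
"""Score RMM agent process-creation events by delivery context.

Added example for this page. The RMM_IMAGES mapping is an assumption
(product executable names are not given in the report), APPROVED is a
placeholder inventory, and SAMPLE_EVENTS are constructed records.
"""
from pathlib import PureWindowsPath

# Assumed executable names for RMM products named in the report.
# N-able and SimpleHelp are omitted because their agent names vary by edition.
RMM_IMAGES = {
    "ateraagent.exe": "Atera Agent",
    "screenconnect.clientservice.exe": "ScreenConnect",
    "screenconnect.windowsclient.exe": "ScreenConnect",
    "rutserv.exe": "Remote Utilities",
    "syncro.service.exe": "Syncro",
}

# Parents that indicate a user opened a lure: Office, mail, browser, archiver.
LURE_PARENTS = {
    "winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
    "chrome.exe", "msedge.exe", "firefox.exe", "7zfm.exe", "winrar.exe",
}


def _basename(path: str) -> str:
    """Return the lower-cased file name of a Windows path."""
    return PureWindowsPath(path).name.lower()


def flag_rmm_events(events, approved):
    """Return findings for RMM agent executions.

    events:   iterable of dicts with keys host, user, image, parent_image.
    approved: {host: set(product names)} that are sanctioned on that host.
    """
    findings = []
    seen = {}  # host -> set of RMM products observed running there

    for ev in events:
        product = RMM_IMAGES.get(_basename(ev["image"]))
        if product is None:
            continue  # not an RMM agent we track
        seen.setdefault(ev["host"], set()).add(product)

        parent = _basename(ev["parent_image"])
        sanctioned = product in approved.get(ev["host"], set())

        if parent in LURE_PARENTS:
            # Even an approved agent should not be started by a document or browser.
            severity, reason = "high", f"{product} spawned by {parent} (lure parent)"
        elif not sanctioned:
            severity, reason = "medium", f"{product} not approved on this host"
        else:
            continue  # approved agent, launched by the service control manager

        findings.append({
            "host": ev["host"], "user": ev["user"], "product": product,
            "severity": severity, "reason": reason,
        })

    # Several distinct RMM products on one host is itself unusual for a managed fleet.
    for host, products in seen.items():
        if len(products) > 1:
            findings.append({
                "host": host, "user": None, "product": ", ".join(sorted(products)),
                "severity": "high", "reason": "multiple RMM products on one host",
            })
    return findings


# Constructed sample data (not captured telemetry).
APPROVED = {"WS02": {"Syncro"}}
SAMPLE_EVENTS = [
    {"host": "WS01", "user": "CORP\\alice",
     "image": r"C:\Users\alice\AppData\Local\Temp\AteraAgent.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"host": "WS01", "user": "NT AUTHORITY\\SYSTEM",
     "image": r"C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.ClientService.exe",
     "parent_image": r"C:\Windows\System32\services.exe"},
    {"host": "WS02", "user": "NT AUTHORITY\\SYSTEM",
     "image": r"C:\Program Files\Syncro\Syncro.Service.exe",
     "parent_image": r"C:\Windows\System32\services.exe"},
    {"host": "WS02", "user": "CORP\\bob",
     "image": r"C:\Windows\System32\notepad.exe",
     "parent_image": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for f in flag_rmm_events(SAMPLE_EVENTS, APPROVED):
        print(f"[{f['severity']:6}] {f['host']}: {f['reason']}")
```

On the sample data this reports the Atera agent launched from WINWORD.EXE on WS01 as high, the unapproved ScreenConnect service on WS01 as medium, and WS01 again for hosting two RMM products, while the sanctioned Syncro service on WS02 is silent. The one-hop parent check is deliberately simple: in real telemetry the agent service is usually started by services.exe after an MSI install, so the lure relationship shows up on the msiexec.exe or setup executable rather than on the agent itself, and a production rule should walk the parent chain or correlate the installer event within a short window.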