Researchers at cybersecurity firm Anomali uncovered a new cyber-espionage campaign that utilizes the ScreenConnect remote management tool to spy on government agencies in the United Arab Emirates (UAE).
The threat actor behind these attacks appears to be the Iran-linked hacker group tracked by security researchers as Static Kitten (Seedworm, MERCURY, Temp.Zagros, POWERSTATS, NTSTATS, and MuddyWater). This group has been active since at least 2017 and is known for its past attacks against Middle Eastern nations.
“The objective of this activity is to install a remote management tool called ScreenConnect (acquired by ConnectWise 2015) with unique launch parameters that have custom properties,” Anomali researchers wrote. “Malicious executables and URLs used in this campaign are masquerading as the Ministry of Foreign Affairs (MOFA) of Kuwait (mofa.gov[.]kw).”
The malware samples observed in this campaign were delivered via phishing emails containing ZIP files designed to trick users into downloading a purported report on relations between Arab countries and Israel, or a file relating to scholarships. The downloader URLs provided in the decoy documents embedded in the emails directed users to the intended file storage location on Onehub, a legitimate service known to be used by Static Kitten for malicious purposes. A file containing ScreenConnect was also hosted on Onehub, the researchers said.
The ZIP files contained an EXE file that, when executed, started the installation process for ScreenConnect (ConnectWise Control), a self-hosted remote desktop application that allows users to perform remote support, gain remote access and run remote meetings.
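As an added illustration that is not part of the original article or of Anomali's research, the following Python triage routine looks for the delivery chain described above in constructed proxy and process-creation records: a ZIP archive fetched from Onehub, a lure host imitating mofa.gov.kw, and a ScreenConnect client installer started from a temp or archive-extraction directory with URL-style launch parameters. The log field names, the Onehub download domain, the ScreenConnect installer file name (`ScreenConnect.ClientSetup.exe`) and the `?key=value` parameter convention are assumptions, and every sample record below is constructed.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Indicators taken from the article: the ministry domain the lures imitate
# and the file-hosting service used to stage the archives.
IMPERSONATED_DOMAIN = "mofa.gov.kw"
HOSTING_DOMAIN = "onehub.com"  # assumption: Onehub's download domain

# Assumptions about the installer: file name and URL-style launch parameters.
SC_SETUP_RE = re.compile(r"ScreenConnect\.ClientSetup", re.IGNORECASE)
TEMP_PATH_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)

# Constructed sample records (not from the article); field names are assumed.
WEB_EVENTS = [
    {"user": "alice",
     "url": "https://ws.onehub.com/files/abc123/arab-israel-relations.zip",
     "referrer": "http://mofa-gov-kw.example/report"},
    {"user": "bob", "url": "https://www.mofa.gov.kw/en/news", "referrer": ""},
    {"user": "carol", "url": "https://intranet.example/policy.pdf", "referrer": ""},
]
PROCESS_EVENTS = [
    {"user": "alice", "parent": "explorer.exe",
     "image": r"C:\Users\alice\AppData\Local\Temp\Temp1_arab-israel-relations.zip\report.exe"},
    {"user": "alice", "parent": "report.exe",
     "image": r"C:\Users\alice\AppData\Local\Temp\ScreenConnect.ClientSetup.exe",
     "cmdline": "ScreenConnect.ClientSetup.exe?e=Access&y=Guest&h=203.0.113.10&p=8041"},
    # A managed install running as a service: should not be flagged.
    {"user": "dave", "parent": "services.exe",
     "image": r"C:\Program Files (x86)\ScreenConnect Client (placeholderid)\ScreenConnect.ClientService.exe"},
]


def _host(url):
    """Lower-cased hostname of a URL, or '' when there is none."""
    return (urlparse(url).hostname or "").lower()


def is_lookalike(host, target=IMPERSONATED_DOMAIN):
    """True for hosts that imitate `target` but are neither it nor one of its subdomains."""
    host = host.lower()
    if host == target or host.endswith("." + target):
        return False
    squash = lambda s: re.sub(r"[^a-z0-9]", "", s)
    # 'mofa-gov-kw.example' squashes to 'mofagovkwexample', which contains 'mofagovkw'.
    return squash(target) in squash(host)


def is_zip_from_hosting(url):
    """ZIP archive downloaded from the file-hosting service used in the campaign."""
    h = _host(url)
    path = urlparse(url).path.lower()
    on_hosting = h == HOSTING_DOMAIN or h.endswith("." + HOSTING_DOMAIN)
    return on_hosting and path.endswith(".zip")


def is_suspicious_screenconnect_launch(ev):
    """Installer started from a temp/extraction path or carrying URL-style launch parameters."""
    image = ev.get("image", "")
    cmdline = ev.get("cmdline", "")
    if not (SC_SETUP_RE.search(image) or SC_SETUP_RE.search(cmdline)):
        return False
    return bool(TEMP_PATH_RE.search(image)) or "?" in cmdline


def triage(web_events, process_events):
    """Collect per-user findings for the three stages of the described chain."""
    findings = defaultdict(list)
    for ev in web_events:
        if is_zip_from_hosting(ev["url"]):
            findings[ev["user"]].append(f"zip download from hosting service: {ev['url']}")
        ref_host = _host(ev.get("referrer", ""))
        if ref_host and is_lookalike(ref_host):
            findings[ev["user"]].append(f"lookalike referrer host: {ref_host}")
    for ev in process_events:
        if is_suspicious_screenconnect_launch(ev):
            findings[ev["user"]].append(f"ScreenConnect installer launched from {ev['image']}")
    return dict(findings)


if __name__ == "__main__":
    for user, reasons in triage(WEB_EVENTS, PROCESS_EVENTS).items():
        print(user)
        for r in reasons:
            print("  -", r)
```

Only the user whose records show all three stages is reported; the legitimate visit to www.mofa.gov.kw and the service-managed ScreenConnect client are deliberately left alone, which is the distinction a defender needs when the tool itself is legitimate software.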
“Utilizing legitimate software for malicious purposes can be an effective way for threat actors to obfuscate their operations. In this latest example, Static Kitten is very likely using features of ScreenConnect to steal sensitive information or download malware for additional cyber operations. As Static Kitten is assessed to be primarily focused on cyberespionage, it is very likely that data-theft is the primary objective behind propagating ScreenConnect to government agency employees,” the researchers said.