12 February 2021

Iran-linked hackers target UAE government agencies using ScreenConnect


Researchers at cybersecurity firm Anomali uncovered a new cyber-espionage campaign that uses the ScreenConnect remote management tool to spy on government agencies in the United Arab Emirates (UAE).

The threat actor behind these attacks appears to be the Iran-linked hacker group tracked by security researchers as Static Kitten (also known as Seedworm, MERCURY, Temp.Zagros, POWERSTATS, NTSTATS, and MuddyWater). This group has been active since at least 2017 and is known for its past attacks against Middle Eastern nations.

“The objective of this activity is to install a remote management tool called ScreenConnect (acquired by ConnectWise in 2015) with unique launch parameters that have custom properties,” Anomali researchers wrote. “Malicious executables and URLs used in this campaign are masquerading as the Ministry of Foreign Affairs (MOFA) of Kuwait (mofa.gov[.]kw).”

The malware samples observed in this campaign were delivered via phishing emails containing ZIP files designed to trick users into downloading a purported report on relations between Arab countries and Israel, or a file relating to scholarships. The downloader URLs provided in the decoy documents embedded in the emails directed users to the intended file storage location on Onehub, a legitimate service known to be used by Static Kitten for malicious purposes. A file containing ScreenConnect was also hosted on Onehub, the researchers said.

The ZIP files contained an EXE file that, when executed, started the installation process for ScreenConnect (ConnectWise Control), a self-hosted remote desktop application that lets users perform remote support, gain remote access and run remote meetings.
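As an added example (not from the article or the Anomali report), the following Python screens inbound mail artefacts for the two traits of the delivery chain described above: a ZIP attachment whose contents are directly executable or carry a decoy "document" name, and a download URL whose host borrows the MOFA label without being mofa.gov.kw or one of its subdomains. The archive, file names and URLs are constructed for the example; the defanged `[.]` notation is normalised so indicators copied from reports can be fed in directly.

```python
import io
import re
import zipfile
from urllib.parse import urlparse

# Extensions Windows will run directly from an extracted archive.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".msi", ".bat", ".cmd", ".js", ".vbs", ".hta"}

# "report.pdf.exe"-style names: a document extension followed by a second extension.
DOUBLE_EXTENSION = re.compile(r"\.(pdf|docx?|xlsx?|pptx?|txt|rtf)\.[a-z0-9]{2,4}$", re.IGNORECASE)


def build_sample_zip() -> bytes:
    """Constructed sample archive (not a real campaign artefact): a decoy-named EXE plus a text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        # Minimal fake PE header so the content check below has something to see.
        zf.writestr("Arab_Israel_Relations_Report.pdf.exe", b"MZ\x90\x00" + b"\x00" * 60)
        zf.writestr("notes.txt", b"please open the attached report")
    return buf.getvalue()


def suspicious_members(zip_bytes: bytes) -> list:
    """Return (member name, reason) pairs for archive entries that should block delivery."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename.rsplit("/", 1)[-1]
            lower = name.lower()
            ext = "." + lower.rsplit(".", 1)[-1] if "." in lower else ""
            reason = None
            if ext in EXECUTABLE_EXTENSIONS:
                reason = "executable"
            elif DOUBLE_EXTENSION.search(lower):
                reason = "double extension"
            else:
                # Name looks harmless: check the first two bytes for a PE "MZ" header anyway.
                with zf.open(info) as fh:
                    if fh.read(2) == b"MZ":
                        reason = "PE header under non-executable name"
            if reason:
                findings.append((name, reason))
    return findings


def is_lookalike_host(url: str, legitimate: str = "mofa.gov.kw") -> bool:
    """True when the URL's host imitates `legitimate` without being it or a subdomain of it."""
    host = (urlparse(url.replace("[.]", ".")).hostname or "").lower().rstrip(".")
    if not host:
        return False
    if host == legitimate or host.endswith("." + legitimate):
        return False
    # The tell is the ministry's label reused inside some other domain, hyphens/underscores removed.
    brand = legitimate.split(".")[0]
    squashed = host.replace("-", "").replace("_", "")
    return brand in squashed


if __name__ == "__main__":
    for member, why in suspicious_members(build_sample_zip()):
        print(f"block attachment: {member} ({why})")
    # Constructed URLs, not indicators from the report.
    for link in ("https://mofa-gov-kw.example/report.zip", "https://www.mofa.gov.kw/", "https://example.org/"):
        print(f"{link}: {'lookalike' if is_lookalike_host(link) else 'ok'}")
```

Both checks are deliberately cheap so they can sit in a mail gateway or a SOAR enrichment step; the content check catches the case where an attacker renames the executable to something outside the extension list, and the host check keys on the registrable label rather than on an exact string so new lookalike registrations are caught without a rule change.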

“Utilizing legitimate software for malicious purposes can be an effective way for threat actors to obfuscate their operations. In this latest example, Static Kitten is very likely using features of ScreenConnect to steal sensitive information or download malware for additional cyber operations. As Static Kitten is assessed to be primarily focused on cyberespionage, it is very likely that data-theft is the primary objective behind propagating ScreenConnect to government agency employees,” the researchers said.
