In cybersecurity, threat actors always find new ways to infiltrate targeted systems. One such actor, MuddyWater, has been active since 2017 and is believed to be linked to Iran’s Ministry of Intelligence and Security (MOIS). Recently, Group-IB discovered that MuddyWater has been using SimpleHelp remote support software to take control of victim devices.
This discovery is particularly concerning because SimpleHelp is a legitimate remote device control and management tool. MuddyWater could download the tool from the official website and use it for criminal activities without needing to compromise or modify it.
MuddyWater has a history of targeting countries such as Turkey, Pakistan, the U.A.E., Iraq, Israel, Saudi Arabia, Jordan, the U.S., Azerbaijan, and Afghanistan. This threat actor is persistent and constantly adapts its tactics.
According to Senior Threat Analyst Nikita Rostovtsev at Group-IB, this recent discovery reinforces the importance of organizations being vigilant and taking proactive steps to secure their systems against evolving cyber threats. It’s critical to stay informed about the latest tactics being utilized by threat actors like MuddyWater.
MuddyWater, a threat actor believed to be linked to Iran’s Ministry of Intelligence and Security, has been using SimpleHelp as a legitimate remote device control and management tool to establish persistence on victim devices. While the exact distribution method of SimpleHelp samples is unclear, MuddyWater is known for employing spear-phishing techniques by sending malicious links from compromised corporate mailboxes. Organizations must proactively protect their systems against these increasingly sophisticated tactics by staying informed and implementing robust security measures.
Group-IB’s findings were corroborated by Slovak cybersecurity firm ESET in January, which detailed MuddyWater’s attacks in Egypt and Saudi Arabia. In those attacks the group used SimpleHelp to deploy its Ligolo reverse tunnelling tool and a credential harvester called MKL64. ESET also identified previously unknown infrastructure operated by the group, including a PowerShell script capable of receiving commands from a remote server.
Recently, Microsoft revealed how MuddyWater has been conducting destructive attacks on hybrid environments disguised as ransomware operations. This disclosure sheds light on the group’s continued use of legitimate remote administration tools and underscores the importance of increased awareness and proactive measures to counter such threats effectively.
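One defensive control that follows from this pattern of abuse, shown here as an added example that is not from the article, Group-IB or ESET: allowlisting remote-support software against a host software inventory, so that a SimpleHelp agent appearing on a machine where it was never approved raises a finding. The inventory entries are constructed, and the hostnames, publisher names and approved-tool list are assumptions.

```python
"""Flag remote-support tools in a software inventory that are not on an allowlist."""
from dataclasses import dataclass

# Remote-access products the organization has formally approved (assumed placeholder).
APPROVED_REMOTE_TOOLS = {"corp-rmm"}

# Substrings that typically identify remote-support / RMM products in an
# inventory of installed software (constructed list, not exhaustive).
REMOTE_SUPPORT_KEYWORDS = ("simplehelp", "remote support", "remote access", "rmm")


@dataclass(frozen=True)
class Finding:
    host: str
    product: str
    publisher: str
    reason: str


def is_remote_support_tool(product: str) -> bool:
    """True if the product name looks like a remote-support / RMM agent."""
    name = product.lower()
    return any(keyword in name for keyword in REMOTE_SUPPORT_KEYWORDS)


def find_unapproved_remote_tools(inventory: list) -> list:
    """Return a Finding for every remote-support product not on the allowlist.

    inventory: list of dicts with 'host', 'product' and 'publisher' keys,
    as exported from an endpoint or asset-management system.
    """
    findings = []
    for entry in inventory:
        product = entry["product"]
        if not is_remote_support_tool(product):
            continue  # ordinary software, not in scope
        if product.lower() in APPROVED_REMOTE_TOOLS:
            continue  # sanctioned tool, nothing to report
        findings.append(Finding(entry["host"], product, entry["publisher"],
                                "remote-support tool not on allowlist"))
    return findings


# Constructed sample inventory: one approved RMM, one unexpected SimpleHelp
# install, one unrelated application and one other unapproved remote tool.
SAMPLE_INVENTORY = [
    {"host": "ws-01", "product": "Corp-RMM", "publisher": "Corp IT"},
    {"host": "ws-02", "product": "SimpleHelp Remote Access", "publisher": "SimpleHelp Ltd"},
    {"host": "ws-02", "product": "Mozilla Firefox", "publisher": "Mozilla"},
    {"host": "srv-03", "product": "Acme Remote Support Agent", "publisher": "Acme"},
]

if __name__ == "__main__":
    for finding in find_unapproved_remote_tools(SAMPLE_INVENTORY):
        print(f"{finding.host}: {finding.product} ({finding.publisher}) - {finding.reason}")
```

The same check applied to service-creation or process-start telemetry catches an agent that is launched without ever being registered as installed software.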