Iranian Hackers Uses ScreenConnect Remote Access Tool to Target Government Agencies

Recently, the Anomali Threat Research team has detected a campaign that has been targeting only government offices located in the United Arab Emirates (UAE).

According to the report, UAE and Kuwait government companies are being targeted by the new threat actors of cyberespionage campaign that is likely taken out by Iranian threat actors.

After investigating the whole campaign the analyst of Anomali asserted that the main motive of this campaign is to install a remote management tool that is named as ScreenConnect.

This management tool has very unique launch parameters that have “custom sections,” along with malware samples and URLs masquerading as the Ministry of Foreign Affairs (MOFA) of Kuwait and the UAE National Council.

File names and delivery URLs found in this campaign

The delivery URLs that have been found in this campaign are mentioned below:-

  • ws.onehub[.]com/files/7w1372el
  • ws.onehub[.]com/files/94otjyvd

Here are the file names that have been found in this campaign:-

  • Review and study of the normalization of similarities between the Arab countries and Israel httpsmod.gov.kw.zip
  • Review and study of the normalization of relations among the Arab countries and Israel httpsmod.gov.kw.exe
  • Scholarships.zip
  • Scholarships.exe
  • Project.docx

ScreenConnect and OneHub Context

According to the report, from 2016 to 2020, it has been seen that ScreenConnect and Onehub were used in malicious cyber action by several, unassociated threat actors.

The analyst illustrated that from 2016 to 2019 there were some unknown threat actors, that have targeted IT outsourcing firms, which include negotiating US-based Cognizant and India-based Wipro.

However, all these attacks have used ScreenConnect to connect to endpoints on customer networks, and these endpoints enable the threat actors to conduct further lateral movements and automatic actions on objectives.

First and Second Executable

In the first executable, whenever the user adjudicates to double click the executable httpsmod.gov.kw.exe that is the ScreenConnect payload, it drops the Microsoft installer file. 

This payload starts the installation process of the client onto victim machines. Whereas the threat actors endeavored to make the installation look legitimate, a closer examination of the client launch parameters exhibits the potential for broader MOFA targeting.

The second Executable has The ScreenConnect parameters that help the threat actors to make the payload look legitimate and reasonable to perform all its operation. 

However, all the URLs that were disseminated through these phishing emails right from the recipients to the dedicated file storage location on Onehub. There is a legitimate service known to be practiced by Static Kitten for nefarious purposes. 

But, the main goal of the attackers, is that it resembles the use of the software to connect to endpoints on client networks, and it directly allows them to conduct all the lateral movements and execute arbitrary commands in the target environment.

IOCs

Docx
31a35e3b87a7f81449d6f3e195dc0660b5dae4ac5b7cd9a65a449526e8fb7535

EXE
3e4e179a7a6718eedf36608bd7130b62a5a464ac301a211c3c8e37c7e4b0b32b
5bfb635c43eb73f25f4e75961a715b96fa764bbe096086fc1e037a7869c7878b

IP
149.202.216.53

URL
https://ws.onehub.com/files/94otjyvd
https://ws.onehub.com/files/7w1372el
instance-sy9at2-relay.screenconnect.com
instance-uwct38-relay.screenconnect.com

ZIP
b2f429efdb1801892ec8a2bcdd00a44d6ee31df04721482a1927fc6df554cdcf
77505dcec5d67cc0f6eb841f50da7e7c41a69419d50dc6ce17fffc48387452e1

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity, and hacking news updates.

Leave a Reply