Iranian Hackers Uses ScreenConnect Remote Access Tool to Target Government Agencies

Recently, the Anomali Threat Research team has detected a campaign that has been targeting only government offices located in the United Arab Emirates (UAE).

According to the report, UAE and Kuwait government companies are being targeted by the new threat actors of cyberespionage campaign that is likely taken out by Iranian threat actors.

After investigating the whole campaign the analyst of Anomali asserted that the main motive of this campaign is to install a remote management tool that is named as ScreenConnect.

This management tool has very unique launch parameters that have “custom sections,” along with malware samples and URLs masquerading as the Ministry of Foreign Affairs (MOFA) of Kuwait and the UAE National Council.


File names and delivery URLs found in this campaign

The delivery URLs that have been found in this campaign are mentioned below:-

  • ws.onehub[.]com/files/7w1372el
  • ws.onehub[.]com/files/94otjyvd

Here are the file names that have been found in this campaign:-

  • Review and study of the normalization of similarities between the Arab countries and Israel
  • Review and study of the normalization of relations among the Arab countries and Israel
  • Scholarships.exe
  • Project.docx

ScreenConnect and OneHub Context

According to the report, from 2016 to 2020, it has been seen that ScreenConnect and Onehub were used in malicious cyber action by several, unassociated threat actors.

The analyst illustrated that from 2016 to 2019 there were some unknown threat actors, that have targeted IT outsourcing firms, which include negotiating US-based Cognizant and India-based Wipro.

However, all these attacks have used ScreenConnect to connect to endpoints on customer networks, and these endpoints enable the threat actors to conduct further lateral movements and automatic actions on objectives.

First and Second Executable

In the first executable, whenever the user adjudicates to double click the executable that is the ScreenConnect payload, it drops the Microsoft installer file. 

This payload starts the installation process of the client onto victim machines. Whereas the threat actors endeavored to make the installation look legitimate, a closer examination of the client launch parameters exhibits the potential for broader MOFA targeting.

The second Executable has The ScreenConnect parameters that help the threat actors to make the payload look legitimate and reasonable to perform all its operation. 

However, all the URLs that were disseminated through these phishing emails right from the recipients to the dedicated file storage location on Onehub. There is a legitimate service known to be practiced by Static Kitten for nefarious purposes. 

But, the main goal of the attackers, is that it resembles the use of the software to connect to endpoints on client networks, and it directly allows them to conduct all the lateral movements and execute arbitrary commands in the target environment.







You can follow us on LinkedinTwitterFacebook for daily Cybersecurity, and hacking news updates.

BALAJI is a Former Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.


Please enter your comment!
Please enter your name here