Friday, December 1, 2023

Iranian Hackers Use ScreenConnect Remote Access Tool to Target Government Agencies

Recently, the Anomali Threat Research team has detected a campaign that has been targeting only government offices located in the United Arab Emirates (UAE).

According to the report, UAE and Kuwait government agencies are being targeted by a new cyberespionage campaign that is likely carried out by Iranian threat actors.

After investigating the whole campaign, the Anomali analysts concluded that its main goal is to install a remote management tool named ScreenConnect.

The tool was deployed with unusual launch parameters containing “custom sections,” alongside malware samples and URLs masquerading as the Ministry of Foreign Affairs (MOFA) of Kuwait and the UAE National Council.

File names and delivery URLs found in this campaign

The delivery URLs that have been found in this campaign are listed below:

  • ws.onehub[.]com/files/7w1372el
  • ws.onehub[.]com/files/94otjyvd

Here are the file names that have been found in this campaign:

  • Review and study of the normalization of similarities between the Arab countries and Israel
  • Review and study of the normalization of relations among the Arab countries and Israel
  • Scholarships.exe
  • Project.docx
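The indicators above are published defanged, so a defender has to refang them before matching. The following script is an added example, not code from the article or from Anomali: it refangs the two delivery URLs, scans constructed proxy log lines for them (exact path match at high confidence, any other OneHub file link at medium confidence, since attackers rotate upload paths) and checks a list of observed file names against the names reported in the campaign. The sample log lines and file list are constructed for the example and are not from the report.

```python
import re
from dataclasses import dataclass

# Indicators exactly as published in the report (defanged).
DELIVERY_URLS = [
    "ws.onehub[.]com/files/7w1372el",
    "ws.onehub[.]com/files/94otjyvd",
]
FILE_NAMES = [
    "Review and study of the normalization of similarities between the Arab countries and Israel",
    "Review and study of the normalization of relations among the Arab countries and Israel",
    "Scholarships.exe",
    "Project.docx",
]

# Any OneHub file link: weaker signal than an exact path, but worth a look.
HOST_RE = re.compile(r"\bws\.onehub\.com/files/[A-Za-z0-9]+")


def refang(ioc: str) -> str:
    """Turn a defanged indicator back into a string that matches real traffic."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


@dataclass
class Hit:
    line_no: int
    confidence: str   # "high": exact delivery URL, "medium": same file-sharing host
    indicator: str
    line: str


def scan_proxy_log(lines, urls=DELIVERY_URLS):
    """Return one Hit per log line that references a known or suspicious URL."""
    exact = [refang(u) for u in urls]
    hits = []
    for n, raw in enumerate(lines, 1):
        line = raw.strip()
        matched = [u for u in exact if u in line]
        if matched:
            hits.append(Hit(n, "high", matched[0], line))
            continue
        m = HOST_RE.search(line)
        if m:
            hits.append(Hit(n, "medium", m.group(0), line))
    return hits


def scan_file_names(names, known=FILE_NAMES):
    """Case-insensitive match of observed file names against the reported names."""
    known_lower = {k.lower() for k in known}
    return [n for n in names if n.strip().lower() in known_lower]


# Constructed sample data (not from the report): proxy log lines and file names.
SAMPLE_LOG = [
    "2023-11-28T09:14:02Z 10.0.4.21 GET https://ws.onehub.com/files/7w1372el 200",
    "2023-11-28T09:14:05Z 10.0.4.21 GET https://www.example.org/index.html 200",
    "2023-11-28T10:02:17Z 10.0.4.35 GET https://ws.onehub.com/files/zzzzzzzz 200",
]
SAMPLE_FILES = ["Scholarships.exe", "quarterly_report.xlsx", "project.docx"]

if __name__ == "__main__":
    for h in scan_proxy_log(SAMPLE_LOG):
        print(f"[{h.confidence}] line {h.line_no}: {h.indicator}")
    print("matching file names:", scan_file_names(SAMPLE_FILES))
```

The medium-confidence host match is deliberately broad: OneHub is a legitimate service, so treat those hits as leads to triage rather than alerts on their own.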

ScreenConnect and OneHub Context

According to the report, between 2016 and 2020 ScreenConnect and OneHub were used in malicious cyber activity by several unrelated threat actors.

The analysts noted that from 2016 to 2019 unknown threat actors targeted IT outsourcing firms, including the compromise of US-based Cognizant and India-based Wipro.

In those attacks, ScreenConnect was used to connect to endpoints on customer networks, and those endpoints allowed the threat actors to conduct further lateral movement and actions on objectives.

First and Second Executable

The first executable, once the user double-clicks it, drops a Microsoft Installer (MSI) file that carries the ScreenConnect payload.

This payload starts the installation of the ScreenConnect client on the victim machine. While the threat actors tried to make the installation look legitimate, a closer examination of the client launch parameters shows the potential for broader MOFA targeting.

The second executable carries the ScreenConnect parameters that help the threat actors make the payload look legitimate while it performs its operations.

All the URLs disseminated through these phishing emails direct recipients to a dedicated file storage location on OneHub, a legitimate service known to be used by Static Kitten for malicious purposes.

The attackers' main goal mirrors the earlier use of the software: connecting to endpoints on client networks, which directly allows them to conduct lateral movement and execute arbitrary commands in the target environment.
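The execution chain described above (a user-launched executable dropping an MSI that installs the ScreenConnect client) leaves a recognisable trace in process-creation telemetry. The script below is an added example, not code from the article or from Anomali: it walks a list of constructed process-creation events and flags `msiexec.exe` launches whose parent executable sits in a user-writable path, whose MSI package sits in a user-writable path, or whose command line references ScreenConnect, requiring at least two of those signals before reporting. The event records, file paths and MSI name are constructed for the example; the `ProcessEvent` fields are assumptions standing in for whatever your EDR or Sysmon pipeline provides.

```python
from dataclasses import dataclass

# Path fragments that an ordinary user can write to (assumption: Windows hosts).
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\downloads\\", "\\appdata\\")


@dataclass
class ProcessEvent:
    """Minimal process-creation record (hypothetical schema, not a vendor's)."""
    pid: int
    ppid: int
    image: str      # full path of the new process image
    cmdline: str    # its command line


def in_user_writable(path: str) -> bool:
    return any(fragment in path.lower() for fragment in USER_WRITABLE)


def find_suspicious_installs(events):
    """Return (parent_image, msiexec_cmdline, reasons) for each suspicious MSI install."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        if not e.image.lower().endswith("msiexec.exe"):
            continue
        parent = by_pid.get(e.ppid)
        if parent is None:
            continue   # no parent in the window; cannot judge the chain
        cmd = e.cmdline.lower()
        reasons = []
        if in_user_writable(parent.image):
            reasons.append("parent executable in user-writable path")
        if ".msi" in cmd and in_user_writable(cmd):
            reasons.append("MSI package in user-writable path")
        if "screenconnect" in cmd:
            reasons.append("command line references ScreenConnect")
        # One signal alone is common on healthy hosts; two or more is worth triage.
        if len(reasons) >= 2:
            findings.append((parent.image, e.cmdline, reasons))
    return findings


# Constructed sample events (not from the report): a lure executable that drops
# and installs an MSI from the user's temp directory, plus a benign system install.
SAMPLE_EVENTS = [
    ProcessEvent(4100, 3200, r"C:\Users\victim\Downloads\Scholarships.exe",
                 r'"C:\Users\victim\Downloads\Scholarships.exe"'),
    ProcessEvent(4112, 4100, r"C:\Windows\System32\msiexec.exe",
                 r'msiexec.exe /i "C:\Users\victim\AppData\Local\Temp\ScreenConnect.Client.msi" /quiet'),
    ProcessEvent(5000, 600, r"C:\Windows\System32\services.exe", "services.exe"),
    ProcessEvent(5010, 5000, r"C:\Windows\System32\msiexec.exe",
                 r'msiexec.exe /i "C:\ProgramData\Pkg\update.msi" /qn'),
]

if __name__ == "__main__":
    for parent, cmd, reasons in find_suspicious_installs(SAMPLE_EVENTS):
        print(f"suspicious MSI install from {parent}\n  {cmd}\n  reasons: {', '.join(reasons)}")
```

The two-signal threshold is a tuning choice: MSI installs from user profile directories are routine in many environments, so the combination of a user-writable parent and an MSI in a temp path is what separates this chain from ordinary software deployment.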


BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.