Thursday, March 28, 2024

Iranian Hackers Uses ScreenConnect Remote Access Tool to Target Government Agencies

Recently, the Anomali Threat Research team has detected a campaign that has been targeting only government offices located in the United Arab Emirates (UAE).

According to the report, UAE and Kuwait government companies are being targeted by the new threat actors of cyberespionage campaign that is likely taken out by Iranian threat actors.

After investigating the whole campaign the analyst of Anomali asserted that the main motive of this campaign is to install a remote management tool that is named as ScreenConnect.

This management tool has very unique launch parameters that have “custom sections,” along with malware samples and URLs masquerading as the Ministry of Foreign Affairs (MOFA) of Kuwait and the UAE National Council.

File names and delivery URLs found in this campaign

The delivery URLs that have been found in this campaign are mentioned below:-

  • ws.onehub[.]com/files/7w1372el
  • ws.onehub[.]com/files/94otjyvd

Here are the file names that have been found in this campaign:-

  • Review and study of the normalization of similarities between the Arab countries and Israel httpsmod.gov.kw.zip
  • Review and study of the normalization of relations among the Arab countries and Israel httpsmod.gov.kw.exe
  • Scholarships.zip
  • Scholarships.exe
  • Project.docx

ScreenConnect and OneHub Context

According to the report, from 2016 to 2020, it has been seen that ScreenConnect and Onehub were used in malicious cyber action by several, unassociated threat actors.

The analyst illustrated that from 2016 to 2019 there were some unknown threat actors, that have targeted IT outsourcing firms, which include negotiating US-based Cognizant and India-based Wipro.

However, all these attacks have used ScreenConnect to connect to endpoints on customer networks, and these endpoints enable the threat actors to conduct further lateral movements and automatic actions on objectives.

First and Second Executable

In the first executable, whenever the user adjudicates to double click the executable httpsmod.gov.kw.exe that is the ScreenConnect payload, it drops the Microsoft installer file. 

This payload starts the installation process of the client onto victim machines. Whereas the threat actors endeavored to make the installation look legitimate, a closer examination of the client launch parameters exhibits the potential for broader MOFA targeting.

The second Executable has The ScreenConnect parameters that help the threat actors to make the payload look legitimate and reasonable to perform all its operation. 

However, all the URLs that were disseminated through these phishing emails right from the recipients to the dedicated file storage location on Onehub. There is a legitimate service known to be practiced by Static Kitten for nefarious purposes. 

But, the main goal of the attackers, is that it resembles the use of the software to connect to endpoints on client networks, and it directly allows them to conduct all the lateral movements and execute arbitrary commands in the target environment.

IOCs

Docx
31a35e3b87a7f81449d6f3e195dc0660b5dae4ac5b7cd9a65a449526e8fb7535

EXE
3e4e179a7a6718eedf36608bd7130b62a5a464ac301a211c3c8e37c7e4b0b32b
5bfb635c43eb73f25f4e75961a715b96fa764bbe096086fc1e037a7869c7878b

IP
149.202.216.53

URL
https://ws.onehub.com/files/94otjyvd
https://ws.onehub.com/files/7w1372el
instance-sy9at2-relay.screenconnect.com
instance-uwct38-relay.screenconnect.com

ZIP
b2f429efdb1801892ec8a2bcdd00a44d6ee31df04721482a1927fc6df554cdcf
77505dcec5d67cc0f6eb841f50da7e7c41a69419d50dc6ce17fffc48387452e1

You can follow us on Linkedin, Twitter, Facebook for daily Cybersecurity, and hacking news updates.

Website

Latest articles

2 Chrome Zero-Days Exploited at Pwn2Own 2024: Patch Now

Google has announced a crucial update to its Chrome browser, addressing several vulnerabilities, including...

The Moon Malware Hacked 6,000 ASUS Routers in 72hours to Use for Proxy

Black Lotus Labs discovered a multi-year campaign by TheMoon malware targeting vulnerable routers and...

Hackers Actively Exploiting Ray AI Framework Flaw to Hack Thousands of Servers

A critical vulnerability in Ray, an open-source AI framework that is widely utilized across...

Chinese Hackers Attacking Southeast Asian Nations With Malware Packages

Cybersecurity researchers at Unit 42 have uncovered a sophisticated cyberespionage campaign orchestrated by two...

CISA Warns of Hackers Exploiting Microsoft SharePoint Server Vulnerability

Cybersecurity and Infrastructure Security Agency (CISA) has warned about a critical vulnerability in Microsoft...

Microsoft Expands Edge Bounty Program to Include WebView2!

Microsoft announced that Microsoft Edge WebView2 eligibility and specific out-of-scope information are now included...

Beware of Free Android VPN Apps that Turn Your Device into Proxies

Cybersecurity experts have uncovered a cluster of Android VPN applications that covertly transform user...
Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Mitigating Vulnerability Types & 0-day Threats

Mitigating Vulnerability & 0-day Threats

Alert Fatigue that helps no one as security teams need to triage 100s of vulnerabilities.

  • The problem of vulnerability fatigue today
  • Difference between CVSS-specific vulnerability vs risk-based vulnerability
  • Evaluating vulnerabilities based on the business impact/risk
  • Automation to reduce alert fatigue and enhance security posture significantly

Related Articles