Threat actors exploiting cloud services are keeping me very busy in these final days of this troubled 2022. The main character of this Cloud Threats Memo is MuddyWater (also known as Earth Vetala, MERCURY, Static Kitten, Seedworm, and TEMP.Zagros), one of the most prolific cyber espionage groups, active since at least 2017, and believed to be a subordinate element within Iran’s Ministry of Intelligence and Security (MOIS).
Researchers at Deep Instinct’s Threat Research team have identified a new campaign by this group targeting Armenia, Azerbaijan, Egypt, Iraq, Israel, Jordan, Oman, Qatar, Tajikistan, and United Arab Emirates, and characterized by a new arsenal of adversary tactics, techniques, and procedures (TTPs) including (but I bet you already know it) the abuse of two legitimate well-know cloud services.
This campaign was observed in the beginning of October and possibly started in September. Similar to other operations by the same threat actor, the initial attack vector is a spear phishing email, however what makes this campaign different from the previous ones is the use of a new remote administration tool named “Syncro.” delivered in two different ways: through a direct link embedded into the email pointing to a Dropbox link hosting the Syncro installer, or an HTML attachment (a simple way to evade most email security solutions) containing a link to OneDrive pointing, once again, to the Syncro installer.
This is yet another example of legitimate cloud services being exploited by state-sponsored threat actors. What seemed to be an exception just a few months ago, is now becoming the norm with more and more cloud apps joining the club. In fact, if O