The well-known Iranian threat actor MuddyWater is continuing its long-standing practice of relying on legitimate remote administration tools to take control of targeted systems. While the nation-state group has previously employed ScreenConnect, RemoteUtilities, and Syncro, a new analysis from Group-IB has revealed the adversary's use of the SimpleHelp remote support software in June 2022.

MuddyWater, active since at least 2017, is assessed to be a subordinate element within Iran's Ministry of Intelligence and Security (MOIS). Its top targets include Turkey, Pakistan, the U.A.E., Iraq, Israel, Saudi Arabia, Jordan, the U.S., Azerbaijan, and Afghanistan.

"MuddyWater uses SimpleHelp, a legitimate remote device control and management tool, to ensure persistence on victim devices," Nikita Rostovtsev, senior threat analyst at Group-IB, said. "SimpleHelp is not compromised and is used as intended. The threat actors found a way to download the tool from the official website and use it in their attacks."

The exact distribution method used to drop the SimpleHelp samples is currently unclear, although the group is known to send spear-phishing messages bearing malicious links from already compromised corporate mailboxes. Group-IB's findings were corroborated by Slovak cybersecurity firm ESET earlier this January, which detailed MuddyWater's attacks in Egypt and Saudi Arabia that involved the use of SimpleHelp to deploy its Ligolo reverse tunneling tool and a credential harvester dubbed MKL64.

This news is concerning for two reasons. First, MuddyWater has been a well-known and active threat actor for several years, targeting many countries in the Middle East as well as the United States. Second, it carries out its attacks with legitimate tools, which lets it bypass many security measures that are in place, since the tools themselves are not malicious. The good news is that Group-IB and ESET have both been able to detect and thwart these attacks. However, it is important to be aware of the threat that MuddyWater poses and to remain vigilant in protecting your systems.
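As an added example (not code from the article, Group-IB or ESET), here is the check a defender would run against this tradecraft: inventory installed remote-support software and alert on any product that is not on the organisation's allowlist, because an unmodified, vendor-signed tool will not trip antivirus on its own. The inventory rows, the name patterns and the allowlist are constructed assumptions to be replaced with an organisation's real data.

```python
"""Flag remote-administration tools that are installed but not sanctioned.

Added example, not part of the original article or any vendor tooling.
The inventory, the name patterns and the allowlist below are constructed
for the demonstration and must be tuned to real service/product names.
"""
import csv
import io
import re
from typing import List, Optional, Set, Tuple

# Remote-support products the article names as abused by MuddyWater.
# Patterns are assumptions: substrings a hunter would match against the
# product or service names recorded by an endpoint inventory agent.
RMM_PATTERNS = {
    "SimpleHelp": re.compile(r"simplehelp", re.I),
    "ScreenConnect": re.compile(r"screenconnect", re.I),
    "RemoteUtilities": re.compile(r"remote ?utilities", re.I),
    "Syncro": re.compile(r"syncro", re.I),
}

# The one remote-support product this (hypothetical) organisation licenses.
SANCTIONED: Set[str] = {"ScreenConnect"}

# Constructed software-inventory export: host, product name, publisher.
INVENTORY = """\
host,name,publisher
WS-014,ScreenConnect Client,ConnectWise
WS-022,SimpleHelp Remote Access,SimpleHelp Ltd
SRV-03,Microsoft Defender Antivirus,Microsoft
WS-031,Syncro Agent,Syncro
"""


def classify(name: str, publisher: str) -> Optional[str]:
    """Return the RMM product a row matches, or None if it is not one."""
    for product, pattern in RMM_PATTERNS.items():
        if pattern.search(name) or pattern.search(publisher):
            return product
    return None


def find_unsanctioned_rmm(inventory_csv: str,
                          sanctioned: Set[str] = SANCTIONED) -> List[Tuple[str, str]]:
    """Return (host, product) pairs for RMM tools absent from the allowlist."""
    hits = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        product = classify(row["name"], row["publisher"])
        if product and product not in sanctioned:
            hits.append((row["host"], product))
    return hits


if __name__ == "__main__":
    for host, product in find_unsanctioned_rmm(INVENTORY):
        print(f"ALERT {host}: unsanctioned remote-support tool {product}")
```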