Iran-aligned hacker group, MuddyWater’s latest phishing campaign deploying the new Syncro remote administration tool is causing all kinds of trouble. This text shares details about the phishing campaign, who MuddyWater is, the hacker group’s previous attacks, the latest changes, Syncro’s capabilities, how the attack campaign works, and how to protect against it.

There is a novel phishing campaign utilizing legitimate corporate accounts for phishing emails. MuddyWater, a hacking group associated with Iran’s MOIS (Ministry of Intelligence and Security), has been using compromised email accounts from genuine organizations for a large-scale phishing campaign that is paired with a remote administration tool.

The group has used similar tools in the past but has changed its tactics multiple times, coming to its most severe one. Here is everything you need to know about the MuddyWater phishing campaign and its RAT, Syncro.


Who is MuddyWater?

Also known as Boggy Serpens, Earth Vetala, Seedworm, and Cobalt Ulster, MuddyWater is a hacker group that primarily targets the Middle East and surrounding nations like India. The hacker group has been causing trouble since 2017, and its threat actors are known for their slowly evolving PowerShell-based backdoor that is continually incremented in its capability from time to time. The hacker group has also targeted the USA in the past, along with Central and West Asian countries.


MuddyWater’s Previous Attacks

MuddyWater has been conducting significant spear-phishing campaigns in the United Arab Emirates, Saudi Arabia, Israel, and Azerbaijan. These included:

  1. Phishing Emails: As Earth Vetala, the hacking group sent spear-phishing emails and lure documents. These documents and phishing emails contained URLs (Uniform Resource Locators) that led the victims to file-sharing services.
  2. Malicious URLs: These malicious URLs were linked to legitimate file-sharing services from where the threat actors distributed their RAT (Remote Administration Tool), Screen Connect.
  3. MuddyWater RAT: MuddyWater’s previous RAT, ScreenConnect, posed as a legitimate application for managing enterprise systems remotely for system administrators. ScreenConnect encompassed data encoding, email parsing, file and registry copy, HTTP/S (Hypertext Transfer Protocol Secure) connection support, native command line, and process and file execution capabilities.



However, researchers at Trend Micro identified multiple threat indicators and discovered that the threat actors were using post-exploration tools for password dumping. These passwords were tunneled to a threat actor-controlled C2 (Command and Control) server using open-source tools, and additional infrastructure on targeted systems was established for persistent presence. The threat actors could extract credentials from the following.

  •   Chrome
  •   Chromium
  •   Firefox
  •   Opera
  •   Internet Explorer
  •   Outlook


Furthermore, the PowerShell backdoor could:

  •   Analyze Skype connectivity
  •   Download and install Skype
  •   Encoded communication with its C2 server
  •   Execute commands sent from the C2 server
  •   Gather MFA (Multi-Factor Authentication) settings
  •   Gather the currently logged-on user and OS version


 MuddyWater’s Latest Phishing Campaign

The threat research team at Deep Instinct has been closely analyzing the cybercriminal group’s latest phishing campaign that has been targeting Armenia, Azerbaijan, Egypt, Iraq, Israel, Jordan, Oman, Qatar, Tajikistan, and United Arab Emirates.

  1. Phishing

The latest phishing activity was observed in October and is notable for the threat actors due to the usage of a new RAT named Syncro. Just like the previous one, the latest MuddyWater phishing campaign utilizes compromised legitimate corporate accounts.

However, these phishing emails contain a new lure in the form of an HTML (Hyper Text Markup Language). The threat actors have been posing as Egyptian hosting service providers and organizations, Israeli Healthcare, and more.

Since the HTML attachment is not an archive or executable, it does not raise any victim’s suspicions, as HTML is overlooked while preparing the workforce for phishing education and phishing awareness training.


  1. Syncro

Syncro is a highly sophisticated RAT that allows MuddyWater’s threat actors to take control of the victim’s devices remotely. However, MuddyWater is not the only threat actor utilizing this tool. Syncro has been observed in Luna Moth and BatLoader campaigns as well.

Syncro is a platform packed with features aimed at helping MSPs (Managed Service Providers) run their businesses. Syncro provides MSPs with an agent for device management that comes installed with a customized MSI file and a customer ID and also comes with a 21-day trial offer that allows you to choose the subdomain.

The trial version comes with a GUI (Graphical User Interface), allowing the actor complete control over any device via RAT, a terminal with SYSTEM privileges, remote desktop access, task and service managers, and more. With Syncro, threat actors can deploy multiple backdoors, exfiltrate data, and hand off access to other threat actors, making it a significant threat.



How does MuddyWater’s Phishing Campaign Work

The phishing campaign works in three key steps, which are:

  1. Targeted Emails: MuddyWater’s latest phishing campaign follows in the footsteps of its previous one, with threat actors practicing social engineering and sending malicious phishing emails to targeted individuals.
  1. Malicious Attachments: Once the victim is approached, the threat actors send a phishing link to a legitimate dropbox, an HTML file connected to the cloud server, or malicious attachments leading the victim to OneHub.
  1. ZIP Downloads: All these cloud servers or document dropboxes contain a malicious ZIP file that extracts an MSI Windows Installer that deploys Syncro on their machines.


How to Protect Against the MuddyWater Phishing Campaign?

Along with the analysis, Deep Instinct’s researchers also shared how it would be best for security teams, organizations, and individuals to monitor their machines for remote desktop solutions that are uncommon in the enterprise since they are abused more than their common counterparts.

Additionally, it would be best to provide the best phishing training to the workforce and executives alike. Here are a few ways you can ensure that your clients and the organizations are safe from phishing emails and social engineering:

  • SSL Certificates: Using an SSL (Secure Sockets Layer) certificate can allow organizations to secure all incoming and outgoing traffic, which means all information is protected from eavesdropping and cannot be used for social engineering.
  • Securely Hosted Payments: One of the best practices for 2023 and beyond is reducing risks to customer financial information by using payment gateways with the latest PCI DSS and ISO 27001 certifications. So even if your customers receive phishing emails targeted towards stealing their financial information, they are protected.
  • Adequate Staff Education: Educating employees is critical since they make or break any organization. Proper staff training, phishing awareness, practice simulations, and regular seminars sharing the latest revelations and phishing tactics enforce the idea in the workforce, making them better at identifying and steering clear phishing emails.


Final Words

The latest MuddyWater phishing campaign is novel, and the targeted organizations need to learn for phishing protection. Not just from the ongoing threat but from future ones. With various social engineering methods and malicious payload deployment, the latest MuddyWater phishing campaign will surely harm many more.


However, the first step in stopping any threat is knowing how it works and how it can damage you. With that covered, it would be best to follow the above guidelines to strengthen the organization against phishing attacks, and invest in automated tools and technologies and cyber insurance, to be prepared for the worst-case scenario since there are significant chances of any organization facing a cyberattack, especially phishing.