MuddyWater is back with new techniques

Threat Level

Actor Report

For a detailed threat advisory, download the pdf file here

Summary

MuddyWater used Dropbox links and document attachments with URLs redirected to ZIP archives as lures in its campaign, which also utilized compromised corporate email accounts. In addition to using Remote Utilities and ScreenConnect installers in their archive files, attackers have also switched to Atera Agent. Recent updates to the campaign have enabled the delivery of the Syncro remote administration tool, which could provide attackers with total machine control, enabling reconnaissance, additional backdoor delivery, and sale of access. With such capabilities, a threat actor has nearly unlimited options for accessing corporate machines.