
Static Kitten New Malicious Activity

Overview

Anomali Threat Research discovered new malicious activity attributed to the Iranian cyber espionage group “Static Kitten” (also tracked as Seedworm, MERCURY, Temp.Zagros, POWERSTATS, NTSTATS and MuddyWater), which mainly targets the Middle East. The new activity uses the same TTPs as previously observed Static Kitten activity. Based on data in the malicious samples, we found samples disguised as coming from the Kuwaiti government and the UAE National Assembly.

In mid-2020, the UAE and Israel began to normalize relations. Since then, as many news reports have noted, tensions in the region have escalated. The targeting of Kuwait may be related to several factors, including a public statement by the Kuwaiti Ministry of Foreign Affairs that it is willing to lead mediation between Iran and Saudi Arabia. In addition, trade figures published in October 2020 for the peace agreement between Israel and the UAE estimate the creation of 15,000 jobs and roughly $2 billion in revenue for both parties. In December, Static Kitten was reported to have conducted “Operation Quicksand”, which targeted well-known Israeli organizations and included the use of the OneHub file storage service.

Detail

Static Kitten used two decoy ZIP files to trick users into downloading files purporting to be reports or scholarship material on the relationship between Arab countries and Israel. The URLs distributed in these emails redirect recipients to the target files on OneHub; OneHub is a known asset used by Static Kitten.

Static Kitten's goal is to direct users, via an email, to a malicious URL that delivers a ZIP file containing an EXE. The EXE appears to be a report on the relationship between Arab countries and Israel, but once executed it actually starts the ScreenConnect installation process.

The second sample uses a .docx file that attempts to direct the user to a malicious URL. The downloaded ZIP contains an EXE with the same name as the document, and executing it starts the ScreenConnect installation. The infection chain is shown below.

(Figure: Static Kitten infection chain)
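As an added detection example (not from the Anomali report), the following Python correlates the two stages of the chain described above in constructed proxy log lines: a file download from ws.onehub.com followed, from the same host, by a connection to a ScreenConnect relay host. The log format, host names and the 30-minute window are assumptions; the OneHub path and relay host are taken from the IOC list.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample proxy log lines (not from the original report).
# Format assumed: "<ISO timestamp> <client host> <destination host> <URL path>"
SAMPLE_LOG = """\
2021-02-01T09:12:01 ws1 ws.onehub.com /files/94otjyvd
2021-02-01T09:12:40 ws1 instance-sy9at2-relay.screenconnect.com /
2021-02-01T10:05:00 ws2 ws.onehub.com /files/94otjyvd
2021-02-01T11:00:00 ws3 instance-sy9at2-relay.screenconnect.com /
2021-02-01T14:00:00 ws2 www.example.com /
"""

ONEHUB_HOST = re.compile(r"^ws\.onehub\.com$", re.I)
# ScreenConnect relay hosts seen in this campaign follow instance-<id>-relay.screenconnect.com
SCREENCONNECT_RELAY = re.compile(r"^instance-[a-z0-9]+-relay\.screenconnect\.com$", re.I)
WINDOW = timedelta(minutes=30)  # assumed correlation window


def parse(log_text):
    """Parse log lines into (timestamp, client host, destination host, path) tuples."""
    events = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than failing the whole run
        ts, host, dst, path = parts
        events.append((datetime.fromisoformat(ts), host, dst, path))
    return events


def find_chains(events, window=WINDOW):
    """Return (host, relay timestamp) pairs where a OneHub file download
    precedes a ScreenConnect relay contact from the same host within `window`.
    A relay contact alone is not flagged, since ScreenConnect is also used legitimately."""
    downloads = defaultdict(list)
    hits = []
    for ts, host, dst, path in sorted(events):
        if ONEHUB_HOST.match(dst) and path.startswith("/files/"):
            downloads[host].append(ts)
        elif SCREENCONNECT_RELAY.match(dst):
            if any(timedelta(0) <= ts - d <= window for d in downloads[host]):
                hits.append((host, ts.isoformat()))
    return hits


if __name__ == "__main__":
    for host, when in find_chains(parse(SAMPLE_LOG)):
        print(f"{host}: OneHub download followed by ScreenConnect relay at {when}")
```

Only ws1 is flagged: ws2 downloaded from OneHub but never reached a relay, and ws3 contacted a relay with no preceding download.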

Bait Document

Static Kitten distributes at least two malicious URLs that deliver two different ZIP files, with themes aimed at government agency employees. These URLs are distributed through emails carrying decoy content and decoy documents. An example decoy is shown in the figure below.

(Figure: Static Kitten decoy .docx)

The .docx file shown in the image above is aimed at recipients in government agencies. It highlights concerns about recent Iranian actions, the impact of the U.S. election, and joint research by government entities on the relationship between Arab countries and Israel. Multiple official institutions are mentioned, including the General Secretariat of the Cooperation Council for the Arab States of the Gulf and the UAE National Media Council, possibly to increase the document's apparent legitimacy.

IOCs

149.202.216.53

https://ws.onehub.com/files/94otjyvd
https://ws.onehub.com/files/7w1372el
instance-sy9at2-relay.screenconnect.com
instance-uwct38-relay.screenconnect.com
