Phishing Attacks Used Legitimate Emails to Gain Remote Admin Privileges

Image of a man typing on a laptop with notebook to his left and a mug to his right.
Phishing attacks are becoming increasingly common for businesses.
Source: Unsplash

Iranian cybercrime group, MuddyWater, used legitimate companies’ emails in phishing attacks, Deep Instinct reported in their recent blog, New MuddyWater Threat: Old Kitten; New Tricks. The attackers tried to install malicious remote administration software on recipients’ systems by sending spam links as HTML attachments—a tactic to evade email security solutions. 

Since 2017, the group has targeted private and government organizations in various sectors across Europe, North America, the Middle East, Asia, and Africa. But the group switches modus operandi for each attack to hide its signature. 

However, all their activities center around phishing attacks. They use email and remote administration tools to scam businesses and people. This time, MuddyWater used Syncro—a remote administration tool for Managed Service Providers (MSPs). But in their previous operations, they relied on RemoteUtilities and ScreenConnect. 

Sending Spam as HTML Attachments to Evade Detection

Image shows a phishing email luring the recipient to open an HTML attachment that's shown enclosed in a red rectangle.
Always play it safe with company email attachments, and never open something you aren’t certain about.
Source: Deep Instinct

Spam links sent as HTML attachments are dangerous for two reasons. First, companies often overlook HTML attachments in their phishing awareness training because they aren’t archived or executable files. And second, though email filtering and scanning solutions can detect spam HTML attachments, blocking requires additional security checks. Few companies normally take these extra steps. Knowing this, MuddyWater chose to send the spam links as HTML attachments instead of in the email body, as is the practice in typical phishing attacks. 

Researching MuddyWater’s phishing attacks, investigators have found OneDrive archives containing Syncro MSI installers as destinations of the HTML links. MuddyWater cybercriminals used the same tactic to spam contacts in the insurance space from the email address of a trusted Israeli company in hospitality. And on another occasion, they used a legitimate Egyptian hosting company’s address to email another Egyptian hosting company. In doing so, they were banking on unsuspecting employees clicking on the attachments, trusting the mail’s apparent source.

No matter how elaborate the setup, all phishing scams rely on the recipient inside a network to click on a link that downloads or runs an executable file. Investigators don’t yet know whether MuddyWater has access to only one email account or the whole email server of the companies whose addresses it used. 

The image shows code from the Syncro remote admin software, highlighting key variables against a black screen.
Syncro is remote administration application. Unfortunately, this tool is available to everybody, including cybercriminals, for a free trial.
Source: Deep Instinct

So, what happens when a user clicks on the Syncro installer link? Cybercriminals get remote access to the machine. Syncro is a favorite among cybercriminals for remote machine control. Plus, it even offers a free 21-day trial. “Syncro provides an agent for MSPs to manage any device that has Syncro installed with the custom-made provided MSI file that includes the customerID,” the Deep Instinct blog read. 

With its GUI, Syncro allows cybercriminals to control computers once recipients unknowingly install the remote file. It doesn’t stop there, though. It also gives cybercriminals SYSTEM privileges, remote desktop access, full file system access, tasks, and services manager. These privileges allow cybercriminals to inflict serious damage on users and businesses. As the report states, a threat actor with remote access via Syncro has near-limitless options, as seen in BatLoader and LunaMoth operations. 

LunaMoth used Syncro to steal corporate data and then demanded ransom. On the other hand, Batloader mimicked search engine results for professional applications like Zoom, TeamViewer, and Microsoft Visual Studio. Using ​​a traffic direction system (TDS), attackers got users to click on malicious applications in the results. Once clicked, the link executed a legitimate Windows DLL with a malicious VBScript to change Microsoft Defender settings. 

Staying Safe from Phishing Attacks

Image shows a schema that outlines MuddyWater's phishing scam  on a white background.
Phishing scams are simple in theory and execution. But they continue to harm legitimate businesses and are growing in size and sophistication.
Source: Deep Instinct

The business email compromise (BEC) remains an efficient way for cybercriminals to take down networks. Cybercriminals exploit employees’ lack of knowledge about scams. Managers and owners can send employees updates on cybersecurity trends and practices to ensure they remain informed. 

To limit their vulnerability, companies can invest in employee awareness. Additionally, they must set up preventive measures, including:

  • Ensuring all emails are encrypted 
  • Turning on advanced spam filtering and malware detection 
  • Using an email toolkit with anti-phishing technology 
  • Preventing network users from installing any unverified executable file
  • Blocking employees from accessing third-party email applications
  • Ensuring employees have 2FA for their daily email sign-in
  • Encouraging employees to set up a strong password for their email
  • Archiving and deleting emails within appropriate timeframes 
  • Ensuring employees change their passwords regularly
  • Enforcing and updating a strong email security policy 

These measures will reduce spam, which will save companies from phishing operations. Besides, reducing spam also increases employee productivity and improves server load. 

Free Tools Are a Boon for Cybercriminals

MuddyWater compromised company email accounts using legitimate, free tools and services like Syncro and OneDrive. It did this by taking pains to build a credible facade, knowing that the more real their spam emails appeared, the more likely the email recipient was to open links or attachments. 

Yet, their attacks failed because poor word choice in the email’s body raised suspicion. Usually, glaring grammatical errors are a giveaway of spam content—even if the source’s email address appears legitimate. 

Nonetheless, what’s most alarming is the ease with which threat actors executed these attacks. Success would have put them in control of the company or government-owned machines. 

The room for error is small in these cases. And it only takes one negligent employee or executive to open a spam link to let in bad actors. For cybercriminals, it doesn’t matter if they have remote access to one machine or several. All that matters to them is getting in. 

About The Author

Leave a Comment

Your email address will not be published. Required fields are marked *

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Scroll to Top