Mercury APT, also known as MuddyWater, a group sponsored by the Iranian regime, is abusing the Log4Shell vulnerability in SysAid applications to gain initial access to targeted organizations.
Researchers from Microsoft reported that the Mercury group is abusing a flaw in vulnerable SysAid apps used by Israeli organizations.
- The group used Log4j 2 exploits against VMware apps earlier in 2022 and has now abused a similar flaw in SysAid apps.
- The attackers have used different techniques to communicate with their C2 server, including PowerShell.
- Further, a tunneling tool, vpnui.exe (a unique version of Ligolo), and the remote monitoring software eHorus were used in the attacks.