MERCURY Turns to SysAid Applications for Targeted Cyberattacks in Israel
- Actor Motivations: Espionage,Exfiltration
- Attack Vectors: Vulnerability Exploitation,Backdoor,Malware
- Attack Complexity: High
- Threat Risk: High Impact/High Probability
The Iran-based threat actor MERCURY, linked to Iran's Ministry of Intelligence and Security (MOIS), was detected exploiting Log4j 2 vulnerabilities in SysAid applications against organizations in Israel. Using these exploits for initial access, MERCURY established persistence, dumped credentials, and moved laterally within the targeted organizations. The actor also utilized both custom and well-known hacking tools alongside built-in operating system tools. Microsoft has implemented detections against MERCURY's tools in its Defender Antivirus and Defender for Endpoint and has directly notified customers targeted or compromised by MERCURY.
Tip: 15 related IOCs (2 IP, 1 domain, 1 URL, 0 email, 11 file hash) to this threat have been found.
Source: Deep Instinct - June 2023
Detection (one case): 91[.]121.240.104
Source: Group-IB - April 2023
Detection (two cases): 164[.]132.237.64, 91[.]121.240.104
Source: Symantec - October 2020
Detection (one case): 3c2fe308c0a563e06263bbacf793bbe9b2259d795fcc36b953793a7e499e7f71
Hint: Overlaps are extracted automatically by examining the IOCs associated with all indexed threats and actors.