Threats Feed|Mango Sandstorm (Mercury)|Last Updated 25/07/2024|AuthorCertfa Radar|Publish Date25/08/2022

MERCURY Turns to SysAid Applications for Targeted Cyberattacks in Israel

  • Actor Motivations: Espionage,Exfiltration
  • Attack Vectors: Vulnerability Exploitation,Backdoor,Malware
  • Attack Complexity: High
  • Threat Risk: High Impact/High Probability

Threat Overview

The Iran-based threat actor MERCURY, linked to Iran's Ministry of Intelligence and Security (MOIS), was detected exploiting Log4j 2 vulnerabilities in SysAid applications against organizations in Israel. Using these exploits for initial access, MERCURY established persistence, dumped credentials, and moved laterally within the targeted organizations. The actor also utilized both custom and well-known hacking tools alongside built-in operating system tools. Microsoft has implemented detections against MERCURY's tools in its Defender Antivirus and Defender for Endpoint and has directly notified customers targeted or compromised by MERCURY.

Reference and Credit: Microsoft - August 2022

MERCURY leveraging Log4j 2 vulnerabilities in unpatched systems to target Israeli organizations

Detected Targets

TypeDescriptionConfidence
RegionIsrael
Verified

Extracted IOCs

  • sygateway[.]com
  • 25325dc4b8dcf3711e628d08854e97c49cfb904c08f6129ed1d432c6bfff576b
  • 3137413d086b188cd25ad5c6906fbb396554f36b41d5cff5a2176c28dd29fb0a
  • 3c2fe308c0a563e06263bbacf793bbe9b2259d795fcc36b953793a7e499e7f71
  • 3ca1778cd4c215f0f3bcfdd91186da116495f2d9c30ec22078eb4061ae4b5b1b
  • 416e937fb467b7092b9f038c1f1ea5ca831dd19ed478cca444a656b5d9440bb4
  • 87f317bbba0f50d033543e6ebab31665a74c206780798cef277781dfdd4c3f2f
  • b8206d45050df5f886afefa25f384bd517d5869ca37e08eba3500cda03bddfef
  • bbfee9ef90814bf41e499d9608647a29d7451183e7fe25f472c56db9133f7e40
  • d2e2a0033157ff02d3668ef5cc56cb68c5540b97a359818c67bd3e37691b38c6
  • e4ca146095414dbe44d9ba2d702fd30d27214af5a0378351109d5f91bb69cdb6
  • e81a8f8ad804c4d83869d7806a303ff04f31cce376c5df8aada2e9db2c1eeb98
  • 164[.]132.237.64
  • 91[.]121.240.104
  • hxxp://sygateway[.]com
download

Tip: 15 related IOCs (2 IP, 1 domain, 1 URL, 0 email, 11 file hash) to this threat have been found.

Overlaps

MuddyWaterMuddyWater Upgrades: The Emergence of PhonyC2 Framework

Source: Deep Instinct - June 2023

Detection (one case): 91[.]121.240.104

MuddyWaterMuddyWater APT Uses Legitimate Remote Management Tool for Persistence

Source: Group-IB - April 2023

Detection (two cases): 164[.]132.237.64, 91[.]121.240.104

SeedwormSeedworm's Rising Activity: Middle East Targets and PowGoop Tool Connections

Source: Symantec - October 2020

Detection (one case): 3c2fe308c0a563e06263bbacf793bbe9b2259d795fcc36b953793a7e499e7f71

Hint: Overlaps are extracted automatically by examining the IOCs associated with all indexed threats and actors.

About Affiliation
Mango Sandstorm
View Mango Sandstorm's Insights