Threats Feed|Mango Sandstorm (Mercury)|Last Updated 05/08/2023|AuthorCertfa Radar|Publish Date25/08/2022

MERCURY Turns to SysAid Applications for Targeted Cyberattacks in Israel

  • Actor Motivations: Espionage,Exfiltration
  • Attack Vectors: Vulnerability Exploitation,Backdoor,Malware
  • Attack Complexity: High
  • Threat Risk: High Impact/High Probability

Threat Overview

The Iran-based threat actor MERCURY, linked to Iran's Ministry of Intelligence and Security (MOIS), was detected exploiting Log4j 2 vulnerabilities in SysAid applications against organizations in Israel. Using these exploits for initial access, MERCURY established persistence, dumped credentials, and moved laterally within the targeted organizations. The actor also utilized both custom and well-known hacking tools alongside built-in operating system tools. Microsoft has implemented detections against MERCURY's tools in its Defender Antivirus and Defender for Endpoint and has directly notified customers targeted or compromised by MERCURY.

Detected Targets


Extracted IOCs

  • sygateway[.]com
  • 25325dc4b8dcf3711e628d08854e97c49cfb904c08f6129ed1d432c6bfff576b
  • 3137413d086b188cd25ad5c6906fbb396554f36b41d5cff5a2176c28dd29fb0a
  • 3c2fe308c0a563e06263bbacf793bbe9b2259d795fcc36b953793a7e499e7f71
  • 3ca1778cd4c215f0f3bcfdd91186da116495f2d9c30ec22078eb4061ae4b5b1b
  • 416e937fb467b7092b9f038c1f1ea5ca831dd19ed478cca444a656b5d9440bb4
  • 87f317bbba0f50d033543e6ebab31665a74c206780798cef277781dfdd4c3f2f
  • b8206d45050df5f886afefa25f384bd517d5869ca37e08eba3500cda03bddfef
  • bbfee9ef90814bf41e499d9608647a29d7451183e7fe25f472c56db9133f7e40
  • d2e2a0033157ff02d3668ef5cc56cb68c5540b97a359818c67bd3e37691b38c6
  • e4ca146095414dbe44d9ba2d702fd30d27214af5a0378351109d5f91bb69cdb6
  • e81a8f8ad804c4d83869d7806a303ff04f31cce376c5df8aada2e9db2c1eeb98
  • 164[.]132.237.64
  • 91[.]121.240.104
  • hxxp://sygateway[.]com

Tip: 15 related IOCs (2 IP, 1 domain, 1 URL, 0 email, 11 file hash) to this threat have been found.


MuddyWaterMuddyWater Upgrades: The Emergence of PhonyC2 Framework

Source: Deep Instinct - June 2023

Detection (one case): 91[.]121.240.104

MuddyWaterMuddyWater APT Uses Legitimate Remote Management Tool for Persistence

Source: Group-IB - April 2023

Detection (two cases): 164[.]132.237.64, 91[.]121.240.104

SeedwormSeedworm's Rising Activity: Middle East Targets and PowGoop Tool Connections

Source: Symantec - October 2020

Detection (one case): 3c2fe308c0a563e06263bbacf793bbe9b2259d795fcc36b953793a7e499e7f71

Hint: Overlaps are extracted automatically by examining the IOCs associated with all indexed threats and actors.