The Iran-affiliated threat actor tracked as MuddyWater (also known as Mango Sandstorm or TA450) has been linked to a new phishing campaign in March 2024 that aims to deliver a legitimate remote monitoring and management (RMM) solution called Atera.
The activity, which took place from March 7 through the week of March 11, targeted Israeli entities spanning the global manufacturing, technology and cybersecurity sectors, Proofpoint said.
“TA450 sent emails with PDF attachments that contained malicious links,” the enterprise security firm said. “While this method is no stranger to TA450, the threat actor has recently relied on embedding malicious links directly into the body of email messages instead of adding this additional step.”
MuddyWater has been attributed to attacks directed against Israeli organizations since late October 2023, with previous Deep Instinct findings uncovering the threat actor’s use of another remote administration tool, from N-able.
This is not the first time the adversary, believed to be affiliated with Iran’s Ministry of Intelligence and Security (MOIS), has come under the spotlight for its reliance on legitimate remote desktop software to achieve its strategic objectives. The use of ScreenConnect, RemoteUtilities, Syncro, and SimpleHelp was also observed.
The latest attack chains involve MuddyWater embedding links to files hosted on file-sharing sites such as Egnyte, Onehub, Sync, and TeraBox. Some of the phishing messages are said to have been sent from a possibly compromised email account associated with the “co.il” domain (Israel).
Clicking on the link within the PDF decoy document then leads to the download of a ZIP archive containing an MSI installation file that ultimately installs the Atera Agent on the compromised system. MuddyWater’s use of Atera Agent dates back to July 2022.
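The delivery chain described above (PDF link, then ZIP, then an MSI that installs a legitimate RMM agent) leaves a recognisable trace on the endpoint: an RMM installer executed from a user download or temp location on a host where that product was never sanctioned. The following detection sketch is an added example written for this article; it is not code from Proofpoint, Deep Instinct or any RMM vendor. It assumes a hypothetical JSON-lines install-event feed (fields `event_type`, `host`, `user`, `product_name`, `file_path`, `parent_process`), an assumed allow-list of hosts where IT has approved a given RMM product, and it generalises beyond Atera to the other RMM products named on this page.

```python
import json
from dataclasses import dataclass
from typing import Optional

# RMM products this page reports as abused by the actor. The substrings are
# matched against the installer/product name; this list is an assumption for
# the example, not a vendor-provided signature set.
RMM_PRODUCT_MARKERS = {
    "atera": "Atera Agent",
    "screenconnect": "ScreenConnect",
    "remoteutilities": "RemoteUtilities",
    "syncro": "Syncro",
    "simplehelp": "SimpleHelp",
    "n-able": "N-able",
}

# Hypothetical allow-list: hosts where a given RMM product is sanctioned by IT.
APPROVED_RMM = {
    "helpdesk-01": {"Atera Agent"},
}

# Parent processes that indicate an interactive launch, e.g. a user opening an
# MSI straight out of an extracted ZIP (assumed list).
INTERACTIVE_PARENTS = {"explorer.exe", "7zfm.exe", "winrar.exe"}


@dataclass
class Finding:
    host: str
    user: str
    product: str
    reason: str


def classify_event(event: dict) -> Optional[Finding]:
    """Return a Finding when an MSI install looks like an unsanctioned RMM deployment."""
    if event.get("event_type") != "msi_install":
        return None
    haystack = (event.get("product_name", "") + " " + event.get("file_path", "")).lower()
    product = next((label for marker, label in RMM_PRODUCT_MARKERS.items()
                    if marker in haystack), None)
    if product is None:
        return None  # not an RMM installer at all
    host, user = event["host"], event["user"]
    if product in APPROVED_RMM.get(host, set()):
        return None  # sanctioned deployment on this host
    reasons = ["RMM agent not approved for this host"]
    path = event.get("file_path", "").lower()
    if "\\downloads\\" in path or "\\temp\\" in path:
        reasons.append("installer launched from a user download/temp location")
    if event.get("parent_process", "").lower() in INTERACTIVE_PARENTS:
        reasons.append("launched interactively, consistent with an extracted archive")
    return Finding(host, user, product, "; ".join(reasons))


def scan(lines: list) -> list:
    """Parse JSON-lines install events and collect findings; skip malformed lines."""
    findings = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        finding = classify_event(event)
        if finding is not None:
            findings.append(finding)
    return findings


# Constructed sample events (not real telemetry). Backslashes are JSON-escaped.
SAMPLE_LOG = [
    r'{"event_type": "msi_install", "host": "ws-17", "user": "dana", '
    r'"product_name": "AteraAgent", "file_path": "C:\\Users\\dana\\Downloads\\invoice\\AteraAgent.msi", '
    r'"parent_process": "explorer.exe"}',
    r'{"event_type": "msi_install", "host": "helpdesk-01", "user": "it-admin", '
    r'"product_name": "AteraAgent", "file_path": "C:\\Deploy\\AteraAgent.msi", "parent_process": "sccm.exe"}',
    r'{"event_type": "msi_install", "host": "ws-22", "user": "omer", '
    r'"product_name": "7-Zip", "file_path": "C:\\Users\\omer\\Downloads\\7z.msi", "parent_process": "explorer.exe"}',
    r'{"event_type": "msi_install", "host": "ws-31", "user": "noa", '
    r'"product_name": "ScreenConnect Client", "file_path": "C:\\Users\\noa\\AppData\\Local\\Temp\\sc.msi", '
    r'"parent_process": "msiexec.exe"}',
    'this line is not json',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"[{f.host}] {f.user} installed {f.product}: {f.reason}")
```

Run as written, the scan flags the Atera install on `ws-17` (unapproved host, Downloads path, interactive parent) and the ScreenConnect install on `ws-31` (unapproved host, Temp path), while the sanctioned Atera deployment on `helpdesk-01` and the unrelated 7-Zip install pass silently. In a real environment the allow-list would come from the asset inventory rather than a literal, and the product markers should be extended to whatever RMM tooling the organisation actually sees.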
The change in MuddyWater’s tactics comes as a group of Iranian hacktivists nicknamed Lord Nemesis targeted Israel’s academic sector by hacking a software service provider called Rashim Software, in what amounts to a software supply chain attack.
“Lord Nemesis allegedly used credentials obtained from the Rashim breach to infiltrate several of the company’s clients, including numerous academic institutions,” Op Innovate said. “The group claims to have obtained sensitive information during the breach, which it could use for further attacks or to put pressure on affected organizations.”
Lord Nemesis is believed to have gained unauthorized access to Rashim’s infrastructure by hijacking the administrator account and exploiting the company’s inadequate multi-factor authentication (MFA) protections, then used that access to collect personal data of interest.
The group also sent email messages to more than 200 of Rashim’s customers on March 4, 2024, four months after the initial breach, detailing the scope of the incident. The exact method by which the threat actor gained access to Rashim’s systems was not revealed.
“The incident highlights the significant risks posed by third-party vendors and partners (supply chain attack),” security researcher Roy Golombick said. “This attack highlights the growing threat of state actors targeting smaller, resource-limited companies as a means of furthering their geopolitical agendas.”
“By successfully compromising Rashim’s administrator account, the Lord Nemesis group effectively bypassed security measures put in place by numerous organizations, granting themselves elevated privileges and unrestricted access to sensitive systems and data.”