
The Iran-linked threat actor tracked as MuddyWater (also known as Mango Sandstorm or TA450) has been linked to a new phishing campaign in March 2024 that purports to deliver a legitimate remote monitoring and management (RMM) solution called Atera.
Proofpoint said the campaign, which lasted the week of March 7 to March 11, targeted Israeli entities across the global manufacturing, technology and information security sectors.
“TA450 sends emails with PDF attachments containing malicious links,” the enterprise security firm said. “While this approach is not new to TA450, threat actors have recently relied on including malicious links directly in the body of emails rather than adding this extra step.”
MuddyWater is believed to be behind attacks targeting Israeli organizations since late October 2023, and Deep Instinct’s previous findings revealed that the threat actor used another remote management tool from N-able.

This is not the first time the adversary – assessed to be part of Iran’s Ministry of Intelligence and Security (MOIS) – has come under scrutiny for relying on legitimate remote desktop software to achieve its strategic goals. It has also been observed using ScreenConnect, RemoteUtilities, Syncro, and SimpleHelp.
The latest attack chain involves MuddyWater embedding links to files hosted on file sharing sites such as Egnyte, Onehub, Sync and TeraBox. Some of the pay-themed phishing emails were allegedly sent from potentially compromised email accounts associated with the “co.il” (Israel) domain.
In the next stage, clicking on the link in the PDF bait file will lead to the retrieval of a ZIP archive containing the MSI installer file, which will ultimately install the Atera Agent on the infected system. MuddyWater’s use of Atera Agent dates back to July 2022.
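The delivery chain just described (PDF lure, download from a file-sharing site, ZIP, MSI, RMM agent) leaves a recognisable trail in endpoint process-creation telemetry. The following detector is an added example written for this article; it is not code from Proofpoint, Atera or the original report. It scans constructed process events for `msiexec.exe` installing one of the RMM products named in the article from a user-writable staging directory, and raises the severity when the same user recently ran a PDF reader, browser or mail client. Field names, paths, the `LOOKBACK_SECONDS` window and the `.invalid` host names are assumptions for illustration, not indicators from the campaign.

```python
"""
Added example (not from the article or any vendor report): flag msiexec
installing an RMM agent from a user-writable path, correlated with a recent
lure process for the same user. All events are constructed sample data.
"""
from dataclasses import dataclass, field
from typing import List

# RMM products the article names as abused by this actor.
RMM_KEYWORDS = ("atera", "screenconnect", "remoteutilities", "syncro", "simplehelp")
# User-writable staging locations (assumption: typical Windows paths, lower-cased).
USER_STAGING = ("\\downloads\\", "\\appdata\\local\\temp\\")
# Processes a mailed PDF lure is typically opened with (assumption).
LURE_PARENTS = ("acrord32.exe", "chrome.exe", "msedge.exe", "firefox.exe", "outlook.exe")
LOOKBACK_SECONDS = 600  # assumed window to look back for a lure process


@dataclass
class ProcEvent:
    ts: int        # seconds since epoch (constructed)
    image: str     # process image name
    cmdline: str
    user: str


@dataclass
class Finding:
    ts: int
    user: str
    severity: str
    reasons: List[str] = field(default_factory=list)


def _rmm_install_from_staging(ev: ProcEvent) -> List[str]:
    """Reasons why ev looks like msiexec installing an RMM package from user-writable space."""
    reasons: List[str] = []
    if ev.image.lower() != "msiexec.exe":
        return reasons
    cmd = ev.cmdline.lower()
    if ".msi" not in cmd:
        return reasons
    hit = next((k for k in RMM_KEYWORDS if k in cmd), None)
    if hit:
        reasons.append(f"msiexec installs RMM agent package ({hit})")
    if any(p in cmd for p in USER_STAGING):
        reasons.append("MSI launched from a user-writable staging directory")
    return reasons


def _recent_lure_process(events: List[ProcEvent], ev: ProcEvent) -> bool:
    """True if the same user ran a PDF reader, browser or mail client shortly before ev."""
    return any(
        e.user == ev.user
        and e.image.lower() in LURE_PARENTS
        and 0 <= ev.ts - e.ts <= LOOKBACK_SECONDS
        for e in events
    )


def detect_rmm_delivery(events: List[ProcEvent]) -> List[Finding]:
    """Return one Finding per msiexec event that matches the phishing-delivered RMM pattern."""
    findings: List[Finding] = []
    for ev in events:
        reasons = _rmm_install_from_staging(ev)
        # Require both the RMM package and the staging path, so a managed rollout
        # from an admin share or deployment cache does not trip the rule.
        if len(reasons) < 2:
            continue
        severity = "medium"
        if _recent_lure_process(events, ev):
            reasons.append("preceded by a PDF reader/browser/mail client for the same user")
            severity = "high"
        findings.append(Finding(ev.ts, ev.user, severity, reasons))
    return findings


# Constructed sample telemetry: one phishing chain plus two benign installs.
SAMPLE_EVENTS = [
    ProcEvent(1000, "outlook.exe", "outlook.exe", "corp\\alice"),
    ProcEvent(1030, "AcroRd32.exe", r"AcroRd32.exe C:\Users\alice\Downloads\salary_update.pdf", "corp\\alice"),
    ProcEvent(1060, "msedge.exe", "msedge.exe https://share.example.invalid/f/agent.zip", "corp\\alice"),
    ProcEvent(1200, "msiexec.exe",
              r"msiexec.exe /i C:\Users\alice\AppData\Local\Temp\Temp1_agent.zip\AteraAgentSetup.msi /qn",
              "corp\\alice"),
    # Benign: IT deploys the same product from a managed share as SYSTEM.
    ProcEvent(5000, "msiexec.exe", r"msiexec.exe /i \\deploy.corp.invalid\packages\AteraAgent.msi /qn",
              "NT AUTHORITY\\SYSTEM"),
    # Benign: a user installs unrelated software from Downloads.
    ProcEvent(6000, "msiexec.exe", r"msiexec.exe /i C:\Users\bob\Downloads\notes_app.msi", "corp\\bob"),
]

if __name__ == "__main__":
    for f in detect_rmm_delivery(SAMPLE_EVENTS):
        print(f"[{f.severity}] ts={f.ts} user={f.user}: " + "; ".join(f.reasons))
```

Run against the sample, only the Alice chain is reported, at high severity; the SYSTEM deployment from a managed share and the unrelated user install are left alone, which is the trade-off the two-condition rule is meant to strike. In production the same logic would sit on Sysmon event ID 1 or EDR process data, and the staging-path and lure-process lists would be tuned to the environment.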
The shift in MuddyWater’s tactics comes as an Iranian hacker group called Lord Nemesis launched a software supply chain attack targeting Israeli academic circles by breaching a software service provider called Rashim Software.
“Lord Nemesis allegedly used credentials obtained from the Rashim breach to infiltrate multiple of the company’s customers, including numerous academic institutions,” Op Innovate said. “The group claims to have obtained sensitive information during the breach that they may have exploited. This information enables further attacks or pressure on affected organizations.”
Lord Nemesis is believed to have gained unauthorized access to Rashim’s infrastructure by hijacking administrator accounts and exploiting the company’s inadequate multi-factor authentication (MFA) protection to obtain personal data of interest.

Rashim also sent an email to more than 200 customers on March 4, 2024, four months after the initial breach, detailing the extent of the incident. The exact method the threat actors used to access Rashim’s systems has not yet been revealed.
“This incident highlights the significant risks posed by third-party vendors and partners (supply chain attacks),” said security researcher Roy Golombick. “This attack highlights the growing threat from nation-state actors who operate on a smaller scale, and companies with limited resources as a means to advance their geopolitical agenda.”
“By successfully compromising Rashim’s administrative account, the Lord Nemesis group effectively circumvented the security measures implemented by numerous organizations, granting themselves elevated privileges and unrestricted access to sensitive systems and data.”