Iran-Linked MuddyWater Deploys Atera for Surveillance in Phishing Attacks

Iran-Linked MuddyWater Deploys Atera for Surveillance in Phishing Attacks

The Iran-affiliated threat actor tracked as MuddyWater (aka Mango Sandstorm or TA450) has been linked to a new phishing campaign in March 2024 that aims to deliver a legitimate Remote Monitoring and Management (RMM) solution called Atera.

The activity, which took place from March 7 through the week of March 11, targeted Israeli entities spanning global manufacturing, technology, and information security sectors, Proofpoint said.

“TA450 sent emails with PDF attachments that contained malicious links,” the enterprise security firm said. “While this method is not foreign to TA450, the threat actor has more recently relied on including malicious links directly in email message bodies instead of adding in this extra step.”

In the next stage, clicking on the link present within the PDF lure document leads to the retrieval of a ZIP archive containing an MSI installer file that ultimately installs the Atera Agent on the compromised system. MuddyWater’s use of Atera Agent dates back to July 2022.

The shift in MuddyWater’s tactics comes as an Iranian hacktivist group dubbed Lord Nemesis has targeted the Israeli academic sector by breaching a software services provider named Rashim Software in what’s case of a software supply chain attack.

It also sent email messages to over 200 of its customers on March 4, 2024, four months after the initial breach took place, detailing the extent of the incident. The exact method by which the threat actor gained access to Rashim’s systems was not disclosed.

“The incident highlights the significant risks posed by third-party vendors and partners (supply chain attack),” security researcher Roy Golombick said. “This attack highlights the growing threat of nation-state actors targeting smaller, resource-limited companies as a means to further their geo-political agendas.”

“By successfully compromising Rashim’s admin account, the Lord Nemesis group effectively circumvented the security measures put in place by numerous organizations, granting themselves elevated privileges and unrestricted access to sensitive systems and data.”