MuddyWater cyberespionage group targets Israel with new tactics

March 27, 2024
Tags: MuddyWater, TA450, Cyberespionage Group, Israel, Social Engineering

MuddyWater (also tracked as TA450), an Iran-affiliated cyberespionage group, has adopted new tactics to target Israeli employees of multinational corporations.

According to the reports, the group relied on pay-related social engineering: emails promising salary increases and other financial incentives were used to trick Israeli employees into following a malicious link.

The campaign, which began earlier this month, used several variations of this lure. Unlike the group's earlier campaigns, which relied on attachments carrying the payload itself, this one placed the malicious link inside a PDF attachment and used the attachment only to deliver the link.

The emails were sent from what appear to be compromised .IL sender accounts and targeted personnel across several sectors, including global manufacturing, technology, and information security.

Image caption: MuddyWater baited its victims with PDF attachments that carry the malicious links.

MuddyWater's modus operandi was to entice victims with seemingly innocuous PDF attachments that concealed malicious links pointing to file-sharing platforms such as Egnyte, Onehub, Sync, and TeraBox.

When a victim clicks the link, a ZIP archive is downloaded that contains a compressed MSI file. Running that MSI installs AteraAgent, a legitimate remote administration tool, which gives the attackers remote access to the host.

Further analysis showed MuddyWater also using compromised email accounts at midsized financial services companies. Those campaigns likewise directed victims to cloud hosting providers such as Onehub, where they downloaded ZIP archives containing legitimate installer executables for remote administration tools.
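The delivery chain described in the two passages above (a ZIP fetched from a file-sharing platform, followed shortly by an MSI install of a remote administration tool such as AteraAgent) is a correlation opportunity for a SOC. The example below is an added illustration, not code from the report or from any vendor: it runs a simple two-stage detection over constructed sample log lines in a hypothetical "timestamp endpoint event key=value..." format. The domain suffixes for the named platforms and the 30-minute correlation window are assumptions, as is the idea of treating any msiexec launch of an Atera installer as at least medium severity on its own.

```python
"""Correlate file-sharing ZIP downloads with later MSI installs of an RMM agent.

Added example (not from the report). Log format, domains and window are assumptions.
"""
import re
from datetime import datetime, timedelta

# Assumed domain suffixes for the file-sharing platforms named in the report.
FILE_SHARING_SUFFIXES = ("egnyte.com", "onehub.com", "sync.com", "terabox.com")

# The report names AteraAgent; extend this tuple with other RMM products as needed.
RMM_MARKERS = ("ateraagent",)

# How long after a file-sharing download an RMM install still counts as correlated (assumption).
WINDOW = timedelta(minutes=30)

# Constructed sample telemetry: one Windows endpoint per host name, timestamps are invented.
SAMPLE_LOGS = """
2024-03-12T09:14:02Z WS-ISR-017 proxy_download host=ws.onehub.com file=Salary_Update.zip
2024-03-12T09:15:31Z WS-ISR-017 process_create image=C:\\Windows\\System32\\msiexec.exe cmdline="msiexec /i C:\\Users\\u\\Downloads\\Salary_Update\\AteraAgent.msi /qn"
2024-03-12T10:02:44Z WS-ISR-021 proxy_download host=cdn.example.org file=brochure.pdf
2024-03-12T10:03:10Z WS-ISR-021 process_create image=C:\\Windows\\System32\\msiexec.exe cmdline="msiexec /i C:\\Temp\\7zip.msi"
2024-03-12T11:40:05Z WS-ISR-033 proxy_download host=ln5.sync.com file=Bonus_Q1.zip
2024-03-12T13:55:00Z WS-ISR-033 process_create image=C:\\Windows\\System32\\msiexec.exe cmdline="msiexec /i C:\\Users\\v\\Downloads\\AteraAgent.msi"
"""

# key=value pairs; values may be double-quoted so that command lines with spaces survive.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line):
    """Split one log line into a dict: ts, endpoint, event, plus its key=value fields."""
    ts, endpoint, event, rest = line.split(" ", 3)
    fields = {k: (q if q else u) for k, q, u in KV_RE.findall(rest)}
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "endpoint": endpoint, "event": event, **fields}


def is_file_sharing(hostname):
    """Suffix match on the registered domain; avoids matching lookalikes such as onehub.com.evil.org."""
    h = hostname.lower()
    return any(h == s or h.endswith("." + s) for s in FILE_SHARING_SUFFIXES)


def detect(lines, window=WINDOW):
    """Return alerts for msiexec launches of an RMM installer, raised to high severity
    when the same endpoint pulled a ZIP from a file-sharing platform within the window."""
    downloads = {}  # endpoint -> list of qualifying download events
    alerts = []
    for raw in lines:
        ev = parse_line(raw)
        if ev["event"] == "proxy_download":
            if is_file_sharing(ev.get("host", "")) and ev.get("file", "").lower().endswith(".zip"):
                downloads.setdefault(ev["endpoint"], []).append(ev)
        elif ev["event"] == "process_create":
            image = ev.get("image", "").lower()
            cmd = ev.get("cmdline", "").lower()
            if not image.endswith("msiexec.exe") or not any(m in cmd for m in RMM_MARKERS):
                continue
            prior = [d for d in downloads.get(ev["endpoint"], [])
                     if timedelta(0) <= ev["ts"] - d["ts"] <= window]
            alerts.append({
                "endpoint": ev["endpoint"],
                "ts": ev["ts"].isoformat(),
                "severity": "high" if prior else "medium",
                "download": prior[-1]["file"] if prior else None,
                "cmdline": ev.get("cmdline", ""),
            })
    return alerts


def run_sample():
    """Run the detector over the constructed sample; returns two alerts (one high, one medium)."""
    return detect(SAMPLE_LOGS.strip().splitlines())


if __name__ == "__main__":
    for a in run_sample():
        print(a["severity"].upper(), a["endpoint"], a["ts"], a["download"], a["cmdline"])
```

WS-ISR-017 installs AteraAgent about 90 seconds after pulling a ZIP from Onehub and is flagged high; WS-ISR-033 installs the same agent more than two hours after its Sync download, so it only gets the standalone medium alert, which is still worth triage because an RMM agent appearing outside change control is the end state of this campaign regardless of how it arrived. A real deployment would also exclude hosts where the RMM product is sanctioned and feed the download list from proxy or DNS telemetry rather than a single log stream.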

The campaign shows the group adjusting its tradecraft as targets harden their defences. Where previous operations relied mainly on attachments that carried the payload, this is the first reported instance of the group embedding malicious URLs inside PDF attachments.

Researchers attributed the campaign to TA450 based on an analysis of the group's tactics, techniques, and procedures, together with its consistent targeting patterns and known malware signatures.

MuddyWater's association with Iran's Ministry of Intelligence and Security gives it the resources to run sustained cyberespionage campaigns against countries Iran regards as adversaries. Its operations have reached targets across North America, Europe, and Asia.

Experts advise organisations in the targeted countries to treat unexpected attachments and links with caution, including PDFs whose only content is a link to a file-sharing site, since this group has now added that lure to its phishing repertoire. Beyond user awareness, companies should restrict or monitor the installation of remote administration tools such as AteraAgent, and alert on MSI installers downloaded from consumer file-sharing platforms, because the installer itself is legitimate software and will not be caught by malware signatures alone.
