Muddywater Adopts Legitimate Tactics

The information security company Proofpoint discovered a new phishing campaign conducted by the Iranian group Muddywater. The campaign targeted Israeli organizations in the global manufacturing, technology, and information security sectors, distributing Atera's legitimate remote monitoring and management (RMM) software.

The attack, which occurred between March 7 and March 11, involved hosting files on file-sharing services such as Egnyte, Onehub, Sync, and Terabox. Phishing emails themed around invoice payments or salary information were sent from compromised accounts on the Israeli “.co.il” domain.

When users clicked the link in the attached PDF document, they unknowingly downloaded a ZIP archive containing an MSI installer that deployed the Atera Agent on the compromised system. Muddywater has been using the Atera Agent since July 2022.

This discovery marks a shift in Muddywater’s tactics, as the group typically placed malicious links directly in the email body. Proofpoint researchers noted that although embedding malicious links in PDF attachments is not a new technique, this is the first time they have observed Muddywater using it.

Researchers at Proofpoint attributed the campaign to Muddywater based on the group's known tactics, techniques, and procedures (TTPs), its targeting, and malware analysis. In 2022, US Cyber Command linked the group to Iran's Ministry of Intelligence and Security.
