New Investigation: APT TA450, MuddyWater uses new tactics and targets Israeli employees

--

Proofpoint researchers have recently observed new activity from the Iran-linked threat actor TA450, also known as MuddyWater, Mango Sandstorm and Static Kitten. The campaign uses a payments-themed social engineering lure and targets Israeli employees at large multinational organizations. TA450 has a history of attacking Israeli entities, especially since the war escalated in October 2023, and it continues that trend here with a focus on global manufacturing, technology, and information security companies.

Figure 1. Opened PDF attachment with malicious link.

In the phishing campaign, TA450 sent emails with PDF attachments containing malicious URLs from March 7 to March 11, 2024. This method is not new for TA450, but the threat actor has lately tended to place malicious links directly in the email body rather than adding the extra step of an attachment. Proofpoint researchers observed the same targets receiving multiple phishing emails with PDF attachments that contained different links. The URLs lead to various file sharing sites such as Egnyte, OneHub, Sync, and TeraBox. The emails were sent from a likely compromised .IL sender account, which is consistent with TA450’s recent activity.


Figure 2. Zip file that leads to the download of remote administration software via OneHub.

When a target opens the attachment and clicks the embedded link, a zip archive containing a malicious MSI is downloaded. The MSI ultimately installs AteraAgent, a legitimate remote administration tool that TA450 is known to abuse.
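The two stages described above (a PDF attachment whose link points at a file sharing service, then an MSI run from the downloaded archive that installs AteraAgent) can each be expressed as a simple detection rule. The following is an added illustration, not code from Proofpoint or from the report: the hostnames for the sharing services, the Windows paths, the shape of the email and process records, and the sample messages and events are all constructed assumptions for the example.

```python
import re
from dataclasses import dataclass

# File sharing services named in the report. The hostnames are assumptions;
# the report names the services, not the exact domains used in the lures.
SHARING_DOMAINS = ("egnyte.com", "onehub.com", "sync.com", "terabox.com")
PAYMENT_WORDS = re.compile(r"payment|invoice|salary|remittance", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s\"'<>)]+", re.IGNORECASE)
# An MSI launched from a Downloads or Temp path (where Explorer unpacks a zip).
MSI_RE = re.compile(r"(?:\\Downloads\\|\\Temp\\)[^\s\"]*\.msi\b", re.IGNORECASE)


@dataclass
class Email:
    sender: str
    subject: str
    attachments: dict  # filename -> text already extracted from the PDF (assumed done upstream)


def _host(url):
    return re.sub(r"^https?://", "", url, flags=re.IGNORECASE).split("/")[0].split(":")[0].lower()


def sharing_links(text):
    """Return URLs in `text` whose host is one of the file sharing services."""
    return [u for u in URL_RE.findall(text)
            if any(_host(u) == d or _host(u).endswith("." + d) for d in SHARING_DOMAINS)]


def score_email(msg):
    """Reasons to hold the message for review; an empty list means no match."""
    reasons = []
    for name, text in msg.attachments.items():
        if name.lower().endswith(".pdf"):
            links = sharing_links(text)
            if links:
                reasons.append(f"PDF {name} links to file sharing host: {', '.join(links)}")
    if not reasons:
        return reasons  # the PDF-with-link pattern is the anchor; the rest only adds weight
    if msg.sender.rsplit("@", 1)[-1].lower().endswith(".il"):
        reasons.append("sender in .il domain (report notes a likely compromised .IL account)")
    if PAYMENT_WORDS.search(msg.subject):
        reasons.append("payments-themed subject line")
    return reasons


def install_chain_alerts(events, window=300):
    """Flag msiexec running an MSI from a download/temp path followed within
    `window` seconds by AteraAgent starting. Events are dicts with ts (seconds),
    image (process path) and cmdline; this record shape is an assumption."""
    alerts = []
    msi_runs = [e for e in events
                if e["image"].lower().endswith("msiexec.exe") and MSI_RE.search(e["cmdline"])]
    for m in msi_runs:
        for e in events:
            delta = e["ts"] - m["ts"]
            if "ateraagent" in e["image"].lower() and 0 <= delta <= window:
                alerts.append(f"msiexec ran {MSI_RE.search(m['cmdline']).group(0)}; "
                              f"AteraAgent started {delta}s later")
                break
    return alerts


# Constructed samples for the example (not real indicators from the report).
SAMPLE_PHISH = Email(
    sender="finance@example-corp.co.il",
    subject="Payment confirmation required",
    attachments={"payment_details.pdf":
                 "Please review: https://app.onehub.com/files/abc123 before Friday."},
)
SAMPLE_BENIGN = Email(
    sender="hr@example.com",
    subject="Team lunch",
    attachments={"menu.pdf": "Menu: https://www.example.com/menu"},
)
SAMPLE_EVENTS = [
    {"ts": 100, "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r'msiexec.exe /i "C:\Users\dana\AppData\Local\Temp\Temp1_payment_docs.zip\setup.msi" /quiet'},
    {"ts": 160, "image": r"C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exe",  # assumed install path
     "cmdline": "AteraAgent.exe"},
    {"ts": 500, "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
]

if __name__ == "__main__":
    for reason in score_email(SAMPLE_PHISH):
        print("email:", reason)
    for alert in install_chain_alerts(SAMPLE_EVENTS):
        print("endpoint:", alert)
```

The email rule deliberately treats the PDF-with-sharing-link pattern as the required anchor and the .IL sender and payments theme as supporting signals, since either of the latter alone is common in legitimate mail; the endpoint rule pairs the MSI launch with the subsequent AteraAgent start so that a sanctioned RMM deployment pushed from a management share does not trigger it.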

The article is in Dutch
