24 April 2024

Iranian hackers exploit RMM tools to deliver malware

The Iran-affiliated state-backed threat actor tracked as MuddyWater (aka Mango Sandstorm, Seedworm or TA450) has been linked to a malware campaign that abuses a legitimate remote monitoring and management (RMM) tool, Atera Agent. The campaign has been ramping up since October 2023, coinciding with the Hamas attack launched on southern Israel from the Gaza Strip.

MuddyWater has been employing RMM software as part of its cyber espionage campaigns since at least 2021, with a recent focus on Atera Agent. This tactic allows the group to evade detection and maintain operational security.

Since late October 2023, cybersecurity researchers at HarfangLab have observed a surge in MuddyWater's use of Atera Agent installation packages, continuing through April 2024, with the group's spearphishing and social engineering techniques becoming more sophisticated.

The sectors targeted by MuddyWater between October 2023 and April 2024 include airlines, IT companies, telecommunications, pharmaceuticals, automotive manufacturing, logistics, travel and tourism, employment/immigration agencies, and small businesses across Israel, India, Algeria, Turkey, Italy, and Egypt.

One aspect of MuddyWater's strategy involves abusing Atera's free trial offers: the group creates Atera Agent accounts using compromised business and private email accounts.

The researchers believe that the group likely breached victim accounts through various means, including password spraying, exploiting password reuse, utilizing credentials from data breaches, or purchasing them on the dark web.

“There are indications of collaboration and hand-off of compromised targets between Iranian threat actors to conduct supply-chain attacks. This suggests that MuddyWater may not only actively compromise business email accounts themselves but also receive access to previously breached accounts from other affiliate groups,” according to the report.

In one instance, the threat actor has been observed using customer service software Zendesk as a distribution channel for malicious Atera Agent installers.

“Like other Atera Agent installers described in this report, this installer was packed in a ZIP archive. We suspect that the attacker uploaded the malicious archive during a chat session, likely posing as a visitor/customer, but possibly as an agent/support provider,” the researchers said.

The attackers appear to take advantage of the lack of malware scanning on attachments in standalone chat subscriptions to distribute their payloads.

“MuddyWater places a high priority on gaining access to business email accounts as part of their ongoing attack campaigns. These compromised accounts serve as a valuable resource, enabling the group to enhance the credibility and effectiveness of their spear-phishing efforts, establish persistence within targeted organizations, and evade detection by blending in with legitimate network traffic,” the report notes. “Adding to that the use of RMM software (previously self-hosted, now in-cloud), as well as using various file hosting providers, makes this sort of activity challenging to detect and track.”
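The report's closing point, that cloud-hosted RMM agents blend in with legitimate activity, is easier to act on with an allowlist-based hunt over software-inventory data. The following is an added example, not code from the article or from HarfangLab: it takes software install records (a constructed sample is embedded), flags any RMM agent that is not on the organisation's approved list, and raises the severity when the installer was run from a user's Downloads/Temp folder or directly out of a ZIP archive, the delivery pattern the report describes. The record fields, the approved product name "ExampleCorp Remote Support", and all hostnames, users and paths are assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Product-name patterns that identify an RMM agent in inventory data.
# "Atera" is the tool named in the report; extend this list with the RMM
# products seen in your own environment (assumption: the inventory exposes
# the installer's ProductName string, e.g. "Atera Agent" or "AteraAgent").
RMM_PRODUCT_PATTERNS = [re.compile(r"\batera(agent)?\b", re.IGNORECASE)]

# RMM products the organisation has licensed and deploys itself.
# Placeholder value; replace with your approved tool name(s), lower-cased.
APPROVED_RMM_PRODUCTS = {"examplecorp remote support"}

# Installer locations typical of a user opening an e-mailed or chat-delivered
# file: profile Downloads/Temp folders rather than a deployment share.
USER_STAGING_PATH = re.compile(
    r"\\Users\\[^\\]+\\(Downloads|AppData\\Local\\Temp)\\", re.IGNORECASE
)


@dataclass
class InstallRecord:
    """One software install event as exported from inventory/MSI logs."""
    host: str
    product: str
    publisher: str
    user: str          # account that ran the installer
    source_path: str   # full path of the installer package


@dataclass
class Finding:
    host: str
    product: str
    severity: str
    reasons: List[str] = field(default_factory=list)


def is_rmm_product(product_name: str) -> bool:
    """True when the product name matches a known RMM agent pattern."""
    return any(p.search(product_name) for p in RMM_PRODUCT_PATTERNS)


def assess(rec: InstallRecord) -> Optional[Finding]:
    """Return a Finding for an unapproved RMM install, else None."""
    if not is_rmm_product(rec.product):
        return None
    if rec.product.lower() in APPROVED_RMM_PRODUCTS:
        return None

    reasons = ["RMM agent is not on the approved list"]
    severity = "medium"
    if USER_STAGING_PATH.search(rec.source_path):
        reasons.append("installer launched from a user Downloads/Temp folder")
        severity = "high"
    if ".zip\\" in rec.source_path.lower():
        reasons.append("installer executed directly from inside a ZIP archive")
        severity = "high"
    return Finding(rec.host, rec.product, severity, reasons)


def hunt(records) -> List[Finding]:
    """Run assess() over every record, keeping input order."""
    return [f for f in (assess(r) for r in records) if f is not None]


# Constructed sample records (hostnames, users, publishers and paths are invented).
SAMPLE_RECORDS = [
    InstallRecord("WS-0142", "Atera Agent", "Atera", r"CORP\jdoe",
                  r"C:\Users\jdoe\AppData\Local\Temp\Temp1_invoice.zip\AteraAgent.msi"),
    InstallRecord("WS-0077", "ExampleCorp Remote Support", "ExampleCorp", r"CORP\svc-deploy",
                  r"\\deploy01\software\rmm\agent.msi"),
    InstallRecord("WS-0203", "Acme PDF Reader 4.2", "Acme Software", r"CORP\asmith",
                  r"C:\Users\asmith\Downloads\acme-pdf-4.2.msi"),
    InstallRecord("SRV-DB02", "Atera Agent", "Atera", r"CORP\admin-t1",
                  r"\\deploy01\software\atera\AteraAgent.msi"),
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_RECORDS):
        print(f"[{f.severity.upper()}] {f.host}: {f.product} - {'; '.join(f.reasons)}")
```

The medium-severity finding (an Atera install pushed from a deployment share by an admin account) still deserves a ticket: the report's point is that the agent itself is legitimate software, so an allowlist, not a signature, is what separates sanctioned RMM from an attacker's trial account.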
