Deploys – INDIA NEWS (https://www.indiavpn.org)

Iran-Linked MuddyWater Deploys Atera for Surveillance in Phishing Attacks
https://www.indiavpn.org/2024/03/25/iran-linked-muddywater-deploys-atera-for-surveillance-in-phishing-attacks/
Mon, 25 Mar 2024 08:54:34 +0000

Mar 25, 2024 | Newsroom | Cyber Espionage / Email Security


The Iran-affiliated threat actor tracked as MuddyWater (aka Mango Sandstorm or TA450) has been linked to a new phishing campaign in March 2024 that aims to deliver a legitimate Remote Monitoring and Management (RMM) solution called Atera.

The activity, which took place from March 7 through the week of March 11, targeted Israeli entities spanning global manufacturing, technology, and information security sectors, Proofpoint said.

“TA450 sent emails with PDF attachments that contained malicious links,” the enterprise security firm said. “While this method is not foreign to TA450, the threat actor has more recently relied on including malicious links directly in email message bodies instead of adding in this extra step.”

MuddyWater has been attributed to attacks directed against Israeli organizations since late October 2023, with prior findings from Deep Instinct uncovering the threat actor’s use of another remote administration tool from N-able.


This is not the first time the adversary – assessed to be affiliated with Iran’s Ministry of Intelligence and Security (MOIS) – has come under the spotlight for its reliance on legitimate remote desktop software to meet its strategic goals. It has also been observed utilizing ScreenConnect, RemoteUtilities, Syncro, and SimpleHelp.

The latest attack chains involve MuddyWater embedding links to files hosted on file-sharing sites such as Egnyte, Onehub, Sync, and TeraBox. Some of the pay-themed phishing messages are said to have been sent from a likely compromised email account associated with the “co.il” (Israel) domain.

In the next stage, clicking on the link present within the PDF lure document leads to the retrieval of a ZIP archive containing an MSI installer file that ultimately installs the Atera Agent on the compromised system. MuddyWater’s use of Atera Agent dates back to July 2022.

The shift in MuddyWater’s tactics comes as an Iranian hacktivist group dubbed Lord Nemesis has targeted the Israeli academic sector by breaching a software services provider named Rashim Software, in what is a case of a software supply chain attack.

“Lord Nemesis allegedly used the credentials obtained from the Rashim breach to infiltrate several of the company’s clients, including numerous academic institutes,” Op Innovate said. “The group claims to have obtained sensitive information during the breach, which they may use for further attacks or to exert pressure on the affected organizations.”

Lord Nemesis is believed to have gained unauthorized access to Rashim’s infrastructure by hijacking the admin account and leveraging the company’s inadequate multi-factor authentication (MFA) protections, and to have then used that access to harvest personal data of interest.


It also sent email messages to over 200 of its customers on March 4, 2024, four months after the initial breach took place, detailing the extent of the incident. The exact method by which the threat actor gained access to Rashim’s systems was not disclosed.

“The incident highlights the significant risks posed by third-party vendors and partners (supply chain attack),” security researcher Roy Golombick said. “This attack highlights the growing threat of nation-state actors targeting smaller, resource-limited companies as a means to further their geo-political agendas.”

“By successfully compromising Rashim’s admin account, the Lord Nemesis group effectively circumvented the security measures put in place by numerous organizations, granting themselves elevated privileges and unrestricted access to sensitive systems and data.”

TA866 Deploys WasabiSeed & Screenshotter Malware
https://www.indiavpn.org/2024/01/20/ta866-deploys-wasabiseed-screenshotter-malware/
Sat, 20 Jan 2024 07:30:15 +0000


The threat actor tracked as TA866 has resurfaced after a nine-month hiatus with a new large-volume phishing campaign to deliver known malware families such as WasabiSeed and Screenshotter.

The campaign, observed earlier this month and blocked by Proofpoint on January 11, 2024, involved sending thousands of invoice-themed emails targeting North America bearing decoy PDF files.

“The PDFs contained OneDrive URLs that, if clicked, initiated a multi-step infection chain eventually leading to the malware payload, a variant of the WasabiSeed and Screenshotter custom toolset,” the enterprise security firm said.

TA866 was first documented by the company in February 2023, when it attributed to the group a campaign named Screentime that distributed WasabiSeed, a Visual Basic script dropper used to download Screenshotter, a tool that takes screenshots of the victim’s desktop at regular intervals and exfiltrates them to an actor-controlled domain.

There is evidence that the organized actor may be financially motivated: Screenshotter acts as a reconnaissance tool to identify high-value targets for post-exploitation, after which an AutoHotKey (AHK)-based bot is deployed to ultimately drop the Rhadamanthys information stealer.


Subsequent findings from Slovak cybersecurity firm ESET in June 2023 unearthed overlaps between Screentime and another intrusion set dubbed Asylum Ambuscade, a crimeware group active since at least 2020 that also engages in cyber espionage operations.

The latest attack chain remains virtually unchanged save for the switch from macro-enabled Publisher attachments to PDFs bearing a rogue OneDrive link, with the campaign relying on a spam service provided by TA571 to distribute the booby-trapped PDFs.


“TA571 is a spam distributor, and this actor sends high volume spam email campaigns to deliver and install a variety of malware for their cybercriminal customers,” Proofpoint researcher Axel F said.

This includes AsyncRAT, NetSupport RAT, IcedID, PikaBot, QakBot (aka Qbot), and DarkGate, the last of which allows attackers to perform various commands such as information theft, cryptocurrency mining, and execution of arbitrary programs.

Splunk, which detected multiple campaigns deploying a loader designed to initiate DarkGate on compromised endpoints, said malicious PDF files act as a carrier for an MSI installer that executes a cabinet (CAB) archive to trigger the execution of DarkGate via an AutoIt loader script.

“Darkgate first appeared in 2017 and is sold only to a small number of attack groups in the form of Malware-as-a-Service through underground forums,” South Korean cybersecurity company S2W said in an analysis of the malware this week.

“DarkGate continues to update it by adding features and fixing bugs based on analysis results from security researchers and vendors,” highlighting continued efforts made by adversaries to implement anti-analysis techniques to bypass detection.

News of TA866’s resurgence comes as Cofense revealed that shipping-related phishing emails primarily single out the manufacturing sector to propagate malware like Agent Tesla and Formbook.

“Shipping-themed emails increase during the holiday seasons, albeit only slightly,” Cofense security researcher Nathaniel Raymond said.


“For the most part, the yearly trends suggest that these emails follow a particular trend throughout the year with varying degrees of volumes, with the most significant volumes being in June, October, and November.”

The development also follows the discovery of a novel evasion tactic that abuses the caching mechanism of security products to get around them: the phishing message sent to the targeted individual carries a Call To Action (CTA) URL that, at the time it is scanned, points to a trusted website.


“Their strategy involves caching a seemingly benign version of the attack vector and subsequently altering it to deliver a malicious payload,” Trellix said, stating such attacks have disproportionately targeted financial services, manufacturing, retail, and insurance verticals in Italy, the U.S., France, Australia, and India.

When such a URL gets scanned by the security engine, it’s marked as safe, and the verdict is stored in its cache for a set time. This also means that if the URL is encountered again within that time period, the URL is not reprocessed, and instead, the cached result is served.

Trellix pointed out that attackers are taking advantage of this quirk by waiting until the security vendors process the CTA URL and cache their verdict, and then altering the link to redirect to the intended phishing page.

“With the verdict being benign, the email smoothly lands in the victim’s inbox,” security researchers Sushant Kumar Arya, Daksh Kapur, and Rohan Shah said. “Now, should the unsuspecting recipient decide to open the email and click on the link/button within the CTA URL, they would be redirected to the malicious page.”
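To make the caching weakness concrete, here is a small simulation added for this page (not Trellix’s or any vendor’s code): a scanner that caches verdicts per CTA URL for a fixed TTL, the link being retargeted after the scan, and a time-of-click rescan keyed on the resolved destination as the mitigation. All URLs, the clock and the reputation set are constructed stand-ins.

```python
import time

# Constructed sample values for the walkthrough; not from the Trellix report.
BENIGN_TARGET = "https://trusted.example.com/invoice"
PHISH_TARGET = "https://phish.example.invalid/login"
KNOWN_BAD = {PHISH_TARGET}  # stand-in for the engine's reputation data

def scan(destination):
    """Stand-in for the security engine's reputation/content scan."""
    return "malicious" if destination in KNOWN_BAD else "benign"

class VerdictCache:
    """Scanner front-end that keeps verdicts for a fixed TTL."""
    def __init__(self, ttl_seconds, clock=time.monotonic):
        self.ttl, self.clock, self._store = ttl_seconds, clock, {}

    def _lookup(self, key, destination):
        now = self.clock()
        hit = self._store.get(key)
        if hit and hit[1] > now:          # fresh cache entry: served as-is
            return hit[0]
        verdict = scan(destination)
        self._store[key] = (verdict, now + self.ttl)
        return verdict

    def verdict_by_url(self, cta_url, redirects):
        """Weak: keyed on the CTA URL, so a later retarget goes unseen."""
        return self._lookup(cta_url, redirects[cta_url])

    def verdict_at_click(self, cta_url, redirects):
        """Hardened: re-resolve at click time and key on the destination."""
        dest = redirects[cta_url]
        return self._lookup(("dest", dest), dest)

def replay_attack():
    """Replay the sequence from the report: scan, retarget, victim clicks."""
    t = [0.0]                               # fake clock, in seconds
    cache = VerdictCache(ttl_seconds=3600, clock=lambda: t[0])
    cta = "https://cta.example.net/go"      # attacker-controlled link (constructed)
    redirects = {cta: BENIGN_TARGET}        # where the CTA URL points right now
    delivery = cache.verdict_by_url(cta, redirects)  # delivery scan caches "benign"
    redirects[cta] = PHISH_TARGET           # link is retargeted after the scan
    t[0] += 600                             # victim clicks ten minutes later
    return {"delivery": delivery,
            "naive_click": cache.verdict_by_url(cta, redirects),
            "hardened_click": cache.verdict_at_click(cta, redirects)}
```

The naive path keeps answering "benign" until the TTL expires, while keying on the destination reached at click time flags the swapped target immediately.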

Iranian State-Sponsored OilRig Group Deploys 3 New Malware Downloaders
https://www.indiavpn.org/2023/12/26/iranian-state-sponsored-oilrig-group-deploys-3-new-malware-downloaders/
Tue, 26 Dec 2023 15:43:13 +0000

Dec 14, 2023 | Newsroom | Malware / Cyber Espionage


The Iranian state-sponsored threat actor known as OilRig deployed three different malware downloaders throughout 2022 to maintain persistent access to victim organizations located in Israel.

The three new downloaders have been named ODAgent, OilCheck, and OilBooster by Slovak cybersecurity company ESET. The attacks also involved the use of an updated version of a known OilRig downloader dubbed SampleCheck5000 (or SC5k).

“These lightweight downloaders […] are notable for using one of several legitimate cloud service APIs for [command-and-control] communication and data exfiltration: the Microsoft Graph OneDrive or Outlook APIs, and the Microsoft Office Exchange Web Services (EWS) API,” security researchers Zuzana Hromcová and Adam Burgher said in a report shared with The Hacker News.

The goal of using well-known cloud service providers for command-and-control communication is to blend in with authentic network traffic and conceal the group’s attack infrastructure.

Some of the targets of the campaign include an organization in the healthcare sector, a manufacturing company, and a local governmental organization, among others. All the victims are said to have been previously targeted by the threat actor.


The exact initial access vector used to compromise the targets is currently unclear, and it’s not known whether the attackers managed to retain their foothold in the networks so as to deploy these downloaders at various points in time in 2022.

OilRig, also known as APT34, Crambus, Cobalt Gypsy, Hazel Sandstorm (formerly EUROPIUM), and Helix Kitten, is an Iranian cyber espionage group that’s known to be active since at least 2014, using a wide range of malware at its disposal to target entities in the Middle East.


This year alone, the hacking crew has been observed leveraging novel malware like MrPerfectionManager, PowerExchange, Solar, Mango, and Menorah.


ODAgent, first detected in February 2022, is a C#/.NET downloader that uses the Microsoft OneDrive API for command-and-control (C2) communications, allowing the threat actor to download and execute payloads and to exfiltrate staged files.

SampleCheck5000, on the other hand, is designed to interact with a shared Microsoft Exchange mail account to download and execute additional OilRig tools using the Office Exchange Web Services (EWS) API.

OilBooster, in the same way as ODAgent, uses Microsoft OneDrive API for C2, whereas OilCheck adopts the same technique as SampleCheck5000 to extract commands embedded in draft messages. But instead of using the EWS API, it leverages Microsoft Graph API for network communications.


OilBooster is also similar to OilCheck in that it employs the Microsoft Graph API to connect to a Microsoft Office 365 account. What’s different this time around is that the API is used to interact with an actor-controlled OneDrive account as opposed to an Outlook account in order to fetch commands and payloads from victim-specific folders.

These tools also share similarities with MrPerfectionManager and PowerExchange backdoors when it comes to using email-based C2 protocols to exfiltrate data, although in the case of the latter, the victimized organization’s Exchange Server is used to send messages to the attacker’s email account.

“In all cases, the downloaders use a shared (email or cloud storage) OilRig-operated account to exchange messages with the OilRig operators; the same account is typically shared by multiple victims,” the researchers explained.

“The downloaders access this account to download commands and additional payloads staged by the operators, and to upload command output and staged files.”
