Anti-Phishing, DMARC , Cyberwarfare / Nation-State Attacks , Fraud Management & Cybercrime

Iranian TA450 Group Tries Out New Tactics on Israelis

Proofpoint Researchers Say Beware of Phishing Emails, Embedded Links in PDFs
Iranian TA450 Group Tries Out New Tactics on Israelis
Image: Shutterstock

Iran-aligned threat actor TA450, also called MuddyWater, is using fake salary, compensation and financial incentive emails to trick Israeli employees at multinational organizations into clicking malicious links, according to researchers at security firm Proofpoint.

See Also: OnDemand Webinar | Third-Party Risk, ChatGPT & Deepfakes: Defending Against Today's Threats

TA450, a cyberespionage group also known as MuddyWater, Mercury and Static Kitten, is enticing victims at global manufacturing, technology and information security companies with pay-related social engineering lures. Proofpoint on Thursday said the campaign is a continuation of attacks against Israeli organizations since the start of the Israel-Hamas war in October 2023.

Proofpoint said TA450 is targeting regional technology providers to gain access to downstream users at small to midsized firms through supply chain attacks against vulnerable regional managed services providers.

The phishing campaign began March 7 and persisted through the week of March 11. TA450 sent emails containing PDF attachments with malicious links. Although this tactic isn't new to TA450, recent observations indicated the group prefers to include malicious links directly in the body of emails.

The PDF attachments have slightly varied embedded links leading to file-sharing sites such as Egnyte, Onehub, Sync and TeraBox. The emails originated from likely compromised .IL sender accounts, consistent with TA450's recent activities, Poofpoint said.

Initial access downloads a ZIP archive containing a compressed MSI file, which installs AteraAgent, a remote administration software typically abused by TA450.

Emails from a compromised email address at a midsized financial services firm included a link to the cloud hosting provider Onehub. This link directs the victim to a ZIP archive that contains a legitimate installer executable file for the remote administration tool Syncro.

"While Syncro is a legitimate remote administration tool used in businesses, in this context, once installed on the target host, threat actors would be able to utilize the remote administration tool like a remote access Trojan and conduct additional intrusion activities, likely through both native tools and proprietary malware," Proofpoint researchers said previously.

The group previously used side-loading DLLs to trick legitimate programs into running malware and obfuscating PowerShell scripts to hide command-and-control functions.

Proofpoint researchers attribute the campaign to TA450 based on their analysis of the group's tactics, techniques and procedures, as well as targeting patterns and malware used.

The U.S. Cyber Command says the APT group - active since 2017- is linked to Iran's Ministry of Intelligence and Security (see: MuddyWater Targets Critical Infrastructure in Asia, Europe).

TA450 is linked to espionage campaigns against high-value targets in North America, Europe and Asia.

The latest campaign demonstrates TA450's evolving tactics. While not the first instance of using attachments with malicious links, it was the first time the group tried to deliver a malicious URL within a PDF.

Also, a Proofpoint researcher told Information Security Media Group, "This campaign is the first time Proofpoint has observed TA450 using a sender email account that matches the lure content."


About the Author

Prajeet Nair

Prajeet Nair

Assistant Editor, Global News Desk, ISMG

Nair previously worked at TechCircle, IDG, Times Group and other publications, where he reported on developments in enterprise technology, digital transformation and other issues.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing inforisktoday.eu, you agree to our use of cookies.