Decoration PressNEWSROOM

Increased activity from Iran sponsored APT MuddyWater, targeting Middle East, African & European organisations.

4 min

After a publication from the Israel National Cyber Directorate about a wave of attacks targeting local organizations, HarfangLab Cyber Threat Research Team further investigated and hunted to know more about the actor behind the attack, its techniques and tactics, and the extended victimology. MuddyWater is an active APT actor, assessed with high confidence to be sponsored by the Iranian state. Given the ever-rising tensions between Iran and Israel, HarfangLab CTR team has been following its activities closely. They discovered a very active campaign, particularly heavy since October 2023 which relates to the escalation of the conflict between Hamas and Israel.

Who is Muddy Water

MuddyWater is an APT Group assessed to be a subordinate element within the Ministry of Intelligence and Security. The group has been mostly targeting entities in the Middle East in his history, but also recently, some African Telecom Organisations. This latest activity was also supposedly linked to the Israel-Hamas conflict. Known and active since, at least 2017, MuddyWater’s modus operandi is usually to leverage legitimate compromised Remote Monitoring and Management (RMM) tools to infect the victims’ machines and get full control on them through this tool. As apparent from the ongoing attack campaign HarfangLab CTR team has been researching, the group now fully migrated to abuse Atera Agent. It provides a great operational security as it doesn’t need any infrastructure to be set up by the attackers.

A prosperous APT group, with fine-tuned attacking methods

Estimated timeline of Atera agent activity

The researchers discovered a significant increase of the RMM tool Atera Agent installation packages since October 2023. Over the past 6 months, MuddyWater further fine-tuned their use of legitimate RMM software and have ramped up its attacks. They are using the Atera Agent free trial offer and registered via compromised business and private email accounts to penetrate the victims’ machines. And to distribute the infected installation package link, they use spear phishing methods to lure their targets. Mails contain links leading to free file hosting services which host an archive with Atera Agent installer or provide direct access to the installer itself. HarfangLab CTR team have also discovered the actor abusing Zendesk chat module for hosting these installers. It’s interesting noting that the emails used to register to Atera Agent, and to distribute the spear phishing emails are not the same.

Such attack gives the threat actor full control over whomever installs them. From the computers they infect, they likely steal information and credentials that they use again in the next attack. These credentials are then likely used to send the next spear phishing email, and so on.

The researchers noted that the sophistication and the relevance of the spear phishing emails increased between the beginning of the campaign in October 2023 and now. MuddyWater tailored lures have much improved over the course of that time.

We suspect that MuddyWater does not only compromise business emails themselves but also receive access to previously breached accounts from affiliate groups.

Although we couldn’t confirm further stages in the attack lifecycle, we believe that these Atera Agent deployments are followed by deployments of PowerShell implants.

Dozens of identified victims across the region

Map of suspected targets
Fig. 9 – Map of suspected targets

Between October 2023 & April 2024, the identified victims of this specific campaign, which HarfangLab researchers estimate as being only a small part of the whole victimology, are airlines, IT companies, telecommunications, pharmaceuticals, automotive manufacturing, logistics, travel and tourism, immigration services and small businesses across Israel, Algeria, India, Turkey, Italy and Egypt.

Ariel Jungheit, Threat Researcher at HarfangLab explainsIn light of the escalating conflict in Israel, MuddyWater is as active as ever. The group persists in its primary espionage efforts, likely bolstered by affiliate `faketivist` groups aimed at destabilizing capabilities. Given the recent development in the region, particularly Iran’s direct use of kinetic weapons, we anticipate an increase in cyber operations from both sides in the near future.”

Recovery and prevention of such attacks

Unfortunately, it is always complicated for organisations to catch the abuse of RMM softwares, especially when they are identified as legitimate. Unless the organization closely monitors the use of such software, or blocks them altogether, the initial infection will likely not be detected. We can only strongly recommend the companies to raise awareness among their staff to be very cautious with linked emails and to pay attention to phishing attempts.

HarfangLab’s threat detection rules have now been updated to detect and block execution of Atera Agent binaries that MuddyWater used.

To read the full report, please go on Inside the Lab