Credential Dumping Campaign with Atera Agent Linked to MuddyWater

Category: Threat Actor Activity | Industry: Global | Source: Sophos

An incident tracked in November 2024 links the Iranian cyber espionage group MuddyWater (aka Mango Sandstorm, Static Kitten, STAC 1171, TA450) to a credential theft operation targeting an organization in Israel, which was detected and blocked by Sophos. Analysis of the incident revealed a domain matched with one reported by Proofpoint in March 2024 as being associated with the MuddyWater threat group. This current operation begins with targeted phishing emails designed to lure victims into downloading a zip archive from a malicious Onehub link. The "New Program ICC LTD.zip" archive contained an installer for the Atera remote monitoring and management (RMM) tool. Sophos observed that the attackers used a "trial account registered to an email address we believe was compromised."

Following the installation of the Atera agent, the attackers executed a PowerShell script that invoked the C# Compiler (csc.exe) to compile a file in the temporary directory (C:\WINDOWS\TEMP) and ran “reg.exe” to create a backup of the SYSTEM registry hive (SystemBkup.hiv). Additional actions included conducting network domain enumeration, creating an SSH tunnel, and using an obfuscated PowerShell command to download another RMM tool, Level. Sophos, expressing moderate confidence in linking this activity to MuddyWater, cautions that the group remains actively engaged. Sophos also reports observing "telemetry of another Sophos non-MDR customer in the United States that follows the same behavior," highlighting the broader threat posed by this campaign.