
Proofpoint and cyber threat strategies TA450

by admin

Proofpoint highlights a new tactic from TA450, which attempted to deliver a malicious URL inside a PDF attachment rather than linking the file directly in the email body. TA450, also known as MuddyWater, Mango Sandstorm and Static Kitten, used pay-themed social engineering lures to target Israeli employees of large multinationals. TA450 has targeted Israeli entities at least since October 2023, the start of the war between Israel and Hamas. Its primary targets are global manufacturing, technology and cybersecurity companies.

Pay attention to the sender .IL account

In the phishing campaign, which began on March 7 and continued through the week of March 11, 2024, TA450 sent emails with PDF attachments containing malicious links. While this method is not entirely new for TA450, the actor had more recently relied on malicious links placed directly in the body of the email rather than adding this extra step. Proofpoint researchers observed the same targets receiving multiple phishing emails with PDF attachments that contained slightly different embedded links.

How TA450 cyber threat strategies are changing

These links led to a number of file-sharing sites, including Egnyte, Onehub, Sync and TeraBox. The emails also came from a possibly compromised .IL sender account, which is consistent with this actor's recent activity. When a target opened the attachment and clicked the embedded link, a ZIP archive containing a compressed MSI was downloaded. This ultimately installed AteraAgent, a legitimate remote administration tool that TA450 is known to abuse. Proofpoint researchers attribute this campaign to TA450 based on known tactics, techniques and procedures, campaign targeting and malware analysis. In January 2022, US Cyber Command attributed this group to Iran's Ministry of Intelligence and Security.
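The practical defensive point of this campaign is that a mail filter which only inspects URLs in the message body never sees the link, because it lives inside the PDF. The following is an added example (not Proofpoint's or TA450's tooling, and not from the original article) of a minimal triage check: it pulls `/URI` link actions out of a PDF attachment's raw bytes and flags links that point at the file-sharing services named above or that end in an archive/installer download. The domain list is an assumption about those services' primary web domains, and the sample PDF is constructed for the demo.

```python
"""Triage check: flag risky embedded links in PDF email attachments.

Added example, not the article's or Proofpoint's code. It scans the raw bytes
of a PDF for /URI link actions and flags targets on the file-sharing services
the article names (Egnyte, Onehub, Sync, TeraBox) or that fetch a ZIP/MSI.
"""
import re
from urllib.parse import urlparse

# Assumed primary web domains of the services the article names; verify and
# extend from your own intel before using this for real.
WATCHED_FILE_SHARING = {"egnyte.com", "onehub.com", "sync.com", "terabox.com"}

# Literal-string /URI actions, e.g.  /URI (https://host/path)  with PDF
# backslash escapes allowed inside the parentheses. This deliberately does not
# inflate compressed object streams; run it on a decompressed document
# (e.g. qpdf --qdf) or extend it if your attachments use /ObjStm.
_URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")


def extract_uris(pdf_bytes: bytes) -> list[str]:
    """Return every literal-string /URI target found in the PDF bytes."""
    uris = []
    for match in _URI_RE.finditer(pdf_bytes):
        raw = match.group(1)
        # Undo the PDF literal-string escapes a URL may contain.
        raw = raw.replace(rb"\(", b"(").replace(rb"\)", b")").replace(rb"\\", b"\\")
        uris.append(raw.decode("latin-1"))
    return uris


def _registered_domain(host: str) -> str:
    """Collapse a hostname to its last two labels (app.terabox.com -> terabox.com)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def flag_links(pdf_bytes: bytes) -> list[dict]:
    """Return one finding per suspicious embedded link, with the reasons."""
    findings = []
    for uri in extract_uris(pdf_bytes):
        parsed = urlparse(uri)
        host = parsed.hostname or ""
        reasons = []
        if _registered_domain(host) in WATCHED_FILE_SHARING:
            reasons.append("file-sharing host")
        if parsed.path.lower().endswith((".zip", ".msi")):
            reasons.append("archive/installer download")
        if reasons:
            findings.append({"uri": uri, "host": host, "reasons": reasons})
    return findings


# Constructed sample: a two-link PDF skeleton (not a real lure). One link goes
# to a watched file-sharing host and fetches a ZIP, the other is benign.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Annot /Subtype /Link /A << /S /URI "
    b"/URI (https://app.terabox.com/s/CONSTRUCTED-SAMPLE.zip) >> >> endobj\n"
    b"2 0 obj << /Type /Annot /Subtype /Link /A << /S /URI "
    b"/URI (https://www.example.com/benefits) >> >> endobj\n"
    b"%%EOF\n"
)

if __name__ == "__main__":
    for finding in flag_links(SAMPLE_PDF):
        print(f"{finding['host']}: {', '.join(finding['reasons'])} -> {finding['uri']}")
```

Feed it the attachment bytes from your mail pipeline; a hit is a reason to detonate the linked download in a sandbox rather than an automatic verdict, since legitimate business mail also carries file-sharing links.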


Why it matters

This activity is noteworthy for several reasons. First, it marks a shift in TA450's tactics: while this is not the first observed case of attachments carrying malicious links as part of the attack chain, it is the first time Proofpoint researchers have observed TA450 deliver a malicious URL inside a PDF attachment rather than linking the file directly in the email. Second, it is the first time Proofpoint has observed TA450 using a sender email account whose name matches the lure content: in this campaign the actor used a "salary" mailbox on a .co[.]il domain, in keeping with the compensation-themed subject line.
