Skip to content Skip to footer

Iran-Linked Threat Actors Target Israeli Entities with New Phishing Campaign in March 2024

In March 2024, the Iran-affiliated threat actor (also known as Mango Sandstorm or ) launched a new campaign. This campaign aimed to deliver a legitimate Remote Monitoring and Management (RMM) solution called Atera. As reported by Proofpoint, the campaign targeted Israeli entities in the global manufacturing, technology, and information security sectors.

The campaign involved using emails with PDF attachments that contained malicious links, a method that is not new to . However, the threat actor has recently relied on including malicious links directly in the email message bodies instead of adding this extra step.

has been attributed to attacks directed against Israeli organizations since late October 2023. Prior findings from Deep Instinct have uncovered the threat actor's use of another remote administration tool from N-able. The enterprise security firm Proofpoint has linked to a new campaign that embeds links to files hosted on file-sharing sites, such as Egnyte, Onehub, Sync, and TeraBox.

The messages are said to have been sent from a likely compromised email account associated with the “co.il” (Israel) domain. In the next stage, clicking on the link present within the PDF lure document retrieves a ZIP archive containing an MSI installer file that ultimately installs the Atera Agent on the compromised system. 's use of Atera Agent dates back to July 2022.

It is worth noting that this is not the first time the adversary – assessed to be affiliated with Iran's Ministry of Intelligence and Security (MOIS) – has come under the spotlight for its reliance on legitimate remote desktop software to meet its strategic goals. It has also been observed utilizing ScreenConnect, RemoteUtilities, Syncro, and SimpleHelp.

The shift in 's tactics comes in the wake of another cyberattack on the Israeli academic sector by an Iranian hacktivist group dubbed Lord Nemesis. The group breached a software services provider named Rashim Software in a software supply chain attack. Lord Nemesis reportedly used the credentials obtained from the Rashim breach to infiltrate several of the company's clients, including numerous academic institutes.

The group claims to have obtained sensitive information during the breach, which they may use for further attacks or to exert pressure on the affected organizations. Lord Nemesis is believed to have used the unauthorized access it gained to Rashim's infrastructure by hijacking the admin account and leveraging the company's inadequate multi-factor authentication (MFA) protections to harvest personal data of interest.

Security researcher Roy Golombick highlights the need to implement adequate security measures to mitigate the risks posed by third-party vendors and partners. This attack highlights the growing threat of nation-state actors targeting smaller, resource-limited companies to further their geopolitical agendas.

In conclusion, the cyber threats posed by nation-state actors highlight the need for organizations to implement robust security measures to protect their sensitive data from unauthorized access.

Leave a comment

Newsletter Signup
Address

The Grid —
The Matrix Has Me
Big Bear Lake, CA 92315

01010011 01111001 01110011 01110100 01100101 01101101 00100000
01000110 01100001 01101001 01101100 01110101 01110010 01100101

A strange game. The only winning move is not to play. How about a nice game of chess?Joshua

Deitasoft © 2024. All Rights Reserved.