Keypoints
- MuddyWater increasingly used Atera Agent installers (Oct 2023–Apr 2024) as an initial access vector, letting the legitimate RMM service stand in for bespoke C2 infrastructure.
- Attackers registered Atera accounts with compromised or leaked email credentials (credential stuffing/password reuse and possible purchases) to provision agents.
- Spearphishing emails (improved lures over time) pointed recipients to cloud file-sharing links hosting ZIP archives or direct MSI installers.
- Distribution channels included Egnyte, Onehub, filetransfer[.]io, sync[.]com and Zendesk Chat uploads that produced public, non-expiring links.
- Atera’s Web UI enabled full remote control (file transfer, interactive shell/PowerShell), making it suitable for follow-on payload deployment such as PowerShell implants.
- Observed targeting spanned airlines, tourism, IT, telecom, pharma, manufacturing and small businesses across Israel, India, Algeria, Turkey, Italy and Egypt.
MITRE Techniques
- [T1566.002] Spearphishing Link – Attackers sent tailored emails that included links to cloud-hosted installers: [‘Golan Regional Council program [Link]’]
- [T1110.003] Password Spraying – The report notes suspected use of password spraying and credential reuse to access email accounts: [‘we suspect that the threat actor accessed these accounts through a variety of methods, such as password spraying, exploiting reused passwords…’]
- [T1078] Valid Accounts – Atera Agents were registered using compromised business and private email accounts to obtain legitimate remote access: [‘Atera Agent agents seen in this campaign have been registered using a mix of compromised business and private email accounts.’]
- [T1219] Remote Access Software – The actor used legitimate Atera RMM to remotely manage infected hosts and run interactive shells: [‘Atera provides comprehensive remote control capabilities directly from the Web UI, including the ability to upload/download files, run an interactive shell…’]
- [T1105] Ingress Tool Transfer – Atera installer binaries were delivered to victims via cloud file archives and direct downloads hosted on third-party services: [‘These emails contained links leading to various file-sharing websites, which either hosted an archive with the Atera Agent installer or provided direct access to the installer itself.’]
- [T1102] Web Service – The threat actor abused cloud/web services (e.g., Zendesk Chat uploads, Egnyte) to host distribution artifacts and obtain public links: [‘Attached files are uploaded as links in a chat session. Regardless of your authentication settings, those links can be accessed by anyone with the URL.’]
Indicators of Compromise
- [File Hashes] Atera Agent installers – 09e09503962a2a8022859e72b86ad8c69dcbf79839b71897c0bf8a4c4b9f4dd6 (digitalform.msi), ec553e14b84ccca9b84e96a9ed19188a1ba5f4bf1ca278ab88f928f0b00b9bd0, and 20+ other hashes listed in the report.
- [Filenames] Targeted installer names – IronSword.msi, digitalform.msi, תוכנת תיירות.msi (Tourism Program in Hebrew).
- [URLs / Hosting] Distribution links and services – v2uploads.zopim[.]io/…/892fedae59b274ca24916de33650d318168ce335.zip (Zendesk Chat), kinneretacil.egnyte[.]com, filetransfer[.]io/data-package/tuMe19fV/download, and several other hosting URLs.
- [Domains] Services abused for hosting/distribution – egnyte[.]com, zopim[.]io (Zendesk), onehub[.]com, filetransfer[.]io (examples among others).
Since late 2023 MuddyWater has favored Atera Agent as a staging tool: attackers create Atera accounts using compromised or bought email credentials (often from breaches or via password reuse), generate agent installers through Atera’s free trial, and distribute those installers to targets. Delivery relies on spearphishing emails containing links to cloud-hosted artifacts—either ZIP archives or direct MSI files—hosted on services such as Egnyte, Onehub, sync[.]com, filetransfer[.]io and Zendesk Chat. The file-sharing links give a low-friction, publicly reachable distribution channel, and the Atera service itself supplies command and control, so the actor never has to stand up attacker-controlled C2 infrastructure.
Operationally, MuddyWater combines credential access techniques (password spraying/credential stuffing and use of leaked credentials) with well-crafted lures tailored to specific victims. The actor uploaded installers during chat sessions (Zendesk) or to cloud storage subdomains to obtain persistent public links, then sent targeted emails linking to those resources. Once installed, Atera’s Web UI and agent afford full remote control (file upload/download, interactive shells, PowerShell), enabling rapid follow-on actions; the report notes the likely next stage is deployment of a PowerShell implant as previously observed.
For defenders, key detection and hunting opportunities include: scanning Atera Agent installers for the email address of the account they were generated under and flagging any that is not an address your organisation (or its RMM vendor) would use; monitoring inbound spearphishing that references organization-specific lures and leads to cloud storage or file-sharing services; and tracking public file-sharing URLs tied to known malicious uploads. The report’s hashes, URLs and YARA rules can be used to hunt for and block known artifacts while investigating any post-compromise activity stemming from abused RMM access.
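A hunting script along the lines of the tips above, added here as an example (it is not code from the HarfangLab report). It hashes candidate installers against the two SHA-256 values quoted in the indicators, pulls email addresses out of the binary as both ASCII and UTF-16LE strings (Windows installers commonly store strings as UTF-16LE, and such strings can start at an odd byte offset), flags any address outside an assumed allowlist of your own domains, and matches URLs in mail-gateway log lines against the hosting services the report names. The sample installer blob, the log lines and the `corp.example` allowlist are constructed for the example; it also assumes, as the hunting tip implies, that the registering email is present as a plain string in the installer.

```python
"""Hunt for Atera Agent installers and their delivery links.

Added example for the hunting tips above; not code from the HarfangLab report.
Assumes the registering email address is stored as a plain string in the
installer (as the tip about installers "configured to" an email implies).
"""
import hashlib
import re
from pathlib import Path

# SHA-256 values published in the report (two of the 20+ listed installers).
KNOWN_BAD_SHA256 = {
    "09e09503962a2a8022859e72b86ad8c69dcbf79839b71897c0bf8a4c4b9f4dd6",  # digitalform.msi
    "ec553e14b84ccca9b84e96a9ed19188a1ba5f4bf1ca278ab88f928f0b00b9bd0",
}

# File-sharing services the report names as distribution channels.
ABUSED_HOSTS = ("egnyte.com", "zopim.io", "onehub.com", "filetransfer.io", "sync.com")

# Domains whose Atera tenants you expect to see (assumption: your own org).
TRUSTED_EMAIL_DOMAINS = {"corp.example"}

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # MSI files are OLE compound documents
EMAIL_PATTERN = r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"
EMAIL_RE = re.compile(EMAIL_PATTERN)
EMAIL_RE_BYTES = re.compile(EMAIL_PATTERN.encode())


def extract_emails(data: bytes) -> set:
    """Return email addresses stored as ASCII or UTF-16LE strings in a blob.

    UTF-16LE strings may start at an odd byte offset, so decode from both
    offset 0 and offset 1; a misaligned decode only yields junk code points.
    """
    found = {m.decode("ascii") for m in EMAIL_RE_BYTES.findall(data)}
    for start in (0, 1):
        wide = data[start:].decode("utf-16-le", errors="ignore")
        found.update(EMAIL_RE.findall(wide))
    return found


def triage_installer(data: bytes) -> dict:
    """Hash a candidate installer, check it against the IoC list and
    report any embedded email that is not from a trusted domain."""
    sha256 = hashlib.sha256(data).hexdigest()
    emails = extract_emails(data)
    suspicious = {e for e in emails
                  if e.rsplit("@", 1)[1].lower() not in TRUSTED_EMAIL_DOMAINS}
    return {
        "sha256": sha256,
        "is_msi": data.startswith(OLE_MAGIC),
        "known_bad": sha256 in KNOWN_BAD_SHA256,
        "emails": sorted(emails),
        "suspicious_emails": sorted(suspicious),
    }


def hunt_urls(log_lines) -> list:
    """Return (line_number, url) for every URL hosted on an abused service."""
    url_re = re.compile(r"https?://[^\s\"'<>]+")
    hits = []
    for number, line in enumerate(log_lines, 1):
        for url in url_re.findall(line):
            # Strip any userinfo and port before comparing the host name.
            host = url.split("/")[2].rsplit("@", 1)[-1].split(":")[0].lower()
            if any(host == h or host.endswith("." + h) for h in ABUSED_HOSTS):
                hits.append((number, url))
    return hits


def scan_directory(root: str):
    """Yield triage results for every .msi under root (helper for real use)."""
    for path in Path(root).rglob("*.msi"):
        yield path, triage_installer(path.read_bytes())


# Constructed test data: a fake installer (OLE magic, a UTF-16LE email at an odd
# offset, an ASCII email) and three constructed mail-gateway log lines.
SAMPLE_INSTALLER = (OLE_MAGIC + b"\x00" * 7
                    + "ops@mail.example".encode("utf-16-le") + b"\x00\x00"
                    + b"\x01" + b"admin@corp.example" + b"\x00" * 8)
SAMPLE_MAIL_LOG = [
    "2024-03-02 from=hr@corp.example to=staff@corp.example url=https://example.egnyte.com/fl/constructed-link",
    "2024-03-02 from=it@corp.example to=staff@corp.example url=https://intranet.corp.example/docs/plan.pdf",
    "2024-03-03 from=tours@mail.example to=staff@corp.example url=https://v2uploads.zopim.io/constructed/archive.zip",
]

if __name__ == "__main__":
    print(triage_installer(SAMPLE_INSTALLER))
    print(hunt_urls(SAMPLE_MAIL_LOG))
```

Point `scan_directory` at a software-distribution share or a user downloads folder to triage real installers; a hit on `known_bad` is a direct indicator, while a `suspicious_emails` entry on an installer nobody in IT provisioned is the behavioural signal the report describes. The URL matcher is deliberately host-based rather than path-based, since the actor's links were fresh uploads on legitimate services rather than fixed paths.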
Read more: https://harfanglab.io/en/insidethelab/muddywater-rmm-campaign/