Keypoints
- Campaign observed 7–11 March 2024 delivering PDFs with embedded malicious links to multiple targets.
- PDF links pointed to file‑sharing services (Egnyte, Onehub, Sync, TeraBox) hosting a ZIP archive.
- Downloaded ZIP contained a compressed MSI which installed AteraAgent remote administration software.
- Emails used likely compromised .IL sender accounts and Hebrew pay-themed subjects and document titles.
- Targets were Israeli employees at large multinational manufacturing, technology, and infosec companies.
- Researchers observed multiple phishing emails with slightly different embedded links sent to the same targets.
MITRE Techniques
- [T1566.001] Spearphishing Attachment – PDF attachments carrying malicious links (‘emails with PDF attachments that contained malicious links.’)
- [T1566.002] Spearphishing Link – Malicious URLs embedded in the PDF and, in the actor's more recent activity, directly in the message body (‘the threat actor has more recently relied on including malicious links directly in email message bodies instead of adding in this extra step.’)
- [T1204.001] User Execution: Malicious Link – The target clicks the link inside the PDF, which triggers the download (‘if a target opened the attachment and clicked on the included link, it would lead to the download of a ZIP archive…’); running the MSI afterwards is [T1204.002] User Execution: Malicious File.
- [T1105] Ingress Tool Transfer – Download of tooling: ZIP → compressed MSI → install of remote administration software (‘would lead to the download of a ZIP archive containing a compressed MSI that ultimately would install AteraAgent, remote administration software’)
- [T1219] Remote Access Software – AteraAgent is a legitimate remote monitoring and management agent, installed here as the payload of the chain.
- [T1586.002] Compromise Accounts: Email Accounts – Lures sent from likely compromised third-party mailboxes rather than attacker-registered addresses (‘emails also used a likely compromised .IL sender account’)
Indicators of Compromise
- [Compromised sender] Example compromised email account used as sender – salary[@]<compromisedorg>.co[.]il
- [Email subjects] Pay-themed Hebrew subject lines used in lures – תלושי השכר (Pay slip), תלוש שכר לחודש 02/2024 (Pay slip for month 02/2024)
- [Document title] PDF document title used in lure – תלוש השכר .pdf (Pay slip)
- [URLs] File‑sharing hosts used to stage the payload – hxxps://salary.egnyte[.]com/[id], hxxp://ws.onehub[.]com/files/[id]; Sync and TeraBox were also used, but their URLs are not reproduced here
- [File hashes] Example SHA256s for delivered artifacts – dee6494e69c6e7…a25a9 (PDF), cc4cc20b5580…449450492 (salary.zip); a third hash, for salary.msi, is not reproduced here
Proofpoint observed TA450 distribute phishing emails with PDF attachments whose visible content referenced pay slips. The PDFs carried embedded links to file‑sharing services (Egnyte, Onehub, Sync, TeraBox), and the same target often received several variants of the PDF differing only in the embedded URL. The sender was a likely compromised .IL mailbox whose local part (salary@…) matched the pay-themed lure, lending the message legitimacy.
When a recipient clicked the embedded link, it led to a hosted ZIP archive containing a compressed MSI (example filenames: salary.zip → salary.msi). Once executed, the MSI installed AteraAgent, a legitimate remote administration agent that gives the operator interactive access to the host. Proofpoint published SHA256 hashes for the PDF, ZIP, and MSI to aid detection and analysis.
The chain is therefore: spearphishing PDF (attachment) → user clicks embedded link → ZIP downloaded from a file‑sharing host → compressed MSI extracted and run → AteraAgent installed. Because AteraAgent is commercial software that may already be present in some environments, detection should key on an unexpected installation following a download from one of these services, alongside the sender pattern, the Hebrew pay-themed subject and document titles, the file‑sharing URLs, and the published hashes.
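The following triage helper walks the chain described above for a single attachment: it pulls the /URI targets out of a PDF, flags those pointing at the file-sharing services named in the report, and checks the fetched ZIP for an MSI member. It is an added example, not Proofpoint's code. The PDF and ZIP bytes are constructed inline; the Egnyte and Onehub hosts come from the published URLs, while sync.com and terabox.com are assumed, since the report excerpt gives no URL for those two services, and the `EXAMPLEID` path segment is a placeholder for the identifier the report elides.

```python
import io
import re
import zipfile
from typing import Optional
from urllib.parse import urlparse

# File-sharing services named in the report. egnyte.com and onehub.com come from the
# published URLs; sync.com and terabox.com are assumed (no URL for them in the excerpt).
LURE_HOSTS = ("egnyte.com", "onehub.com", "sync.com", "terabox.com")

# Windows Installer packages are OLE compound files; this is their 8-byte signature.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"

# Link annotations in uncompressed PDF objects look like: /A << /S /URI /URI (https://...) >>
# The target may be a literal string "(...)" with backslash escapes, or a hex string "<...>".
_URI_LITERAL = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.DOTALL)
_URI_HEX = re.compile(rb"/URI\s*<([0-9A-Fa-f\s]*)>")


def refang(ioc: str) -> str:
    """Undo the hxxp / [.] / [@] defanging used in the IOC list."""
    return (ioc.replace("hxxps://", "https://").replace("hxxp://", "http://")
               .replace("[.]", ".").replace("[@]", "@"))


def extract_pdf_uris(pdf_bytes: bytes) -> list[str]:
    """Return every /URI target found in the raw PDF bytes, in document order.
    Caveat: a raw scan only sees uncompressed object dictionaries; annotations stored
    inside FlateDecode object streams need a real PDF parser to decompress first."""
    if not pdf_bytes.startswith(b"%PDF"):
        raise ValueError("not a PDF")
    found = []
    for m in _URI_LITERAL.finditer(pdf_bytes):
        raw = re.sub(rb"\\(.)", rb"\1", m.group(1))  # drop backslash escapes
        found.append((m.start(), raw.decode("latin-1")))
    for m in _URI_HEX.finditer(pdf_bytes):
        hexdigits = re.sub(rb"\s", b"", m.group(1))
        found.append((m.start(), bytes.fromhex(hexdigits.decode()).decode("latin-1")))
    return [uri for _, uri in sorted(found)]


def is_lure_host(url: str) -> bool:
    """True when the URL's host is one of the file-sharing services or a subdomain of one.
    Suffix matching is anchored on a dot so egnyte.com.evil.example does not match."""
    host = (urlparse(refang(url)).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in LURE_HOSTS)


def msi_members(zip_bytes: bytes) -> list[str]:
    """List ZIP members that are MSI packages, by extension or by OLE signature."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(8)
            if info.filename.lower().endswith(".msi") or head == OLE_MAGIC:
                hits.append(info.filename)
    return hits


def triage_attachment(pdf_bytes: bytes, zip_bytes: Optional[bytes] = None) -> dict:
    """Walk the reported chain: PDF link -> file-sharing host -> ZIP -> MSI."""
    uris = extract_pdf_uris(pdf_bytes)
    return {
        "uris": uris,
        "flagged_uris": [u for u in uris if is_lure_host(u)],
        "msi_members": msi_members(zip_bytes) if zip_bytes else [],
    }


# Constructed sample PDF: an Egnyte link, a benign link, and a hex-encoded Onehub link.
# EXAMPLEID stands in for the path segment the report elides.
_HEX_LINK = "https://ws.onehub.com/files/EXAMPLEID".encode().hex().encode()
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R 5 0 R 6 0 R] >> endobj\n"
    b"4 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 200 20]\n"
    b"  /A << /S /URI /URI (https://salary.egnyte.com/EXAMPLEID) >> >> endobj\n"
    b"5 0 obj << /Type /Annot /Subtype /Link /Rect [0 30 200 50]\n"
    b"  /A << /S /URI /URI (https://example.com/invoice) >> >> endobj\n"
    b"6 0 obj << /Type /Annot /Subtype /Link /Rect [0 60 200 80]\n"
    b"  /A << /S /URI /URI <" + _HEX_LINK + b"> >> >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)


def build_sample_zip() -> bytes:
    """Constructed stand-in for the hosted salary.zip: an MSI-named member with an OLE header."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("salary.msi", OLE_MAGIC + b"\x00" * 24)
        zf.writestr("readme.txt", b"constructed decoy text")
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_attachment(SAMPLE_PDF, build_sample_zip()))
```

In a mail-gateway or sandbox pipeline the same functions would run over the real attachment and over whatever the flagged link downloads; a PDF whose only links resolve to one of these hosts, paired with a ZIP that contains an MSI, reproduces the reported chain and is worth holding before the MSI ever reaches a user.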