TA450 Hackers Uses Embedded Links in PDF Attachments

In a concerning development in cyber warfare, the Iran-aligned threat actor known as TA450, also recognized by aliases such as MuddyWater, Mango Sandstorm, and Static Kitten, has been reported to employ a new strategy in its phishing campaigns.

Proofpoint researchers have identified a shift in the group’s tactics, which now involve embedding malicious links within PDF attachments sent to employees of global manufacturing, technology, and information security companies, with a particular focus on Israeli targets.

The Evolution of TA450’s Methods

Historically, TA450 has been known for its direct approach of including malicious links within the body of phishing emails.

However, in a campaign that began on March 7, 2024, and persisted through the week of March 11, the group has added an extra layer to its attack chain by using PDF attachments as a vector for delivering these harmful links.

This marks the first time Proofpoint researchers have observed such a technique from TA450, indicating a significant pivot in the group’s modus operandi.

The Social Engineering Lure

The recent phishing attempts have utilized a pay-related social engineering lure, a tactic designed to exploit human psychology by promising financial incentives.

This method has proven effective in targeting Israeli employees, a demographic that TA450 has been actively pursuing since at least October 2023, following the onset of the Israel-Hamas conflict.

The campaign’s success is partly due to the use of sender email accounts that match the lure’s content, adding a layer of authenticity to the phishing emails.

The shift in TA450’s tactics is particularly alarming given the group’s alignment with Iran’s Ministry of Intelligence and Security, as attributed by the United States Cyber Command in January 2022.

The use of PDF attachments to conceal malicious URLs represents an escalation in the sophistication of TA450’s attacks, posing a heightened risk to organizations and their employees.

The Campaign’s Impact

The campaign’s impact is not to be underestimated. By sending multiple phishing emails with PDF attachments to the same targets, TA450 increases the likelihood of successful infiltration.

Once an unsuspecting employee clicks on the embedded link, they are led to a ZIP archive via Onehub, which then results in the download of remote administration software.

This software grants TA450 access to the victim’s system, allowing for potential data theft, espionage, or further malicious activities.

Are you from SOC and DFIR Teams? – Analyse Malware Incidents & get live Access with ANY.RUN -> Start Now for Free.

Indicators of Compromise (IOCs)