CyberBrief Project
CyberBrief Project is an audio series that breaks down one creative cyber-attack technique in each episode.
Rather than covering routine threats, each episode focuses on clever methods that repurpose tools in unexpected ways.
Voiced by AI instructors, the series is designed to help listeners understand how attackers think, what they target, and how to spot threats with greater clarity.
This is valuable information for anyone in cybersecurity, especially defenders, and for anyone curious about how real-world cyberattacks start and unfold.
When IT Tools Become the Attack
In this episode, we explore a stealthy credential access campaign attributed to the Iranian-linked group MuddyWater, also known as TA450.
The attack began with a phishing email that delivered a legitimate installer for the Atera Agent—used to quietly gain remote access to the victim’s machine. From there, the attackers used built-in scripting tools to extract credential-related data, mapped the domain, and created a persistent SSH tunnel. They later deployed a second RMM tool to reinforce their access.
Defensive Recommendations:
- Block installation of RMM tools like Atera or Level RMM unless deployed by authorized teams
- Monitor for new outbound SSH connections, especially from workstations
- Restrict PowerShell execution and enable PowerShell logging, particularly for registry access or remote scripts
- Implement alerts for sudden use of remote access tools during off-hours or by non-admin users
- Maintain a baseline of approved software, and alert on deviations
Tools and Infrastructure Observed:
- Atera Agent (installed by user via phishing lure)
- Level RMM (retrieved via obfuscated PowerShell command)
- SSH tunnel to remote infrastructure (used for persistence and control)
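As an added illustration of the recommendations above (not code from the episode or from any vendor), here is a small triage pass over constructed Sysmon-style events that flags the three behaviours described: an RMM agent installed by an account outside the approved deployment baseline, PowerShell launched with an encoded command, and a workstation opening an outbound SSH connection. The host names, user names, IP address and the Level agent binary name are assumptions made for the sample.

```python
import re

# Constructed sample events (hypothetical, not from the episode).
# Event IDs follow Sysmon: 1 = process creation, 3 = network connection.
SAMPLE_EVENTS = [
    {"host": "WS-042", "role": "workstation", "event": 1, "user": "jdoe",
     "image": r"C:\Users\jdoe\Downloads\AteraAgent.exe", "cmdline": "AteraAgent.exe /i"},
    {"host": "WS-042", "role": "workstation", "event": 1, "user": "jdoe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA"},
    {"host": "WS-042", "role": "workstation", "event": 3, "user": "jdoe",
     "image": r"C:\Windows\System32\OpenSSH\ssh.exe", "dst_port": 22, "dst_ip": "203.0.113.10"},
    {"host": "SRV-DEPLOY", "role": "server", "event": 1, "user": "svc_deploy",
     "image": r"C:\Deploy\AteraAgent.exe", "cmdline": "AteraAgent.exe /i"},
]

# RMM agent binaries to watch; "level-agent.exe" is a placeholder name, not Level's real binary.
RMM_IMAGES = {"ateraagent.exe", "level-agent.exe"}
# Baseline of accounts allowed to roll out RMM tools (assumed for the sample).
APPROVED_DEPLOYERS = {"svc_deploy"}
# Matches the short and long forms of PowerShell's -EncodedCommand switch.
ENCODED_PS = re.compile(r"(^|\s)-(e|ec|enc|encodedcommand)\s", re.IGNORECASE)


def triage(events):
    """Return (host, rule, detail) findings for a batch of events."""
    findings = []
    for ev in events:
        image = ev["image"].rsplit("\\", 1)[-1].lower()
        # Rule 1: RMM agent installed by someone outside the approved deployment team.
        if ev["event"] == 1 and image in RMM_IMAGES and ev["user"] not in APPROVED_DEPLOYERS:
            findings.append((ev["host"], "unauthorized_rmm_install", image))
        # Rule 2: PowerShell started with an encoded (obfuscated) command line.
        if ev["event"] == 1 and image == "powershell.exe" and ENCODED_PS.search(ev["cmdline"]):
            findings.append((ev["host"], "encoded_powershell", ev["cmdline"][:40]))
        # Rule 3: outbound SSH (TCP/22) from a workstation rather than a server.
        if ev["event"] == 3 and ev["role"] == "workstation" and ev.get("dst_port") == 22:
            findings.append((ev["host"], "workstation_outbound_ssh", ev["dst_ip"]))
    return findings


if __name__ == "__main__":
    for host, rule, detail in triage(SAMPLE_EVENTS):
        print(f"{host}: {rule} ({detail})")
```

The server-side install by the approved deployment account produces no finding, which is the point of keeping a software baseline rather than blocking the agent outright.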
Thanks for spending a few minutes on the CyberBrief Project.
If you want to dive deeper or catch up on past episodes, head over to cyberbriefproject.buzzsprout.com.
You can also find the podcast on YouTube at youtube.com/@CyberBriefProject — I’d love to see you there.
And if you find these episodes valuable and want to support the project, you can do that here: buzzsprout.com/support
Your support means a lot.
See you in the next one, and thank you for listening.