MuddyWater APT attacks Israel with a spear-phishing campaign

February 21, 2024
Tags: Spearphishing, Muddy Water APT, Israel, Middle East, Malicious Emails

The Iranian state-sponsored threat group MuddyWater APT is running a new spear-phishing operation targeting Israeli organisations.

Based on reports, the main objective of this campaign is to deploy a legitimate remote administration tool, Advanced Monitoring Agent from N-able. Researchers noted that the campaign shows updated tactics, techniques, and procedures (TTPs) compared with earlier MuddyWater activity.

However, the group has previously used similar attack methods to distribute other remote access tools, including ScreenConnect, RemoteUtilities, Syncro, and SimpleHelp.

This recent spear-phishing operation is the first incident in which the group has used this particular tool.

Investigations show that the campaign marks the first instance in which MuddyWater has used N-able's remote monitoring software, highlighting that their modus operandi, while essentially unchanged, continues to bring some success.

The researchers have also published their findings about the new malicious campaign on X (formerly Twitter).

MuddyWater is a state-sponsored cyber-espionage group allegedly linked to Iran's Ministry of Intelligence and Security (MOIS), alongside other MOIS-affiliated clusters such as OilRig, Lyceum, Agrius, and Scarred Manticore. The group has been conducting operations since at least 2017.

Some of their previous attack methods have involved spear-phishing emails containing direct links, or HTML, PDF, and RTF attachments with links to archives hosted on various file-sharing platforms, which ultimately deliver one of the administration tools mentioned above.

Furthermore, the group used a new file-sharing service called Storyblok to initiate a multi-stage infection process. The chain includes hidden files, an LNK file that triggers the infection, and an executable that covers its activity with a decoy document while executing Advanced Monitoring Agent, a legitimate remote administration tool. Once the victim's system is infected, the MuddyWater operators use the remote administration tool for reconnaissance.
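As an added defender-side illustration of the infection chain described above (this is not code from the original article or from the researchers it cites), the following Python script applies a simple heuristic to constructed process-creation events: it flags a user-launched executable running from a download or archive-extraction directory that spawns a remote-administration agent, and records whether a document viewer was also launched to show a decoy. The event fields mirror Sysmon Event ID 1, the agent binary name `rmm_agent_placeholder.exe` is a placeholder (the article names the product but not its executable), and every sample event is constructed.

```python
"""Heuristic detection of the 'dropper shows decoy, installs RMM agent' chain.

Added example, not from the article. Assumptions: event fields mirror Sysmon
Event ID 1 (ProcessId, ParentProcessId, Image, CommandLine); the RMM agent is
matched by a placeholder file name; all sample events below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List

# Placeholder for the remote-administration agent's executable name(s).
# A deployment must replace this with the vendor's documented binary names.
RMM_AGENT_NAMES = {"rmm_agent_placeholder.exe"}

# Viewers a dropper would launch to display a decoy document.
DECOY_VIEWERS = {"winword.exe", "acrord32.exe", "msedge.exe"}

# Path fragments typical of download and archive-extraction locations.
STAGING_MARKERS = ("\\appdata\\local\\temp\\", "\\downloads\\", "\\temp\\")


@dataclass
class ProcEvent:
    """Minimal process-creation record (field set mirrors Sysmon Event ID 1)."""
    pid: int
    ppid: int
    image: str
    cmdline: str = ""


def basename(path: str) -> str:
    """Lower-cased file name component of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def in_staging_dir(path: str) -> bool:
    """True when the image sits in a download / extraction directory."""
    low = path.lower()
    return any(marker in low for marker in STAGING_MARKERS)


def find_dropper_chains(events: List[ProcEvent]) -> List[dict]:
    """Flag a user-launched binary in a staging directory that spawns the RMM
    agent; note whether a decoy viewer was spawned by the same parent."""
    by_pid: Dict[int, ProcEvent] = {e.pid: e for e in events}
    children: Dict[int, List[ProcEvent]] = {}
    for e in events:
        children.setdefault(e.ppid, []).append(e)

    alerts: List[dict] = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if parent is None or basename(parent.image) != "explorer.exe":
            continue  # only processes the user launched interactively
        if not in_staging_dir(e.image):
            continue  # only binaries run from download / extraction paths
        kids = children.get(e.pid, [])
        agents = [k for k in kids if basename(k.image) in RMM_AGENT_NAMES]
        if not agents:
            continue
        decoys = [k for k in kids if basename(k.image) in DECOY_VIEWERS]
        alerts.append({
            "dropper_pid": e.pid,
            "dropper": e.image,
            "rmm_agent": agents[0].image,
            "decoy_shown": bool(decoys),
        })
    return alerts


# Constructed sample events (placeholder paths and names).
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe"),
    # Suspicious chain: archive contents extracted to Temp, dropper run by the user
    ProcEvent(200, 100, r"C:\Users\u\AppData\Local\Temp\extract\memo.exe", "memo.exe"),
    ProcEvent(300, 200, r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
              r'WINWORD.EXE /n "C:\Users\u\AppData\Local\Temp\extract\memo.docx"'),
    ProcEvent(400, 200, r"C:\Users\u\AppData\Local\Temp\extract\rmm_agent_placeholder.exe",
              "rmm_agent_placeholder.exe"),
    # Benign: an IT installer under Program Files deploying the same agent
    ProcEvent(500, 100, r"C:\Program Files\Vendor\installer.exe", "installer.exe"),
    ProcEvent(600, 500, r"C:\Program Files\Vendor\rmm_agent_placeholder.exe"),
]

if __name__ == "__main__":
    for alert in find_dropper_chains(SAMPLE_EVENTS):
        print(alert)
```

The staging-directory gate is what keeps the legitimate rollout from Program Files quiet while the user-launched copy in Temp alerts; in practice the placeholder set is replaced with the vendor's real binary names and the rule is tuned against the organisation's own approved RMM usage.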

Researchers also reported that the bait used by the threat group in this campaign was an official memo from the Israeli Civil Service Commission, a document that is publicly available for download from the Commission's official website.

Additionally, the MuddyWater actors were using a new command-and-control (C2) framework called MuddyC2Go, the successor to MuddyC3 and PhonyC2, indicating Iran's advancing cyber capabilities.

Israeli organisations should remain wary of these threats, since the MuddyWater group could exploit Israel's ongoing war with Hamas as a pretext for its attacks.
