
Iranian MuddyWater Group Employing Fake Memo Spear-Phishing to Target Israelis


MuddyWater, an Iranian state-sponsored threat group, has launched a spear-phishing campaign against Israeli organizations. According to cybersecurity firm Deep Instinct, the lure is a fake memo purporting to come from the Israeli Civil Service Commission, and it leads the victim to install Advanced Monitoring Agent (AMA), a legitimate remote monitoring and management (RMM) tool sold by N-able. Once the agent is running, the operators have interactive remote access to the victim's machine, which they can use to steal data, tamper with systems, and conduct surveillance. Deep Instinct observed the campaign targeting two Israeli entities.

Deep Instinct's researchers note that the campaign shows updated tactics, techniques, and procedures (TTPs) compared with the group's earlier activity. MuddyWater has long abused legitimate remote administration software, previously distributing ScreenConnect, Syncro, RemoteUtilities, and SimpleHelp; "eN-Able," the title Deep Instinct gave its report, is a pun on the N-able product now in use rather than the name of a separate technique. The write-up describes no exploitation of vulnerabilities in the operating system or mail client: the emails rely on social engineering, impersonating an official sender and pointing the recipient to a hosted archive.

Deep Instinct also describes the group's "spray and pray" approach: sending a large volume of phishing emails to many recipients so that even a small hit rate yields footholds. That stands in contrast to the narrow targeting of the campaign described here, which singled out two Israeli entities.

MuddyWater has also moved its payload hosting to Storyblok, a content-management platform with public asset hosting that the group had not been seen using before. The multi-stage chain delivers an archive containing hidden files, an LNK shortcut that starts the infection when the victim opens it, and an executable that installs the remote administration tool. Once the agent is running, the operators connect to the infected host through the legitimate RMM service to conduct reconnaissance.
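A triage check a mail gateway or analyst could run over inbound archives, looking for the lure layout described above: a visible shortcut (often with a document-like double extension) next to an executable carrying the DOS "hidden" attribute so it does not show in a default Explorer view. This is an added example, not code from the article or from Deep Instinct; the sample archive is constructed inline, the file names in it are assumptions, and it is not a real MuddyWater artifact.

```python
import io
import os
import zipfile
from dataclasses import dataclass, field

# MS-DOS attribute bits live in the low byte of ZipInfo.external_attr for
# archives produced on Windows (create_system == 0).
DOS_HIDDEN = 0x02
EXEC_EXTS = {".exe", ".dll", ".scr", ".com", ".msi", ".bat", ".cmd", ".ps1", ".vbs", ".js", ".hta"}
DOC_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}


@dataclass
class ArchiveTriage:
    lnk_files: list = field(default_factory=list)         # shortcuts, the intended click target
    disguised_lnks: list = field(default_factory=list)    # e.g. memo.pdf.lnk, shown as memo.pdf
    hidden_entries: list = field(default_factory=list)    # DOS-hidden files, or files under hidden dirs
    hidden_executables: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # A visible shortcut paired with an executable the victim is not meant
        # to see is the lure layout described above; flag it for analyst review.
        return bool(self.lnk_files) and bool(self.hidden_executables)


def _is_hidden(info: zipfile.ZipInfo, hidden_dirs: set) -> bool:
    if info.external_attr & 0xFF & DOS_HIDDEN:
        return True
    # A file inherits "hidden" when any parent directory entry carries the bit.
    parts = info.filename.split("/")[:-1]
    return any("/".join(parts[: i + 1]) + "/" in hidden_dirs for i in range(len(parts)))


def triage_archive(data: bytes) -> ArchiveTriage:
    """Inspect a ZIP archive held in memory and report lure-style indicators."""
    result = ArchiveTriage()
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
        hidden_dirs = {i.filename for i in infos
                       if i.is_dir() and (i.external_attr & 0xFF & DOS_HIDDEN)}
        for info in infos:
            if info.is_dir():
                continue
            name = info.filename
            stem, ext = os.path.splitext(name.lower())
            if ext == ".lnk":
                result.lnk_files.append(name)
                # "memo.pdf.lnk" displays as "memo.pdf" when Explorer hides known extensions
                if os.path.splitext(stem)[1] in DOC_EXTS:
                    result.disguised_lnks.append(name)
            if _is_hidden(info, hidden_dirs):
                result.hidden_entries.append(name)
                if ext in EXEC_EXTS:
                    result.hidden_executables.append(name)
    return result


def build_sample_lure() -> bytes:
    """Constructed lure archive mirroring the described layout (assumed names, not a real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        lnk = zipfile.ZipInfo("Civil_Service_Memo.pdf.lnk")
        lnk.create_system = 0
        zf.writestr(lnk, b"L\x00\x00\x00" + b"\x00" * 60)   # placeholder shortcut bytes
        for name, payload in (("files/decoy.pdf", b"%PDF-1.4 constructed decoy"),
                              ("files/setup.exe", b"MZ constructed placeholder")):
            info = zipfile.ZipInfo(name)
            info.create_system = 0
            info.external_attr = DOS_HIDDEN        # hidden from a default Explorer view
            zf.writestr(info, payload)
    return buf.getvalue()


def build_benign_sample() -> bytes:
    """Constructed comparison archive holding an ordinary document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("quarterly_report.pdf", b"%PDF-1.4 constructed report")
    return buf.getvalue()


if __name__ == "__main__":
    verdict = triage_archive(build_sample_lure())
    print("suspicious:", verdict.suspicious)
    print("shortcuts:", verdict.lnk_files, "disguised:", verdict.disguised_lnks)
    print("hidden executables:", verdict.hidden_executables)
```

The check only reads ZIP metadata, so it is cheap enough to run on every attachment, but it is a layout heuristic rather than a verdict: it covers ZIP only (RAR and 7z need other parsers), and a determined sender can drop the hidden bit. Treat a hit as a reason to parse the LNK's target command line and detonate the executable, not as proof on its own.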

The group has also adopted a new command and control (C2) framework, MuddyC2Go, which Deep Instinct documented in a separate report and which Group-IB has independently confirmed. Taken together, these changes show MuddyWater continuing to refine its tradecraft.

MuddyWater, also tracked as Mango Sandstorm (Microsoft) and Static Kitten (CrowdStrike), is a cyberespionage group that the US government has publicly attributed to Iran's Ministry of Intelligence and Security (MOIS). Active since at least 2017, it is one of several Iranian groups, alongside Agrius, OilRig, and Scarred Manticore, that have targeted Israel.

This campaign is one of a series of targeted attacks on Israeli entities by MuddyWater, and the Israel-Hamas war that began in October 2023 has brought a surge of activity from state-aligned and hacktivist actors against Israeli targets. One example is BiBi-Linux, a wiper attributed to a pro-Hamas group that overwrites files with junk data and renames them, leaving affected systems unusable. It was reported to have been distributed through spear-phishing emails posing as legitimate Israeli organizations.

In October 2023, pro-Palestinian hackers were also found delivering spyware to Israeli users through a malicious copy of a rocket alert app.

These incidents highlight the ongoing cyber conflict between state-sponsored actors in the region and the need for robust cybersecurity measures to protect critical infrastructure and sensitive information.

Related News:

1. Israel’s Channel 10 TV Station Hacked by Hamas
2. Hamas hacked the smartphones of over 100 IDF soldiers
3. Hamas posed as women to con IDF into downloading malware
4. Iranian Hackers Posed as Israelis in Targeted LinkedIn Phishing Attack
5. Hamas hacked phones of IDF soldiers with seductive photos of women
