Iran’s MuddyWater Targets Israel in New Spear-Phishing Cyber Campaign

Cyber Security

Products You May Like

Nov 02, 2023NewsroomCyber Attack / Malware

The Iranian nation-state actor known as MuddyWater has been linked to a new spear-phishing campaign targeting two Israeli entities to ultimately deploy a legitimate remote administration tool from N-able called Advanced Monitoring Agent.

Cybersecurity firm Deep Instinct, which disclosed details of the attacks, said the campaign “exhibits updated TTPs to previously reported MuddyWater activity,” which has, in the past, used similar attack chains to distribute other remote access tools like ScreenConnect, RemoteUtilities, Syncro, and SimpleHelp.

While the latest development marks the first time MuddyWater has been observed using N-able’s remote monitoring software, it also underscores the fact that the largely unchanged modus operandi continues to yield some level of success for the threat actor.

Cybersecurity

The findings have also been separately confirmed by cybersecurity company Group-IB in a post shared on X (formerly Twitter).

The state-sponsored group is a cyber espionage crew that’s said to be a subordinate element within Iran’s Ministry of Intelligence and Security (MOIS), joining other MOIS-affiliated clusters like OilRig, Lyceum, Agrius, and Scarred Manticore. It has been active since at least 2017.

Prior attack sequences have entailed sending spear-phishing emails with direct links as well as HTML, PDF, and RTF attachments containing links to archives hosted on various file-sharing platforms that ultimately drop one of the aforementioned remote administration tools.

The latest tactics and tools represent in some ways a continuation, and in other ways an evolution, for the group variously known as Mango Sandstorm and Static Kitten.

What’s different this time around is the use of a new file-sharing service called Storyblok to initiate a multi-stage infection vector.

“It contains hidden files, an LNK file that initiates the infection, and an executable file designed to unhide a decoy document while executing Advanced Monitoring Agent, a remote administration tool,” security researcher Simon Kenin said in a Wednesday analysis.

Cybersecurity

“After the victim has been infected, the MuddyWater operator will connect to the infected host using the legitimate remote administration tool and will start doing reconnaissance on the target.”

The lure document displayed to the victim is an official memo from the Israeli Civil Service Commission, which can be publicly downloaded from its official website.

In a further sign of Iran’s fast improving malicious cyber capabilities, Deep Instinct said it also spotted the MuddyWater actors leveraging a new command-and-control (C2) framework called MuddyC2Go, a successor to MuddyC3 and PhonyC2.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

Products You May Like

Articles You May Like

Oppo Find X8 Series Tipped to Offer an Extra Button for Quick Actions
WhatsApp Developing Phone Contact Sync Toggle for Linked Devices: Report
The sneaky way Big Tech is acquiring AI unicorns without buying the companies
Vivo X Fold 3 Pro vs OnePlus Open: Which One Should You Get?
IC 814: The Kandahar Hijack Review: A Thoroughly Researched Series That Points the Finger at the System

Leave a Reply

Your email address will not be published. Required fields are marked *