A new social engineering campaign conducted by the “MuddyWater” group has been observed targeting two Israeli entities with tactics, techniques and procedures (TTPs) previously associated with this threat actor.
MuddyWater, a group known for spear-phishing emails since 2020, has historically employed links and PDFs, RTFs and HTML attachments that direct victims to archives hosted on different file-sharing platforms. These archives typically contained legitimate remote administration tools.
According to an advisory published by the Deep Instinct Threat Research team on Wednesday, during the Israel-Hamas conflict, MuddyWater has reused these known remote administration tools, as well as leveraging a new file-sharing service called “Storyblok.”
On October 30, Deep Instinct reportedly discovered two archives hosted on Storyblok featuring a new multi-stage infection vector. This vector conceals files, including an LNK file initiating the infection and an executable file, executing an Advanced Monitoring Agent, a remote administration tool.
According to the security experts, this marks the first public report of MuddyWater employing this particular remote administration tool.
Read more on MuddyWater attacks: MuddyWater Uses SimpleHelp to Target Critical Infrastructure Firms
At the same time, the new campaign’s initial infection mechanism likely involves a spear-phishing email, similar to past campaigns.
The archive contains several hidden folders, including a deceptive LNK shortcut resembling a directory called “Attachments.” When the LNK file is opened, the infection sequence is initiated, executing the “Diagnostic.exe” file, present in both archives observed by Deep Instinct. This file then launches “Windows.Diagnostic.Document.EXE,” a legitimate installer for “Advanced Monitoring Agent.”
In addition to executing the remote administration tool, “Diagnostic.exe” also opens a Windows Explorer window for the hidden “Document” folder, creating a ruse to deceive the victim.
The decoy document within this campaign is an official memo from the Israeli Civil Service Commission, publicly available on their website, which outlines procedures for government workers expressing opinions against the Israeli state on social networks.
After infection, MuddyWater operators likely conduct reconnaissance before executing PowerShell code, causing the infected host to communicate with a custom command-and-control (C2) server. Notably, MuddyWater recently used a new C2 framework called “MuddyC2Go.”
More details about the campaign can be found on Deep Instinct’s GitHub page. The company also confirmed it will publish an additional, extended post about the findings in the near future.