November 2, 2023 at 05:30AM
MuddyWater, an Iranian nation-state actor, has launched a spear-phishing campaign targeting Israeli entities. This campaign deploys a legitimate remote administration tool from N-able called Advanced Monitoring Agent. While MuddyWater has previously used similar attack chains, this is the first time it has been observed using N-able’s software. The group is part of Iran’s Ministry of Intelligence and Security (MOIS) and has been active since at least 2017. The latest campaign involves the use of a new file-sharing service called Storyblok and a new command-and-control framework called MuddyC2Go.
Based on the meeting notes, the key takeaways are:
1. MuddyWater, an Iranian nation-state actor, has launched a new spear-phishing campaign targeting two Israeli entities.
2. The campaign utilizes a legitimate remote administration tool called Advanced Monitoring Agent from N-able.
3. Cybersecurity firm Deep Instinct has observed updated techniques and tactics in this campaign, similar to previous MuddyWater activity.
4. MuddyWater has previously used attack chains to distribute remote access tools like ScreenConnect, RemoteUtilities, Syncro, and SimpleHelp.
5. This is the first time MuddyWater has been observed using N-able’s remote monitoring software.
6. MuddyWater operates as a cyber espionage group within Iran’s Ministry of Intelligence and Security (MOIS) and has been active since 2017.
7. Previous attack sequences involved spear-phishing emails with direct links and attachments containing links to archives hosted on file-sharing platforms.
8. The group known as Mango Sandstorm and Static Kitten has evolved its tactics and tools, using a new file-sharing service called Storyblok.
9. The infection vector includes hidden files, an LNK file, and an executable file that unhide a decoy document while executing the Advanced Monitoring Agent.
10. MuddyWater operators connect to infected hosts using the remote administration tool to conduct reconnaissance on the target.
11. The lure document used in this campaign is an official memo from the Israeli Civil Service Commission, publicly available for download.
12. MuddyWater actors are also leveraging a new command-and-control (C2) framework called MuddyC2Go, showing Iran’s improving cyber capabilities.
These takeaways provide an overview of the cyber attack conducted by MuddyWater and highlight the group’s evolving tactics and tools. It is essential to monitor the situation closely and consider implementing appropriate security measures in response.