Iran’s state-sponsored threat group, MuddyWater, is reportedly behind a spear-phishing campaign targeting Israeli organizations. The campaign utilizes Advanced Monitoring Agent, a legitimate remote administration tool by N-able.
Cybersecurity firm Deep Instinct revealed the attack, which exhibits updated tactics and techniques compared to previous MuddyWater activity. The group is known for its cyber espionage activities and is linked to Iran’s Ministry of Intelligence and Security (MOIS). The use of N-able software marks a new development for the group, indicating an ongoing evolution in their operations.
MuddyWater’s historical attack vectors have involved spear-phishing emails, including direct links and email attachments, with the goal of delivering various remote administration tools.
However, this latest campaign introduces a multi-stage infection process using a new file-sharing service called Storyblok. The chain includes hidden files, an LNK file that initiates the infection, and an executable that launches the Advanced Monitoring Agent. Once a victim is infected, MuddyWater operators use the legitimate remote administration tool for reconnaissance on the compromised system. The lure document used in this campaign is disguised as an official memo from the Israeli Civil Service Commission.
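The defender-side check a SOC would want for the chain just described is a hunt for the remote administration agent being started from a user-staged binary rather than through the sanctioned management channel. The following is an added example, not code from Deep Instinct or N-able; the event shape is Sysmon-like, and the staging folders and the agent installer's file name are constructed assumptions.

```python
import re

# Constructed process-creation events (not from the report). The paths under
# Downloads/Temp and the installer name are assumptions for illustration.
EVENTS = [
    {"pid": 4,   "ppid": 0,   "image": r"C:\Windows\System32\services.exe"},
    {"pid": 100, "ppid": 4,   "image": r"C:\Windows\explorer.exe"},
    # user opens the LNK; explorer runs its target from the unpacked lure folder
    {"pid": 200, "ppid": 100, "image": r"C:\Users\alice\Downloads\memo\.files\run.exe"},
    # the staged executable launches the RMM agent installer (assumed name)
    {"pid": 300, "ppid": 200,
     "image": r"C:\Users\alice\AppData\Local\Temp\AdvancedMonitoringAgentSetup.exe"},
    # benign baseline: the same agent started by the service control manager
    {"pid": 400, "ppid": 4,
     "image": r"C:\Program Files\Advanced Monitoring Agent\agent.exe"},
]

# User-writable locations a phishing chain typically stages into.
USER_WRITABLE = re.compile(r"^C:\\Users\\[^\\]+\\(Downloads|AppData\\Local\\Temp)\\", re.I)
# Image names that identify the remote administration agent named in the report.
RMM_AGENT = re.compile(r"advanced ?monitoring ?agent", re.I)


def ancestry(events, pid):
    """Return the process image chain from pid up to the root, nearest first."""
    by_pid = {e["pid"]: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(by_pid[pid]["image"])
        pid = by_pid[pid]["ppid"]
    return chain


def find_staged_rmm(events):
    """Flag RMM agent processes whose ancestry (itself included) contains a
    binary executed from a user-writable path: the agent was dropped by a
    user-launched chain instead of deployed by the management service."""
    findings = []
    for e in events:
        if not RMM_AGENT.search(e["image"]):
            continue
        chain = ancestry(events, e["pid"])
        staged = [img for img in chain if USER_WRITABLE.match(img)]
        if staged:
            findings.append({"pid": e["pid"], "chain": chain, "staged": staged})
    return findings


if __name__ == "__main__":
    for f in find_staged_rmm(EVENTS):
        print(f"pid {f['pid']} RMM agent via staged binaries: {f['staged']}")
```

Deployments where IT itself installs the agent from a user profile will also match, so pair the rule with an inventory of hosts enrolled through the sanctioned channel before alerting.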
Moreover, this development highlights MuddyWater’s ability to adapt and enhance its capabilities. In addition to the new infection vector, the group is using a new command-and-control (C2) framework called MuddyC2Go, succeeding MuddyC3 and PhonyC2.
This demonstrates the group’s continuous evolution in response to defensive measures taken by their targets. The MuddyWater group has been active since 2017, maintaining its role in Iran’s broader cyber espionage efforts. As their tactics evolve, monitoring and countering their activities remain a challenge for security experts.