A new social engineering campaign attributed to the “MuddyWater” group has been observed targeting two Israeli entities, using tactics, techniques and procedures (TTPs) previously associated with this threat actor.
MuddyWater, known for its spear-phishing emails since 2020, has historically used PDF, RTF, and HTML links and attachments that direct victims to archives hosted on various file-sharing platforms. Those archives usually contained legitimate remote administration tools.
According to a notice published Wednesday by the Deep Instinct Threat Research team, during the Israel-Hamas conflict MuddyWater reused these familiar remote administration tools while also adopting a new file-sharing service, “Storyblok.”
On October 30, Deep Instinct reportedly discovered two archives hosted on Storyblok that use a new multi-stage infection vector. The archives hide their contents: an LNK file that starts the infection, and an executable that installs Advanced Monitoring Agent, a legitimate remote administration tool.
According to security experts, this is the first public report of MuddyWater using this particular remote administration tool.
The initial infection mechanism of the new campaign is not confirmed but likely involves a spear-phishing email, as in previous campaigns.
The archive contains several hidden folders and a deceptive LNK shortcut named “Attachments” so that it resembles a directory. Opening the LNK starts the infection chain by executing “Diagnostic.exe”, which is present in both archives observed by Deep Instinct. That file in turn launches “Windows.Diagnostic.Document.EXE”, a legitimate installer for Advanced Monitoring Agent.
Besides running the remote administration tool, “Diagnostic.exe” also opens a Windows Explorer window on the hidden “Document” folder, so the victim sees the expected attachment contents while the agent is installed.
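The lure layout described above (a shortcut named like a folder, hidden directories, and executables carried inside the same archive) can be checked for before anything is opened. The following Python script is an added example written for this page, not Deep Instinct's or MuddyWater's tooling; the archive it inspects is constructed in memory to mirror the described layout, and the file names and the heuristics (folder-like LNK, MS-DOS hidden attribute, executable in a hidden location) are assumptions about what a triage check should flag, not indicators published with the report.

```python
"""Triage a zip archive for the MuddyWater-style lure layout: a LNK shortcut
named like a folder, hidden directories, and executables in hidden locations.
Added example for this page; the sample archive and names are constructed."""
from __future__ import annotations

import io
import zipfile
from dataclasses import dataclass

DOS_HIDDEN = 0x02      # MS-DOS 'hidden' attribute bit (low byte of external_attr)
DOS_DIRECTORY = 0x10   # MS-DOS 'directory' attribute bit
EXEC_EXTS = (".exe", ".scr", ".com", ".bat", ".cmd", ".vbs", ".js", ".ps1")


@dataclass(frozen=True)
class Finding:
    entry: str
    reason: str


def is_hidden(info: zipfile.ZipInfo) -> bool:
    """True if the archiver stored the MS-DOS hidden attribute for the entry."""
    return bool(info.external_attr & DOS_HIDDEN)


def looks_like_folder_lnk(name: str) -> bool:
    """'Attachments.lnk' renders as a folder icon when Explorer hides extensions;
    'Report.pdf.lnk' would at least show a document-like name, so only a stem
    with no other extension is treated as folder-masquerading."""
    base = name.rsplit("/", 1)[-1]
    if not base.lower().endswith(".lnk"):
        return False
    return "." not in base[:-4]


def triage(zip_bytes: bytes) -> list[Finding]:
    """Return one Finding per suspicious trait found in the archive listing."""
    findings: list[Finding] = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        entries = zf.infolist()
        hidden_dirs = {i.filename for i in entries if i.is_dir() and is_hidden(i)}
        for d in sorted(hidden_dirs):
            findings.append(Finding(d, "hidden directory"))
        for info in entries:
            if info.is_dir():
                continue
            name = info.filename
            if looks_like_folder_lnk(name):
                findings.append(Finding(name, "LNK named like a folder"))
            if name.lower().endswith(EXEC_EXTS):
                in_hidden_dir = any(name.startswith(d) for d in hidden_dirs)
                if in_hidden_dir or is_hidden(info):
                    findings.append(Finding(name, "executable in hidden location"))
    return findings


def build_sample_archive() -> bytes:
    """Constructed in-memory archive mirroring the described lure layout."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        def add(name: str, data: bytes = b"", hidden: bool = False) -> None:
            info = zipfile.ZipInfo(name)
            attr = DOS_DIRECTORY if name.endswith("/") else 0
            info.external_attr = attr | (DOS_HIDDEN if hidden else 0)
            zf.writestr(info, data)

        add("Attachments.lnk", b"L\x00\x00\x00")              # visible shortcut, folder-like name
        add("Document/", hidden=True)                          # hidden decoy folder
        add("Document/memo.pdf", b"%PDF-1.4", hidden=True)     # decoy document
        add("Diagnostic.exe", b"MZ", hidden=True)              # hidden launcher
        add("Windows.Diagnostic.Document.EXE", b"MZ", hidden=True)  # hidden RMM installer
    return buf.getvalue()


if __name__ == "__main__":
    for f in triage(build_sample_archive()):
        print(f"{f.reason:32s} {f.entry}")
```

The MS-DOS attribute check only works when the archiver stored Windows attributes (7-Zip and Explorer's built-in zip do; archives produced on other platforms usually carry none), so the folder-like LNK name is the more portable signal. Reputation checks on the executables themselves are a weak control here: the report describes the agent installer as a legitimate product, so the layout of the lure, not the hash of the payload, is what distinguishes this archive from a benign one.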
The decoy document for this campaign is an official memo from the Israeli Civil Service Commission, publicly available on its website, which outlines procedures for public officials expressing opinions against the Israeli state on social media.
After infection, MuddyWater operators likely perform reconnaissance before executing PowerShell code that makes the infected host communicate with a custom command-and-control (C2) server. Notably, MuddyWater recently used a new C2 framework called “MuddyC2Go”.
More details about the campaign can be found on Deep Instinct's GitHub page. The company also confirmed that it will publish a more detailed follow-up article soon.