The Iranian nation-state actor known as MuddyWater has been linked to a new spear-phishing campaign targeting two Israeli entities to ultimately deploy a legitimate remote administration tool from N-able called Advanced Monitoring Agent.
Cybersecurity firm Deep Instinct, which disclosed details of the attacks, said the campaign “exhibits updated TTPs to previously reported MuddyWater activity,” which has, in the past, used similar attack chains to distribute other remote access tools like ScreenConnect, RemoteUtilities, Syncro, and SimpleHelp.
While the latest development marks the first time MuddyWater has been observed using N-able’s remote monitoring software, it also underscores the fact that the largely unchanged modus operandi continues to yield some level of success for the threat actor.
The findings have also been separately confirmed by cybersecurity company Group-IB in a post shared on X (formerly Twitter).
The state-sponsored group is a cyber espionage crew that’s said to be a subordinate element within Iran’s Ministry of Intelligence and Security (MOIS), joining other MOIS-affiliated clusters like OilRig, Lyceum, Agrius, and Scarred Manticore. It has been active since at least 2017.
Prior attack sequences have entailed sending spear-phishing emails with direct links as well as HTML, PDF, and RTF attachments containing links to archives hosted on various file-sharing platforms that ultimately drop one of the aforementioned remote administration tools.
The latest tactics and tools represent in some ways a continuation, and in other ways an evolution, for the group variously known as Mango Sandstorm and Static Kitten.
What’s different this time around is the use of a new file-sharing service called Storyblok to initiate a multi-stage infection vector.
“It contains hidden files, an LNK file that initiates the infection, and an executable file designed to unhide a decoy document while executing Advanced Monitoring Agent, a remote administration tool,” security researcher Simon Kenin said in a Wednesday analysis.
“After the victim has been infected, the MuddyWater operator will connect to the infected host using the legitimate remote administration tool and will start doing reconnaissance on the target.”
The lure document displayed to the victim is an official memo from the Israeli Civil Service Commission, which can be publicly downloaded from its official website.
In a further sign of Iran’s fast improving malicious cyber capabilities, Deep Instinct said it also spotted the MuddyWater actors leveraging a new command-and-control (C2) framework called MuddyC2Go, a successor to MuddyC3 and PhonyC2.