MuddyWater Sophisticated Spear Phishing Tactics During Israel-Hamas Conflict

Estimated read time 3 min read

Deep Instinct’s Threat Research team has recently discovered an escalated campaign from the notorious MuddyWater group. This campaign significantly targets Israeli infrastructure1 and exhibits an array of updated Tactics, Techniques, and Procedures (TTPs).

The Evolving Landscape of MuddyWater’s Tactics

While MuddyWater has been known for spear-phishing attacks since 2020, they have constantly evolved their methods. Previously, they utilized attachments like PDF, RTF, and HTML files containing links to archives hosted on various platforms.

These archives typically concealed installers for legitimate remote administration tools.

Before ratcheting up their activities amidst the Israel-Hamas conflict, the group adopted a new strategy.

Deep Instinct has uncovered that MuddyWater has shifted its hosting service to a new platform called “Storyblok.” On October 30th, two unique archives were identified on this service, showcasing a multi-layered infection mechanism.

A Closer Look at the Multi-Stage Infection Vector

While the initial distribution methods remain under investigation, it appears that the new campaign is likely spearheaded by phishing emails, akin to MuddyWater’s earlier strategies. These phishing emails direct the victim to download an archive from a Storyblok-hosted URL, identified as “a.storyblok[.]com.”

Upon downloading and extracting the archive, the victim would find multiple layers of obfuscation. For instance, navigating through the folders would lead to a LNK shortcut disguised as another folder named “Attachments.”

Hidden Complexity: What Lies Beneath the Surface

Interestingly, the extracted archive contains additional hidden folders and files. These hidden elements set the stage for the infection. When an unwitting victim opens the LNK file, it triggers the first step of the infection chain.

The Evolving Landscape of MuddyWater's Tactics - Screenshot from Deep Instincts Report on MuddyWater
The Evolving Landscape of MuddyWater’s Tactics – Screenshot from Deep Instincts Report on MuddyWater

The LNK file has been programmed to execute an executable from one of these hidden directories. Deep Instinct’s analysis found that the file “Diagnostic.exe” plays a pivotal role in the infection process. This executable activates another file named “Windows.Diagnostic.Document.EXE,” which is a bona fide installer for a remote administration tool called “Advanced Monitoring Agent.”

The Decoy: Misleading the Victim

As part of its deceptive tactics, “Diagnostic.exe” also opens a new Windows Explorer window showing a hidden “Document” folder. This move is designed to mislead the victim into believing that the LNK file was merely a folder. To add another layer of deception, a decoy document is displayed, which is an official memo from the Israeli Civil Service Commission.

What Comes Next: The Reconnaissance Phase

After the infection process is initiated, MuddyWater’s operators connect to the compromised system using the legitimate “Advanced Monitoring Agent” for initial reconnaissance. It is then likely that the operators will execute PowerShell code, causing the infected host to communicate with a custom Command and Control (C2) server. While MuddyWater has previously relied on the PhonyC2 framework, Deep Instinct has observed a shift to a new C2 framework, intriguingly named MuddyC2Go.

Conclusion: MuddyWater’s Resilient and Evolving Threat

MuddyWater persists in its efforts to compromise Israeli targets. The group has impressively updated its TTPs, including the use of a new hosting service, initiating the infection through a LNK file, and employing a multi-stage malware that mimics a directory while launching a new remote administration tool.

Read the full Deep Instinct report

  1. ↩︎
Reza Rafati

Reza Rafati, based in the Netherlands, is the founder of An industry professional providing insightful commentary on infosec, cybercrime, cyberwar, and threat intelligence, Reza dedicates his work to bolster digital defenses and promote cyber awareness.

You May Also Like

More From Author

+ There are no comments

Add yours