Deep Instinct’s Threat Research team has recently discovered an escalated campaign from the notorious MuddyWater group. This campaign significantly targets Israeli infrastructure [1] and exhibits an array of updated Tactics, Techniques, and Procedures (TTPs).
The Evolving Landscape of MuddyWater’s Tactics
While MuddyWater has been known for spear-phishing attacks since 2020, they have constantly evolved their methods. Previously, they utilized attachments like PDF, RTF, and HTML files containing links to archives hosted on various platforms.
These archives typically concealed installers for legitimate remote administration tools.
Before ratcheting up their activities amidst the Israel-Hamas conflict, the group adopted a new strategy.
Deep Instinct has uncovered that MuddyWater has shifted its hosting service to a new platform called “Storyblok.” On October 30th, two unique archives were identified on this service, showcasing a multi-layered infection mechanism.
A Closer Look at the Multi-Stage Infection Vector
While the initial distribution methods remain under investigation, it appears that the new campaign is likely spearheaded by phishing emails, akin to MuddyWater’s earlier strategies. These phishing emails direct the victim to download an archive from a Storyblok-hosted URL, identified as “
Upon downloading and extracting the archive, the victim would find multiple layers of obfuscation. For instance, navigating through the folders would lead to a LNK shortcut disguised as another folder named “Attachments.”
Hidden Complexity: What Lies Beneath the Surface
Interestingly, the extracted archive contains additional hidden folders and files. These hidden elements set the stage for the infection. When an unwitting victim opens the LNK file, it triggers the first step of the infection chain.
The LNK file has been programmed to execute an executable from one of these hidden directories. Deep Instinct’s analysis found that the file “Diagnostic.exe” plays a pivotal role in the infection process. This executable activates another file named “Windows.Diagnostic.Document.EXE,” which is a bona fide installer for a remote administration tool called “Advanced Monitoring Agent.”
The Decoy: Misleading the Victim
As part of its deceptive tactics, “Diagnostic.exe” also opens a new Windows Explorer window showing a hidden “Document” folder. This move is designed to mislead the victim into believing that the LNK file was merely a folder. To add another layer of deception, a decoy document is displayed, which is an official memo from the Israeli Civil Service Commission.
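The layout described above (a shortcut whose visible name reads as a folder, and hidden directories that hold the launcher and the remote administration tool installer) can be triaged statically before anyone double-clicks anything. The following is an added example, not code from Deep Instinct or from the original post: it constructs a temporary directory tree mirroring the described layout (the hidden directory name “.Diagnostics”, the decoy file name and the file contents are hypothetical; the report does not give them) and then walks it looking for the two indicators: LNK files whose name carries no extension (so Explorer shows them like a folder) and executables sitting under hidden directories.

```python
"""Static triage of an extracted archive for the folder-masquerading LNK pattern.

Added example (not the original post's code). The sample tree is constructed
here; directory and file names other than those in the report are hypothetical.
"""
import os
import stat
import tempfile
from pathlib import Path

# File types a remote administration tool installer or launcher is likely to use.
EXECUTABLE_SUFFIXES = {".exe", ".dll", ".scr", ".com", ".bat", ".cmd", ".ps1", ".vbs", ".js"}


def is_hidden(path: Path) -> bool:
    """True for dot-prefixed names (POSIX convention) or the Windows hidden attribute."""
    if path.name.startswith("."):
        return True
    attrs = getattr(path.stat(), "st_file_attributes", 0)  # present on Windows only
    return bool(attrs & getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0))


def looks_like_folder_name(stem: str) -> bool:
    """A shortcut whose visible name has no extension renders like a folder in Explorer."""
    return stem.strip() != "" and "." not in stem


def triage_extracted_archive(root: Path) -> dict:
    """Walk an extracted archive and collect the two indicators described in the report."""
    findings = {"lnk_masquerading_as_folder": [], "executables_in_hidden_dirs": []}
    for dirpath, _dirnames, filenames in os.walk(root):
        dirpath = Path(dirpath)
        rel_parts = dirpath.relative_to(root).parts
        # Is any directory on the way down from the archive root hidden?
        inside_hidden = any(
            is_hidden(root.joinpath(*rel_parts[: i + 1])) for i in range(len(rel_parts))
        )
        for name in filenames:
            file = dirpath / name
            rel = file.relative_to(root).as_posix()
            suffix = file.suffix.lower()
            if suffix == ".lnk" and looks_like_folder_name(file.stem):
                findings["lnk_masquerading_as_folder"].append(rel)
            if suffix in EXECUTABLE_SUFFIXES and (inside_hidden or is_hidden(file)):
                findings["executables_in_hidden_dirs"].append(rel)
    for key in findings:
        findings[key].sort()
    return findings


def build_sample_tree(base: Path) -> Path:
    """Construct a tree mirroring the reported layout (contents are placeholders)."""
    root = base / "extracted_archive"
    root.mkdir(parents=True)
    # Shortcut named like a folder; first bytes mimic a Shell Link header (constructed).
    (root / "Attachments.lnk").write_bytes(b"L\x00\x00\x00" + b"\x00" * 16)
    hidden = root / ".Diagnostics"  # hypothetical name for the hidden directory
    (hidden / "Document").mkdir(parents=True)
    (hidden / "Diagnostic.exe").write_bytes(b"MZ")                     # launcher (placeholder bytes)
    (hidden / "Windows.Diagnostic.Document.EXE").write_bytes(b"MZ")    # RAT installer (placeholder)
    (hidden / "Document" / "memo.pdf").write_bytes(b"%PDF-")           # decoy document (placeholder)
    (root / "README.txt").write_text("benign text file")               # should not be flagged
    return root


def run_demo() -> dict:
    """Build the sample tree in a temp directory, triage it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return triage_extracted_archive(build_sample_tree(Path(tmp)))


if __name__ == "__main__":
    for indicator, paths in run_demo().items():
        print(indicator)
        for p in paths:
            print("   ", p)
```

On a real extraction the hidden check relies on the Windows hidden attribute, which `is_hidden` reads through `st_file_attributes`; the dot-prefix rule only exists so the constructed sample behaves the same on POSIX hosts. Parsing the LNK target itself (to confirm it points into a hidden directory) would be the natural next step and is left out here.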
What Comes Next: The Reconnaissance Phase
After the infection process is initiated, MuddyWater’s operators connect to the compromised system using the legitimate “Advanced Monitoring Agent” for initial reconnaissance. It is then likely that the operators will execute PowerShell code, causing the infected host to communicate with a custom Command and Control (C2) server. While MuddyWater has previously relied on the PhonyC2 framework, Deep Instinct has observed a shift to a new C2 framework, intriguingly named
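The launcher behaviour described in this post is also visible at run time: a process started by Explorer from a user-writable path, which then spawns both a second executable from the same area and a fresh Explorer window pointed at a folder. The script below is an added example (not Deep Instinct’s code) that hunts for exactly that parent/child shape over a small set of constructed, Sysmon-style process-creation events; PIDs, user names and the full paths are hypothetical, only the two file names come from the report.

```python
"""Process-tree hunt for the launcher-plus-decoy-Explorer-window pattern.

Added example, not the original post's code. SAMPLE_EVENTS are constructed;
paths and PIDs are hypothetical.
"""
from collections import defaultdict

# Path fragments that indicate a user-writable location on a Windows host.
USER_WRITABLE_HINTS = ("\\users\\", "\\appdata\\", "\\temp\\", "\\downloads\\")

# Constructed process-creation events (fields modelled on Sysmon Event ID 1).
SAMPLE_EVENTS = [
    {"pid": 1000, "ppid": 600, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    # Victim double-clicks the "Attachments" shortcut; Explorer launches the hidden launcher.
    {"pid": 2000, "ppid": 1000,
     "image": r"C:\Users\victim\Downloads\extracted\.Diagnostics\Diagnostic.exe",
     "cmdline": r"C:\Users\victim\Downloads\extracted\.Diagnostics\Diagnostic.exe"},
    # Launcher runs the remote administration tool installer ...
    {"pid": 2001, "ppid": 2000,
     "image": r"C:\Users\victim\Downloads\extracted\.Diagnostics\Windows.Diagnostic.Document.EXE",
     "cmdline": r"C:\Users\victim\Downloads\extracted\.Diagnostics\Windows.Diagnostic.Document.EXE"},
    # ... and opens an Explorer window on the hidden "Document" folder as a decoy.
    {"pid": 2002, "ppid": 2000, "image": r"C:\Windows\explorer.exe",
     "cmdline": r'explorer.exe "C:\Users\victim\Downloads\extracted\.Diagnostics\Document"'},
    # Benign contrast: a downloaded installer that only hands off to msiexec.
    {"pid": 4000, "ppid": 1000, "image": r"C:\Users\victim\Downloads\setup.exe", "cmdline": "setup.exe"},
    {"pid": 4001, "ppid": 4000, "image": r"C:\Windows\System32\msiexec.exe", "cmdline": "msiexec.exe"},
]


def basename(image: str) -> str:
    return image.rsplit("\\", 1)[-1].lower()


def in_user_writable_path(image: str) -> bool:
    return any(hint in image.lower() for hint in USER_WRITABLE_HINTS)


def find_decoy_launchers(events: list) -> list:
    """Return processes that match: Explorer child, user-writable path, spawns an .exe
    from a user-writable path AND a new explorer.exe given a folder argument."""
    by_pid = {e["pid"]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e)

    hits = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        if parent is None or basename(parent["image"]) != "explorer.exe":
            continue
        if not in_user_writable_path(e["image"]):
            continue
        kids = children[e["pid"]]
        launched = [k for k in kids
                    if basename(k["image"]) != "explorer.exe"
                    and k["image"].lower().endswith(".exe")
                    and in_user_writable_path(k["image"])]
        # explorer.exe with an argument = a window opened on a specific folder
        decoy_windows = [k for k in kids
                         if basename(k["image"]) == "explorer.exe"
                         and len(k["cmdline"].split(None, 1)) > 1]
        if launched and decoy_windows:
            hits.append({
                "pid": e["pid"],
                "image": e["image"],
                "launched": [k["image"] for k in launched],
                "decoy_window": decoy_windows[0]["cmdline"],
            })
    return hits


if __name__ == "__main__":
    for hit in find_decoy_launchers(SAMPLE_EVENTS):
        print(f"pid {hit['pid']}: {hit['image']}")
        print("  launched:", *hit["launched"])
        print("  decoy window:", hit["decoy_window"])
```

The rule deliberately keys on the combination of the two children rather than on either file name, so it still fires if the launcher and installer are renamed in a later campaign. The subsequent PowerShell stage is not modelled here because the post does not describe which process the agent uses to start it.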
Conclusion: MuddyWater’s Resilient and Evolving Threat
MuddyWater persists in its efforts to compromise Israeli targets. The group has impressively updated its TTPs, including the use of a new hosting service, initiating the infection through a LNK file, and employing multi-stage malware that mimics a directory while launching a new remote administration tool.
[1] https://www.deepinstinct.com/blog/muddywater-en-able-spear-phishing-with-new-ttps