Deep Instinct reports a new MuddyWater spear-phishing campaign targeting Israeli entities, with updated tactics, techniques, and infrastructure, including public hosting on Storyblok and a multi-stage infection chain using a LNK launcher and a signed installer for a remote administration tool. The operation culminates in reconnaissance and potential PowerShell-based beacons to a custom C2, with a decoy memo from the Israeli Civil Service Commission used as bait. #MuddyWater #Storyblok #AdvancedMonitoringAgent #AteraAgent #SimpleHelp #IsraeliCivilServiceCommission #MuddyC2Go
Keypoints
- MuddyWater launches a new multi-stage spear-phishing campaign, targeting Israeli targets during ongoing conflict.
- Campaign uses a new hosting channel on Storyblok to deliver archives and payloads.
- Infection chain starts with a LNK file that runs from hidden directories after user interaction with an archive.
- Diagnostic.exe launches the signed installer Windows.Diagnostic.Document.EXE for Advanced Monitoring Agent, while may also open a deceptive Explorer window to show a decoy folder.
- A decoy memo from the Israeli Civil Service Commission is used to mislead victims into opening the attachment.
- Post-compromise activity includes recon, PowerShell execution, and beacons to a custom C2 (potential MuddyC2Go) for command and control.
MITRE Techniques
- [T1566.002] Spearphishing Link – The content of the email lures the victim into downloading an archive hosted at “a.storyblok[.]com”
- [T1059.003] Windows Command Shell – The LNK file uses command-line arguments to start the infection (as shown in LNK command line arguments)
- [T1218] Signed Binary Proxy Execution – The file “Windows.Diagnostic.Document.EXE” is a signed, legitimate installer used to deploy “Advanced Monitoring Agent”
- [T1036] Masquerading – The decoy document is an official memo from the Israeli Civil Service Commission, packaged to appear legitimate
- [T1059.001] PowerShell – PowerShell code is likely executed post-infection to enable beacons
- [T1071.001] Web Protocols – Beacons to a custom C2 server (beaconing behavior) over web protocols
Indicators of Compromise
- [MD5] 37c3f5b3c814e2c014abc1210e8e69a2 – Archive containing Atera Agent
- [MD5] 16923d827a440161217fb66a04e8b40a – Atera Agent Installer
- [MD5] 7568062ad4b22963f3930205d1a14df7 – Archive containing Atera Agent
- [MD5] 39eea24572c14910b67242a16e24b768 – Archive containing Atera Agent
- [MD5] 2e09e53135376258a03b7d793706b70f – Atera Agent Installer
- [MD5] 1f0b9aed4b2c8d958a9b396852a62c9d – Archive containing SimpleHelp
- [MD5] 065f0871b6025b8e61f35a188bca1d5c – SimpleHelp Installer
- [MD5] 146cc3a1a68be349e70b79f9115c496b – defense-video.zip
- [MD5] dd247ccd7cc3a13e1c72bb01cf3a816d – Attachments.lnk
- [MD5] 8d2199fa11c6a8d95c1c2b4add70373a – Diagnostic.exe
- [MD5] 04afff1465a223a806774104b652a4f0 – Advanced Monitoring Agent Installer
- [MD5] 6167f03c8b2734c20eb02d406d3ba651 – Decoy Document (defense-video.zip)
- [MD5] e8f3ecc0456fcbbb029b1c27dc1faad0 – attachments.zip
- [MD5] 952cc4e278051e349e870aa80babc755 – Decoy Document (attachments.zip)
- [URL] ws.onehub[.]com/files/7f9dxtt6 – URL to Archive of Atera Agent
- [URL] a.storyblok[.]com/f/253959/x/b92ea48421/form.zip – URL to Archive of Atera Agent
- [URL] a.storyblok[.]com/f/255988/x/5e0186f61d/questionnaire.zip – URL to Archive of SimpleHelp
- [URL] a.storyblok[.]com/f/259791/x/94f59e378f/questionnaire.zip – URL to Archive of SimpleHelp
- [IP] 146.70.149[.]61 – MuddyWater’s SimpleHelp server
- [IP] 146.70.124[.]102 – Suspected MuddyWater’s SimpleHelp server
- [IP] 37.120.237[.]204 – Suspected MuddyWater’s SimpleHelp server
- [IP] 37.120.237[.]248 – Suspected MuddyWater’s SimpleHelp server
- [URL] a.storyblok[.]com/f/259837/x/21e6a04837/defense-video.zip – URL to Archive of Advanced Monitoring Agent
- [URL] a.storyblok[.]com/f/259791/x/91e2f5fa2f/attachments.zip – URL to Archive of Advanced Monitoring Agent
- [URL] https://github.com/deepinstinct/Israel-Cyber-Warfare-Threat-Actors – Additional IOCs on Deep Instinct GitHub
Read more: https://www.deepinstinct.com/blog/muddywater-en-able-spear-phishing-with-new-ttps