The Iranian nation-state actor known as MuddyWater has been linked to a new spear-phishing campaign targeting two Israeli entities to ultimately deploy a legitimate remote administration tool from N-able called Advanced Monitoring Agent.
Cybersecurity firm Deep Instinct, which disclosed details of the attacks, said the campaign “exhibits updated TTPs to previously reported MuddyWater activity,” which has, in the past, used similar attack chains to distribute other remote access tools like ScreenConnect, RemoteUtilities, Syncro, and SimpleHelp.
While the latest development marks the first time MuddyWater has been seen using N-Able’s remote monitoring software, it also highlights the fact that largely unchanged methodology continues to provide threat actors with some degree of success.
The findings were also separately confirmed by cybersecurity company Group-IB in a post shared on Twitter.
The state-sponsored group is a cyber espionage crew that’s said to be a subordinate element within Iran’s Ministry of Intelligence and Security (MOIS), joining other MOIS-affiliated clusters like OilRig, Lyceum, Agrius, and Scarred Manticore. It has been active since at least 2017.
Prior attack sequences have entailed sending spear-phishing emails with direct links as well as HTML, PDF, and RTF attachments containing links to archives hosted on various file-sharing platforms that ultimately drop one of the aforementioned remote administration tools.
The latest tactics and tools for Mango Sandstorm and the group known as Static Kitten represent a continuation in some ways and an evolution in other ways.
What’s different this time is the use of a new file-sharing service called StoryBloks to introduce a multi-stage infection vector.
“It contains hidden files, an LNK file that initiates the infection, and an executable file designed to unhide a decoy document while executing Advanced Monitoring Agent, a remote administration tool,” security researcher Simon Kenin said in a Wednesday analysis.
“Once the victim is infected, the MuddyWater operator will connect to the infected host using legitimate remote administration tools and begin reconnaissance on the target.”
The inducement document shown to the victim is an official memorandum of the Israeli Civil Service Commission, which can be publicly downloaded from its official website.
In a further sign of Iran’s fast improving malicious cyber capabilities, Deep Instinct said it also spotted the MuddyWater actors leveraging a new command-and-control (C2) framework called MuddyC2Go, a successor to MuddyC3 and PhonyC2.