MuddyWater eN-Able Spear-Phishing with New TTPs

Created: Thursday, November 2, 2023 - 11:42
Categories: Cybersecurity

Cybersecurity firm Deep Instinct recently observed a new spear-phishing campaign from the Iranian state-sponsored group “Muddy Water” targeting two entities in Israel using updated TTPs. In the past, Muddy Water has used PDF, RTF, and HTML attachments containing links to archives hosted on various file-sharing platforms. These archives contained installers for remote administration tools such as ScreenConnect, RemoteUtilities, and Syncro. While the threat actors are reusing these tools in the latest campaign, researchers note the use of a new file-sharing service, “Storyblok,” and a new multi-stage infection vector: hidden files, an LNK file that initiates the infection, and an executable designed to unhide a decoy document while executing a remote administration tool dubbed “Advanced Monitoring Agent.”

The end goal of this campaign is to gather intelligence on Israeli entities that could benefit Hamas during the ongoing conflict. Although the initial infection vector is unclear, researchers suspect the latest campaign was most likely initiated with a spear-phishing email. In this case, the email contains an archive hosted at “a.storyblok[.]com” masquerading as a “defense-video.zip” to lure recipients into opening it. Inside the archive are hidden folders and an LNK file named “Attachments,” which, when opened, executes a file from one of the hidden directories. This file then launches further executables, leading to the deployment of the remote monitoring tool. At the same time, a decoy document is opened in a new Windows Explorer window to divert the victim’s attention. “The decoy document is an official memo from the Israeli Civil Service Commission, which can be publicly downloaded from their website,” the researchers note.
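As a defender-side illustration of the archive layout described above (one visible LNK at the root next to hidden folders holding the real executables), here is an added Python triage script; it is not code from Deep Instinct or the report, and the sample archive, its file names and its placeholder contents are constructed for the example.

```python
import io
import zipfile

# DOS attribute bits live in the low byte of a ZIP entry's external_attr
# when the archive was built on Windows (create_system == 0).
ATTR_HIDDEN = 0x02
ATTR_DIRECTORY = 0x10
EXEC_SUFFIXES = (".exe", ".dll", ".bat", ".cmd", ".vbs", ".ps1")


def triage_archive(data: bytes) -> dict:
    """Return findings for the layout the report describes: a .lnk at the
    archive root beside hidden folders that hold the executables."""
    findings = {"lnk_at_root": [], "hidden_entries": [], "hidden_execs": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
        # Folders carrying the HIDDEN attribute: files below them are hidden
        # from the victim even if their own attribute byte is clean.
        hidden_dirs = [i.filename for i in infos
                       if i.is_dir() and i.external_attr & ATTR_HIDDEN]
        for info in infos:
            name = info.filename
            hidden = bool(info.external_attr & ATTR_HIDDEN) or any(
                name.startswith(d) for d in hidden_dirs)
            if hidden:
                findings["hidden_entries"].append(name)
                if name.lower().endswith(EXEC_SUFFIXES):
                    findings["hidden_execs"].append(name)
            # The only visible item is the shortcut the victim is meant to open.
            elif "/" not in name and name.lower().endswith(".lnk"):
                findings["lnk_at_root"].append(name)
    findings["suspicious"] = bool(findings["lnk_at_root"] and findings["hidden_execs"])
    return findings


def build_sample_archive() -> bytes:
    """Constructed archive mirroring the reported layout; contents are inert
    placeholder bytes, not files from the campaign."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        def add(name: str, payload: bytes, attrs: int) -> None:
            zi = zipfile.ZipInfo(name)
            zi.external_attr = attrs          # low byte = DOS attributes
            zf.writestr(zi, payload)
        add("Attachments.lnk", b"placeholder shortcut", 0)
        add("hidden/", b"", ATTR_DIRECTORY | ATTR_HIDDEN)
        add("hidden/stage1.exe", b"placeholder executable", 0)  # hidden via folder
        add("hidden/memo.pdf", b"placeholder decoy", ATTR_HIDDEN)
    return buf.getvalue()
```

Run `triage_archive(build_sample_archive())` to see the flagged entries; on an archive produced on Linux or macOS the DOS attribute byte is usually empty, so the hidden-folder check only applies to Windows-built archives.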

The development comes after FBI Director Christopher Wray stated that the U.S. is preparing for a potential onslaught of Iranian cyberattacks. So far, Israel has been the sole target of cyberattacks in the ongoing Israel-Hamas conflict. However, Wray expects the U.S. and other nations to be targeted by the Hamas-aligned regime’s cyber operatives in retaliation for their support of the Israeli government. In short, staying up to date on the TTPs employed by nation-state actors like Muddy Water can be crucial to safeguarding against potential attacks. Read more at Deep Instinct.