MuddyWater eN-Able spear-phishing with new TTPs

Executive summary:
  • Deep Instinct’s Threat Research team has identified a new campaign from the “MuddyWater” group
  • The campaign has been observed attacking two Israeli targets
  • The campaign exhibits updated TTPs compared to previously reported MuddyWater activity

Figure 1: Campaign overview

Introduction

Previous research showed that MuddyWater has sent spear-phishing emails, starting back in 2020, with direct links, as well as PDF, RTF, and HTML attachments containing links to archives hosted on various file-sharing platforms.

Those archives contained installers for various legitimate remote administration tools.

Before launching the new campaign during the Israel-Hamas war, MuddyWater reused previously known remote administration tools, utilizing a new file-sharing service called “Storyblok.”

On October 30th, Deep Instinct identified two archives hosted on “Storyblok” containing a new multi-stage infection vector: hidden files, an LNK file that initiates the infection, and an executable designed to unhide a decoy document while executing Advanced Monitoring Agent, a remote administration tool.

This is the first public report about MuddyWater utilizing this remote administration tool.

The Multi-stage Social Engineering Campaign

While Deep Instinct could not verify the spreading mechanism of the new campaign, it most likely starts with a spear-phishing email, similar to previous campaigns.

The content of the email lures the victim into downloading an archive hosted at “a.storyblok[.]com”.

In this analysis, we examine the “” file.

When the archive is extracted, several folders must be navigated until a LNK shortcut, which looks like another folder named “Attachments,” is found:

Figure 2: LNK Shortcut

However, there are additional hidden folders and files extracted from the archive:

Figure 3: Hidden folders

When the victim opens the LNK file, the infection chain starts.

By examining the LNK file, we can see that it executes an executable from one of the hidden directories:

Figure 4: LNK command line arguments

The file “Diagnostic.exe” has been used in both archives Deep Instinct observed. The purpose of this file is to execute another executable called “Windows.Diagnostic.Document.EXE,” which is located in the hidden directory named “.end” under a “Windows.Diagnostic.Document” hidden directory.

The file named “Windows.Diagnostic.Document.EXE” is a signed, legitimate installer for “Advanced Monitoring Agent.”

In addition to executing the remote administration tool, “Diagnostic.exe” also opens a new Windows Explorer window of the hidden “Document” folder. This is done to fool the victim that opened the LNK file into thinking that it was indeed a folder.
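As an added defensive example (not Deep Instinct’s code and not taken from the campaign files), the following parses the MS-SHLLINK header and string data of a shortcut to recover its target path and command-line arguments, then flags the pattern described above: an executable launched from a hidden or dot-prefixed directory next to the LNK. The `build_lnk` helper and the `.\.hidden\Diagnostic.exe` path are constructed for offline testing; the real archive layout is only as described in the text.

```python
import struct
# LinkFlags and FileAttributes bits from the MS-SHLLINK specification
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_NAME = 0x01, 0x02, 0x04
HAS_RELATIVE_PATH, HAS_WORKING_DIR, HAS_ARGUMENTS = 0x08, 0x10, 0x20
HAS_ICON_LOCATION, IS_UNICODE, FILE_ATTRIBUTE_HIDDEN = 0x40, 0x80, 0x02
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

def parse_lnk(data: bytes) -> dict:
    """Read ShellLinkHeader + StringData; the IDList and LinkInfo blocks are skipped."""
    header_size, clsid, flags, attrs = struct.unpack_from("<I16sII", data, 0)
    if header_size != 0x4C or clsid != LNK_CLSID:
        raise ValueError("not a shell link file")
    pos = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:          # IDListSize (uint16) + items
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                    # LinkInfoSize includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    info = {"target_hidden": bool(attrs & FILE_ATTRIBUTE_HIDDEN)}  # attrs describe the target
    for key, bit in (("name", HAS_NAME), ("relative_path", HAS_RELATIVE_PATH),
                     ("working_dir", HAS_WORKING_DIR), ("arguments", HAS_ARGUMENTS),
                     ("icon_location", HAS_ICON_LOCATION)):
        if flags & bit:                          # CountCharacters (uint16) then characters
            count = struct.unpack_from("<H", data, pos)[0]
            pos += 2
            width = 2 if flags & IS_UNICODE else 1
            info[key] = data[pos:pos + width * count].decode("utf-16-le" if width == 2 else "cp1252")
            pos += width * count
    return info

def suspicious_reasons(info: dict) -> list:
    """Heuristics for a shortcut that launches an executable from a hidden location."""
    target = info.get("relative_path", "").replace("/", "\\")
    reasons = []
    if any(p.startswith(".") and p not in (".", "..") for p in target.split("\\")):
        reasons.append("target sits under a dot-prefixed directory")
    if info["target_hidden"]:
        reasons.append("target carries the HIDDEN file attribute")
    if reasons and target.lower().endswith(".exe"):
        reasons.append("executable launched from a hidden location")
    return reasons

def build_lnk(relative_path: str, arguments: str = "", target_hidden: bool = False) -> bytes:
    """Constructed minimal Unicode .lnk for offline testing; not the campaign's sample."""
    flags = HAS_RELATIVE_PATH | HAS_WORKING_DIR | HAS_ARGUMENTS | IS_UNICODE
    attrs = FILE_ATTRIBUTE_HIDDEN if target_hidden else 0
    header = struct.pack("<I16sII", 0x4C, LNK_CLSID, flags, attrs) + bytes(0x4C - 28)
    def s(text: str) -> bytes:  # CountCharacters (uint16) + UTF-16LE characters
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")
    return header + s(relative_path) + s(".") + s(arguments)

if __name__ == "__main__":
    lnk = build_lnk(".\\.hidden\\Diagnostic.exe", target_hidden=True)  # constructed placeholder path
    print(suspicious_reasons(parse_lnk(lnk)))
```

The same parser can be run over every `.lnk` found in an extracted archive; a shortcut with a folder-like name whose target scores here is the case this campaign relies on.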

The decoy document is an official memo from the Israeli Civil Service Commission, which can be publicly downloaded from their website.

The memo describes what to do in case a government worker expresses opinions against the Israeli state on social networks:

Figure 5: Decoy document

Conclusion

MuddyWater continues to attack Israeli targets in various ongoing campaigns.

In this campaign, MuddyWater employs updated TTPs. These include a new public hosting service, employing a LNK file to initiate the infection, and utilizing intermediate malware that mimics the opening of a directory while executing a new remote administration tool.

After the victim has been infected, the MuddyWater operator will connect to the infected host using the legitimate remote administration tool and will start doing reconnaissance on the target.

After the reconnaissance phase, the operator will likely execute PowerShell code which will cause the infected host to beacon to a custom C2 server.

MuddyWater has used PhonyC2 in the past. However, Deep Instinct recently observed MuddyWater using a new C2 framework named MuddyC2Go – a detailed blog will be published soon, stay tuned.

IOCs:

File / Description
  Archive containing Atera Agent
  Atera Agent Installer
  Archive containing Atera Agent
  Archive containing Atera Agent
  Atera Agent Installer
  Archive containing SimpleHelp
  SimpleHelp Installer
  146cc3a1a68be349e70b79f9115c496b  防御视频.zip
  Attachments.lnk
  Diagnostic.exe
  Advanced Monitoring Agent Installer
  Decoy Document (
  e8f3ecc0456fcbbb029b1c27dc1faad0  附件 .zip
  Decoy Document (

Network / Description
  URL to Archive of Atera Agent
  URL to Archive of Atera Agent
  URL to Archive of Atera Agent
  URL to Archive of SimpleHelp
  MuddyWater’s SimpleHelp server
  Suspected MuddyWater’s SimpleHelp server
  Suspected MuddyWater’s SimpleHelp server
  Suspected MuddyWater’s SimpleHelp server
  URL to Archive of Advanced Monitoring Agent
  URL to Archive of Advanced Monitoring Agent

Additional IOCs regarding MuddyWater can be found on our GitHub page:


Originally published by Simon Kenin: MuddyWater eN-Able spear-phishing with new TTPs

Copyright notice: posted by admin on November 11, 2023 at 2:40 PM.
Please credit when reposting: MuddyWater eN-Able spear-phishing with new TTPs | CTF导航