Threats Feed|MuddyWater|Last Updated 25/07/2024|AuthorCertfa Radar|Publish Date07/03/2024

MuddyWater's Covert Phishing Campaign Targets Israeli Government Sectors

  • Actor Motivations: Espionage
  • Attack Vectors: Spear Phishing
  • Attack Complexity: Medium
  • Threat Risk: Low Impact/High Probability

Threat Overview

In March 2024, the National Cyber Directorate of Israel detected a sophisticated phishing campaign attributed to the Iranian group MuddyWater. This campaign, primarily targeting government and local government sectors in Israel, employs phishing emails with links to malicious ZIP files hosted on Onehub. These files contain the ScreenConnect tool, which enables remote control over compromised computers, allowing for sustained network access. MuddyWater is known for its expertise in social engineering and exploiting vulnerabilities, actively targeting sectors like aviation, academia, communications, government, and energy. Their focus is on maintaining a stealthy presence to facilitate further malicious activities.

Detected Targets

TypeDescriptionConfidence
SectorGovernment Agencies and Services
Verified
RegionIsrael
Verified

Extracted IOCs

  • ws.onehub[.]com
  • 3e27d0ba0af54707a212c61f54fcb849
  • 5d013b96a25f0610cd1ac45d61d44d7e
  • 5d61614099d6d567441d15c58d6517b0
  • 6bc591f4e8eb1ea54b4d6defd019bee8
  • a2571577f281eda9548d9047b37cbbb8
  • 0467a0dd4f9e92d54e3d059aed49f282f2ccf40e
  • 05018fa6bed64e912ea6398964a827e6ac980294
  • 71093d587278185fd831783acb2a97444ad661d8
  • a65d4b46ba7fcb3b023f61303e65f0c494b63386
  • bb8647eeaf1acadbb2aa7d67222d4ab8054ac645
  • 0a3f7cefa0edd06425e2361fc5a6122a045d0ff73d5005f2902c449fd4d87e78
  • 4b41b605ffc0e31bd9d460d5a296ac6e8cfd56a215dc131e90ec2654f0ffe31b
  • 743dcb0efe49a0b6925f3e6d4aa98df262942600046d730dcfe5729fad5c0e4d
  • 7e6a5e32596b99f45ea9099a14507a82c10a460c56585499d7cd640f2625567f
  • 804e92b3ebc37694e76df74773e87771666076fef472163fe14424ba474edb67
  • 85103955e35a1355ce68a92eaedd8f9376de1927d95bf12657b348dea6a8077b
  • af31ac5afd79aee6cb5985640369ca91a0f5929f49e6f4cb6ac947e0056c5d44
  • bab601635aafeae5fbfe1c1f7204de17b189b345efd91c46001f6d83efbb3c5a
  • hxxps://ws.onehub[.]com/files/fssfypeo
  • hxxps://ws.onehub[.]com/files/guicxazo
  • hxxps://ws.onehub[.]com/files/its3pn2g
  • hxxps://ws.onehub[.]com/files/jgt2zodj
  • hxxps://ws.onehub[.]com/files/x68hqy91
  • hxxp://ws.onehub[.]com/files/97lrcyvc
  • hxxp://ws.onehub[.]com/files/gts7uevh
  • hxxp://ws.onehub[.]com/files/rkbziarl
  • hxxp://ws.onehub[.]com/files/v5ww52ne
download

Tip: 28 related IOCs (0 IP, 1 domain, 9 URL, 0 email, 18 file hash) to this threat have been found.

Overlaps

MuddyWaterMuddyWater Targets Global Sectors with Phishing and BugSleep Backdoor

Source: Check Point - July 2024

Detection (one case): ws.onehub[.]com

MuddyWaterMuddyWater Expands Cyber Espionage Tactics Using Atera Agents Across Multiple Sectors

Source: HarfangLab - April 2024

Detection (six cases): hxxps://ws.onehub[.]com/files/x68hqy91, 4b41b605ffc0e31bd9d460d5a296ac6e8cfd56a215dc131e90ec2654f0ffe31b, 7e6a5e32596b99f45ea9099a14507a82c10a460c56585499d7cd640f2625567f, 85103955e35a1355ce68a92eaedd8f9376de1927d95bf12657b348dea6a8077b, bab601635aafeae5fbfe1c1f7204de17b189b345efd91c46001f6d83efbb3c5a, ws.onehub[.]com

MuddyWaterMuddyWater Group Adopts New Tactics in Spear-Phishing Campaigns

Source: Malwation - March 2024

Detection (one case): ws.onehub[.]com

MuddyWaterMuddyWater's Renewed Cyber Campaign Targets Israeli Entities

Source: Deep Instinct - November 2023

Detection (one case): ws.onehub[.]com

Static KittenStatic Kitten Launches Cyberespionage Attack on UAE and Kuwait Government Sectors

Source: Anomali - February 2021

Detection (one case): ws.onehub[.]com

Hint: Overlaps are extracted automatically by examining the IOCs associated with all indexed threats and actors.