Threats Feed | MuddyWater | Last Updated: 13/03/2024 | Author: Certfa Radar | Publish Date: 07/03/2024

MuddyWater's Covert Phishing Campaign Targets Israeli Government Sectors

  • Actor Motivations: Espionage
  • Attack Vectors: Spear Phishing
  • Attack Complexity: Medium
  • Threat Risk: Low Impact/High Probability

Threat Overview

In March 2024, the National Cyber Directorate of Israel detected a sophisticated phishing campaign attributed to the Iranian group MuddyWater. This campaign, primarily targeting government and local government sectors in Israel, employs phishing emails with links to malicious ZIP files hosted on Onehub. These files contain the ScreenConnect tool, which enables remote control over compromised computers, allowing for sustained network access. MuddyWater is known for its expertise in social engineering and exploiting vulnerabilities, actively targeting sectors like aviation, academia, communications, government, and energy. Their focus is on maintaining a stealthy presence to facilitate further malicious activities.

Detected Targets

Sector: Government Agencies and Services

Extracted IOCs


Tip: 28 IOCs related to this threat have been found (0 IP, 1 domain, 9 URL, 0 email, 18 file hash).


MuddyWater: MuddyWater Group Adopts New Tactics in Spear-Phishing Campaigns

Source: Malwation - March 2024

Detection (one case): ws.onehub[.]com

MuddyWater: MuddyWater's Renewed Cyber Campaign Targets Israeli Entities

Source: Deep Instinct - November 2023

Detection (one case): ws.onehub[.]com

Static Kitten: Static Kitten Launches Cyberespionage Attack on UAE and Kuwait Government Sectors

Source: Anomali - February 2021

Detection (one case): ws.onehub[.]com

Hint: Overlaps are extracted automatically by examining the IOCs associated with all indexed threats and actors.