The Israel National Cyber Directorate (INCD) identified a large-scale phishing campaign against Israeli organizations that it connects to the Iranian-linked group MuddyWater, the directorate said Thursday.
The attacks usually begin with the phishers breaching a legitimate organization’s email accounts and using them to send messages that appear authentic: written in proper Hebrew, with appropriate content and attachments carrying relevant file names, including a Word document that contains the BlackBeard malware.
Once a user enables the Word document's content, BlackBeard is installed.
BlackBeard gives the attacker full control of the compromised user’s system, allowing them to map the environment and download additional attack components while bypassing security products and tools.
The compromised user’s email is used to spread the infection both inside and outside the organization, enabling it to reach thousands of recipients.
What is MuddyWater?
MuddyWater operates under the authority of the Iranian Ministry of Intelligence and Security (MOIS), according to the INCD.
Started in 2017, MuddyWater focuses on cyber espionage (CNE) operations. The group operates across multiple countries, including Israel, Turkey, the UAE, the United Kingdom, and the United States, and targets organizations in government, telecommunications, healthcare, academia, and IT services.
MuddyWater’s attacks on Israeli organizations are characterized by the distribution of phishing campaigns, the use of custom-developed tools, and a decentralized command-and-control infrastructure. Several phishing campaigns with similar characteristics were identified in Israeli cyberspace.