The Iranian cyber espionage group known as MuddyWater has deployed a new custom backdoor in its latest campaign, departing from its usual practice of relying on legitimate remote monitoring and management (RMM) software to maintain persistent access.
According to independent analyses from cybersecurity firms Check Point and Sekoia, the newly identified malware has been named BugSleep and MuddyRot, respectively.
“Contrasted with antecedent campaigns, MuddyWater has altered their infection sequence and forsaken the legitimate Atera remote monitoring and management tool (RMM) as a linchpin,” Sekoia said in a report shared with The Hacker News. “Instead, our observations reveal the deployment of a nascent, undocumented implant.”
Certain aspects of this campaign were initially disclosed by Israeli cybersecurity entity ClearSky on June 9, 2024. The assault targets include nations such as Turkey, Azerbaijan, Jordan, Saudi Arabia, Israel, and Portugal.
MuddyWater (also recognized as Boggy Serpens, Mango Sandstorm, and TA450) is a state-sponsored threat collective purportedly linked to Iran’s Ministry of Intelligence and Security (MOIS).
Historically, the group’s cyber incursions have been notably consistent, employing spear-phishing tactics via emails to deliver an array of RMM tools such as Atera Agent, RemoteUtilities, ScreenConnect, SimpleHelp, and Syncro.
Earlier in April, HarfangLab reported a surge in MuddyWater operations deploying Atera Agent since late October 2023, targeting enterprises across Israel, India, Algeria, Turkey, Italy, and Egypt. The industries affected span airlines, IT firms, telecommunications, pharmaceuticals, automotive manufacturing, logistics, travel, and tourism.
“MuddyWater assigns significant importance to breaching business email accounts as a critical component of their sustained attack strategies,” the French cybersecurity firm remarked at the time.
“These compromised accounts function as strategic assets, amplifying the group’s spear-phishing campaign credibility, facilitating persistent access within victim organizations, and evading detection by blending with authentic network traffic.”
The recent attack methodologies remain consistent, with compromised email accounts from legitimate enterprises used to dispatch spear-phishing emails containing either a direct link or a PDF attachment leading to an Egnyte subdomain, previously exploited by the threat actor to disseminate Atera Agent.
BugSleep, also referred to as MuddyRot, is an x64 implant written in C. Its capabilities include downloading and uploading arbitrary files to and from the compromised system, launching a reverse shell, and establishing persistence. Communication with the command-and-control (C2) server takes place over a raw TCP socket on port 443 rather than over TLS.
“The initial communication to the C2 comprises the victim host’s fingerprint, a concatenation of the hostname and username,” Sekoia reported. “If the victim receives a ‘-1’ response, the program halts; otherwise, the malware enters an infinite loop awaiting new commands from the C2.”
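The two details above, a raw (non-TLS) socket on port 443 and a first message built from the victim's hostname and username, give defenders something concrete to look for. The following is an added detection example (not code from Sekoia, Check Point, or the malware itself) that triages outbound flows to TCP/443 by checking whether the client's first bytes form a TLS ClientHello and, if not, whether they look like a plaintext host fingerprint. The flow records, addresses and the delimiter-free hostname+username format are constructed assumptions; the report only says the two values are concatenated.

```python
import string

def is_tls_client_hello(first_bytes: bytes) -> bool:
    """True if the client's first bytes are a TLS handshake record carrying a
    ClientHello: content type 0x16, version 0x03 0x01..0x04, handshake type 0x01."""
    return (len(first_bytes) >= 6
            and first_bytes[0] == 0x16
            and first_bytes[1] == 0x03 and first_bytes[2] <= 0x04
            and first_bytes[5] == 0x01)

def looks_like_host_fingerprint(first_bytes: bytes, hostname: str, username: str) -> bool:
    """Sekoia reports the first C2 message is hostname + username. The delimiter
    is undocumented, so we only require both values inside printable ASCII text
    (assumption: the fingerprint is sent unencrypted)."""
    try:
        text = first_bytes.decode("ascii")
    except UnicodeDecodeError:
        return False
    if not all(ch in string.printable for ch in text):
        return False
    return hostname.lower() in text.lower() and username.lower() in text.lower()

def triage_flows(flows, hostname: str, username: str):
    """flows: iterable of dicts with 'dst', 'dport', 'first_bytes' (client payload).
    Returns one alert per port-443 flow that does not start with a ClientHello;
    severity is raised when the payload also carries the host fingerprint."""
    alerts = []
    for flow in flows:
        if flow["dport"] != 443 or is_tls_client_hello(flow["first_bytes"]):
            continue  # ordinary HTTPS, or not the port this implant uses
        fingerprinted = looks_like_host_fingerprint(flow["first_bytes"], hostname, username)
        alerts.append({
            "dst": flow["dst"],
            "severity": "high" if fingerprinted else "medium",
            "reason": "raw TCP/443 with hostname+username in first bytes"
                      if fingerprinted else "raw TCP/443 without TLS handshake",
        })
    return alerts

# Constructed sample flows; addresses are RFC 5737 placeholders, not indicators.
SAMPLE_FLOWS = [
    {"dst": "203.0.113.10", "dport": 443,                      # genuine TLS
     "first_bytes": bytes.fromhex("160301 00c8 01 0000c4 0303".replace(" ", ""))},
    {"dst": "203.0.113.20", "dport": 443,                      # fingerprint-style beacon
     "first_bytes": b"WS-FIN-07jdoe"},
    {"dst": "203.0.113.30", "dport": 443,                      # raw binary on 443
     "first_bytes": b"\x00\x01\x02\x03\x04\x05"},
    {"dst": "203.0.113.40", "dport": 80, "first_bytes": b"GET / HTTP/1.1\r\n"},
]

if __name__ == "__main__":
    for alert in triage_flows(SAMPLE_FLOWS, "WS-FIN-07", "jdoe"):
        print(alert)
```

Where the first client bytes are not available, the same idea can be applied to Zeek-style connection logs by flagging port-443 flows whose detected service is not ssl.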
The rationale behind MuddyWater’s shift to a bespoke implant remains ambiguous, though it is hypothesized that enhanced scrutiny of RMM tools by security vendors may have influenced this change.
“The escalating activity of MuddyWater in the Middle East, particularly in Israel, underscores the relentless nature of these threat actors, who persist in targeting a diverse array of entities in the region,” Check Point commented.
“Their unwavering use of phishing expeditions, now integrated with a custom backdoor, BugSleep, signifies a noteworthy evolution in their techniques, tactics, and procedures (TTPs).”