Iranian nation state actor known as MuddyWater has seen the use of a never-before-seen backdoor in a recent attack campaign, a departure from the well-known tactic of deploying legitimate remote monitoring and management (RMM) software to maintain constant access.
This follows independent findings from cybersecurity firms Check Point and Sekoia, which codenamed the malware strain BugSleep and MuddyRotrespectively.
“Compared to previous campaigns, this time MuddyWater changed the chain of infection and did not rely on Atera’s legitimate Remote Monitoring and Management (RRM) tool as a validator,” Sekoia said. said in a report shared with The Hacker News. “Instead, we noticed that they were using a new and undocumented implant.”
Some elements of the campaign were the first common Israeli Cyber Security Company ClearSky Jun 9, 2024 Targets include Turkey, Azerbaijan, Jordan, Saudi Arabia, Israel and Portugal.
MuddyWater (aka Boggy Serpens, Mango Sandstorm and TA450) is a state threat organization believed to be linked to Iran’s Ministry of Intelligence and Security (MOIS).
Cyberattacks by the group have been fairly consistent, using phishing lures in email messages to deliver various RMM tools like Atera Agent, RemoteUtilities, ScreenConnect, SimpleHelp and Syncro.
Earlier this April, HarfangLab said it had seen an increase in the number of MuddyWater companies supplying Atera Agent to businesses in Israel, India, Algeria, Turkey, Italy and Egypt since the end of October 2023. Target sectors include airlines, IT companies, telecommunications, pharmaceuticals, automotive, logistics, travel and tourism.
French cybersecurity firm “MuddyWater places a high priority on gaining access to business email accounts as part of its ongoing attack campaigns.” noted at that time.
“These compromised accounts serve as valuable resources that allow the group to increase the credibility and effectiveness of its phishing efforts, establish resilience within targeted organizations, and avoid detection by blending in with legitimate network traffic.”
The latest chain of attacks is no different in that compromised email accounts belonging to legitimate companies are used to send phishing emails containing a direct link or PDF attachment pointing to an Egnyte subdomain that was previously abused threat actor to distribute Atera Agent.
BugSleep, aka MuddyRot, is an x64 implant developed in C that is equipped with capabilities to download/upload arbitrary files to/from a compromised host, run a reverse shell, and configure persistence. Communication with the management server (C2) is via a raw TCP socket on port 443.
“The first message sent to C2 is the victim’s fingerprint, which is a combination of hostname and username joined by a slash,” Sekoya said. “If the victim received a ‘-1’, the program terminates, otherwise the malware enters an infinite loop to wait for a new command from C2.”
It is unclear at this time why MuddyWater switched to using a custom implant, although it is suspected that increased monitoring of RMM tools by security vendors may have played a role.
“MuddyWater’s increased activity in the Middle East, particularly in Israel, underscores the persistent nature of these threats, which continue to operate against a wide variety of targets in the region,” Check Point. said.
“Their consistent use of phishing campaigns, which now include their own backdoor, BugSleep, represents a marked evolution in their methods, tactics and procedures (TTP).”
