Iranian threat group MuddyWater, linked to MOIS, has escalated attacks on Israel since October 2023, mirroring actions against Saudi Arabia, Turkey, Azerbaijan, India, and Portugal. The group deploys phishing campaigns, often from compromised accounts, to install legitimate RMM tools like Atera Agent and Screen Connect.
Recently, they introduced a new backdoor, BugSleep, specifically targeting Israeli organizations for command execution and file transfer, demonstrating ongoing development and refinement.
MuddyWater has intensified phishing campaigns since February 2024, targeting over 10 sectors with tailored lures and generic webinar invitations from compromised accounts.
Initially focusing on specific industries like municipalities, they now employ a broader approach with English-language lures and payloads like RMM tools and the new BugSleep backdoor, indicating a shift towards more scalable and potentially higher-impact attacks.
MuddyWater leverages Egnyte subdomains to deploy BugSleep malware:
MuddyWater leverages Egnyte, a secure file-sharing platform, to distribute BugSleep malware, where attackers create Egnyte subdomains mimicking target company names, enhancing phishing email legitimacy.
Shared links display seemingly authentic sender names, like “Khaled Mashal” for a Saudi transportation company, to deceive recipients into opening malicious archive files containing the BugSleep backdoor.
BugSleep is a rapidly evolving malware used by MuddyWater to establish persistent backdoors on compromised systems by employing anti-analysis techniques, simple encryption for communication and configuration, and a basic command-and-control structure.
The malware is designed to steal files, execute commands, and maintain persistence through scheduled tasks, while recent versions have incorporated evasion tactics to hinder EDR detection, demonstrating the attacker’s adaptability and focus on maintaining stealthy operations.
The BugSleep loader employs a custom injector targeting specific processes by decrypting shellcode using a hardcoded shift and injecting it into the target process using the WriteProcessMemory and CreateRemoteThread APIs.
It exhibits several coding errors, including incorrect encryption/decryption logic, unnecessary file operations, and unencrypted API names, which suggest rushed development or code reuse without proper understanding, potentially impacting malware functionality and evasive capabilities.
According to CheckPoint Research, MuddyWater campaigns target a broad spectrum of organizations, including government bodies, municipalities, media outlets, and travel agencies, primarily in Israel but also in Turkey, Saudi Arabia, India, and Portugal.
The group employs phishing emails, using lures like Azerbaijani-language PDFs to entice victims into downloading malware, where the attackers leverage compromised accounts to distribute malicious payloads, indicating a potential supply chain attack vector.