Iranian APT Group MuddyWater Develops New Backdoor Malware 'BugSleep'


Posted on: 18 Jul 2024 | Author: Foresiet

The Iranian cyber-espionage group MuddyWater has shifted from relying on legitimate remote monitoring and management (RMM) tools to deploying a custom backdoor known as 'BugSleep.' The pivot is a notable change in the group's tradecraft as it continues to target Israel, Saudi Arabia, and other countries in the region.

A New Threat Emerges

As of April, MuddyWater was still relying on spear-phishing and exploitation of internet-exposed servers to gain a foothold, then installing RMM platforms such as SimpleHelp or Atera to keep control of compromised hosts. By June the group had changed its delivery chain: it began sending malicious PDF files containing a link to an archive hosted on Egnyte, and the executable inside that archive installs the new 'BugSleep' backdoor. Security provider Sekoia has been tracking these developments and described the change in its latest advisory.

Rapid Development and Frequent Updates

Check Point Software has also observed this shift, noting that MuddyWater has been refining 'BugSleep' since May. The backdoor has seen rapid improvements and bug fixes, although new defects often arrive with each update. According to Sergey Shykevich, Threat Intelligence Group Manager at Check Point Software, the group's swift move to custom malware likely stemmed from the diminishing effectiveness of its earlier remote-management-tool tactics.

Iran's Cyber-Espionage Prowess

MuddyWater has been a significant cyber-threat actor in the Middle East since at least 2018. The group, part of the Iranian Ministry of Intelligence and Security (MOIS), has targeted numerous government agencies and critical industries. Known by various names, including Earth Vetala, MERCURY, Static Kitten, Seedworm, and TEMP.Zagros, MuddyWater has consistently demonstrated advanced capabilities and persistence in their attacks.

Analyzing BugSleep

The 'BugSleep' backdoor employs several anti-analysis techniques, such as delaying execution (sleeping) so that short-lived automated sandbox runs finish before the payload acts, and encrypting its data. The encryption, however, is inconsistently or incorrectly implemented in several samples. The program also shows odd behaviour, such as creating and then deleting files it never uses, which indicates that the code is still under active development; defenders should expect sample-to-sample variation and avoid over-fitting detections to a single build.

Historically, MuddyWater wrote its own backdoors, such as POWERSTATS, in PowerShell, before leaning on legitimate remote management tools. Increased scrutiny of those tools by security vendors has likely prompted the shift back to custom malware.

The Use of Egnyte for Malicious Hosting

The group's recent campaigns have leveraged Egnyte, a legitimate file-sharing service, to host their malicious documents. The tactic is becoming more common among attackers: the free trial periods such services offer provide a temporary but effective platform for delivering payloads, and links to a reputable SaaS domain are less likely to be blocked by URL-reputation filters than links to attacker-registered infrastructure.

Persistent Phishing Campaigns

MuddyWater's phishing lures have become more generic over time, now built around themes such as webinars and online courses. This lets the group scale its campaigns, sending hundreds of malicious emails to many recipients within the same organization or sector.
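The two preceding sections describe a pattern that is cheap to hunt for in mail-gateway logs: an external sender pushing links on a legitimate file-sharing service (Egnyte in this case) to many mailboxes in one organization, under a generic webinar or course theme. The following script is an added illustration written for this page, not code from the article, Check Point or Sekoia. The log field names, the internal domain example.org, the lure keyword list, the extra file-sharing hosts and the sample records are all constructed assumptions for the demo.

```python
"""Hunt mail-gateway logs for file-sharing lure campaigns (added example)."""
from collections import defaultdict
from urllib.parse import urlparse

# Egnyte is named in the article; the other hosts are assumptions for the demo.
FILE_SHARING_HOSTS = {"egnyte.com", "dropbox.com", "wetransfer.com"}
# Generic lure themes mentioned in the article, plus assumed variants.
LURE_KEYWORDS = ("webinar", "course", "training", "invitation")
INTERNAL_DOMAIN = "example.org"  # assumed defender domain

# Constructed sample gateway records (not real campaign data).
SAMPLE_LOG = [
    {"ts": "2024-06-10T08:01:00Z", "sender": "events@lure-example.net",
     "recipient": "a.user@example.org", "subject": "Webinar: Cloud Security Basics",
     "urls": ["https://acme.egnyte.com/fl/abc123"]},
    {"ts": "2024-06-10T08:01:04Z", "sender": "events@lure-example.net",
     "recipient": "b.user@example.org", "subject": "Webinar: Cloud Security Basics",
     "urls": ["https://acme.egnyte.com/fl/abc123"]},
    {"ts": "2024-06-10T08:01:09Z", "sender": "events@lure-example.net",
     "recipient": "c.user@example.org", "subject": "Online course invitation",
     "urls": ["https://acme.egnyte.com/fl/abc123"]},
    {"ts": "2024-06-10T08:01:15Z", "sender": "events@lure-example.net",
     "recipient": "D.User@example.org", "subject": "Online course invitation",
     "urls": ["https://acme.egnyte.com/fl/abc123"]},
    # Internal sender: never flagged, even though the subject mentions a course.
    {"ts": "2024-06-10T09:00:00Z", "sender": "hr@example.org",
     "recipient": "x@example.org", "subject": "Course catalogue",
     "urls": ["https://intranet.example.org/courses"]},
    # Legitimate one-off share from a partner: below the recipient threshold.
    {"ts": "2024-06-10T09:30:00Z", "sender": "vendor@partner-example.com",
     "recipient": "y@example.org", "subject": "Invoice 4471",
     "urls": ["https://partner.egnyte.com/fl/zzz999"]},
]


def host_of(url):
    """Lower-cased hostname of a URL, or '' if it cannot be parsed."""
    return (urlparse(url).hostname or "").lower()


def is_file_sharing(url):
    """True when the URL's host is, or is a subdomain of, a watched service."""
    host = host_of(url)
    return any(host == d or host.endswith("." + d) for d in FILE_SHARING_HOSTS)


def is_external(address):
    return not address.lower().endswith("@" + INTERNAL_DOMAIN)


def find_lure_campaigns(records, min_recipients=3):
    """Group external mails carrying file-sharing links by (sender, url) and
    return the groups that reached at least `min_recipients` distinct mailboxes.
    Each hit records whether any subject matched a generic lure theme."""
    buckets = defaultdict(lambda: {"recipients": set(), "subjects": set()})
    for rec in records:
        if not is_external(rec["sender"]):
            continue
        for url in rec["urls"]:
            if is_file_sharing(url):
                bucket = buckets[(rec["sender"], url)]
                bucket["recipients"].add(rec["recipient"].lower())
                bucket["subjects"].add(rec["subject"])

    hits = []
    for (sender, url), bucket in buckets.items():
        if len(bucket["recipients"]) < min_recipients:
            continue
        themed = any(k in s.lower() for s in bucket["subjects"] for k in LURE_KEYWORDS)
        hits.append({"sender": sender, "url": url, "host": host_of(url),
                     "recipients": len(bucket["recipients"]), "lure_theme": themed})
    return sorted(hits, key=lambda h: -h["recipients"])


if __name__ == "__main__":
    for hit in find_lure_campaigns(SAMPLE_LOG):
        print(hit)
```

The recipient threshold is the important knob: a single partner sharing one Egnyte link is normal business, while the same external sender and link landing in several mailboxes within minutes is the mass-mailing behaviour described above. Recipient addresses are lower-cased before counting so that case variants of one mailbox are not counted twice.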

A Complex Threat Landscape

MuddyWater may not be a single entity but rather an umbrella label covering several advanced persistent threat (APT) teams. The US Cybersecurity and Infrastructure Security Agency (CISA) describes the group as a collective of Iranian government-sponsored APT actors. Its methods include spear-phishing, exploiting known vulnerabilities, and using open-source tools to infiltrate sensitive networks.

While primarily focused on Israel and Saudi Arabia, MuddyWater has also targeted other nations, including India, Jordan, Portugal, Turkey, and Azerbaijan. The group's practice of passing stolen data and network access to the Iranian government, and sharing it with other malicious actors, underscores the significant threat it poses to organizations worldwide.


About Foresiet!

Foresiet is the pioneering force in digital security solutions, offering the first integrated Digital Risk Protection SaaS platform. With 24x7x365 dark web monitoring and proactive threat intelligence, Foresiet safeguards against data breaches and intellectual property theft. Our robust suite includes brand protection, takedown services, and supply chain assessment, enhancing your organization's defense mechanisms. Attack surface management is a key component of our approach, ensuring comprehensive protection across all vulnerable points. Compliance is assured through adherence to ISO27001, NIST, GDPR, PCI, SOX, HIPAA, SAMA, CITC, and Third Party regulations. Additionally, our advanced antiphishing shield provides unparalleled protection against malicious emails. Trust Foresiet to empower your organization to navigate the digital landscape securely and confidently.

Safeguard Your Reputation, Data, and Systems

Protect your brand, reputation, data, and systems with Foresiet's Integrated Digital Risk Platform. 24/7/365 threat monitoring for total peace of mind.
