Iranian Threat Group releases stealthy new backdoor tool: ‘BugSleep’

TLDR

  • MuddyWater, an Iranian cyber-espionage group, has developed a new backdoor implant called BugSleep.
  • The group has shifted from using legitimate remote-management tools to dropping a custom-made backdoor implant.

Iranian cyber-espionage group MuddyWater has transitioned from controlling infected systems with legitimate remote-management software to dropping a custom-made backdoor implant called BugSleep. Previously, the group targeted Internet-exposed servers or used spear-phishing tactics, ultimately installing remote-management platforms such as SimpleHelp or Atera. In June, however, MuddyWater began using a new attack chain in which a malicious PDF file hosted on Egnyte installs the BugSleep backdoor. Check Point Software has observed MuddyWater continuously improving BugSleep since May, introducing new features and bug fixes. The backdoor uses anti-analysis tactics and encryption, although it still contains bugs such as incorrectly applied encryption and unnecessary file creation and deletion. The ongoing changes to BugSleep suggest that the code is still under active development.

MuddyWater has been a significant threat actor in the Middle East since at least 2018, targeting government agencies and critical industries. The group is associated with the Iranian Ministry of Intelligence and Security and is tracked under various aliases. The complexity of the group’s phishing campaigns has decreased, with lures now built around generic themes such as webinars, which allows the group to increase the volume of its attacks. MuddyWater’s phishing campaigns are of medium sophistication but persistent and aggressive in targeting specific sectors. While the group primarily targets organizations in Israel and Saudi Arabia, it has also attacked other nations. The US Cybersecurity and Infrastructure Security Agency describes MuddyWater as a group of Iranian government-sponsored APT actors engaging in spear-phishing and exploiting vulnerabilities to gain access to sensitive networks.
