The Iranian nation-state actor known as MuddyWater has been observed using a never-before-seen backdoor as part of a recent attack campaign, shifting away from its well-known tactic of deploying legitimate remote monitoring and management (RMM) software for maintaining persistent access.
That’s according to independent findings from cybersecurity firms Check Point and Sekoia, which have codenamed the malware strain BugSleep and MuddyRot, respectively.
“Compared to previous campaigns, this time MuddyWater changed their infection chain and did not rely on the legitimate Atera remote monitoring and management tool (RRM) as a validator,” Sekoia said in a report shared with The Hacker News. “Instead, we observed that they used a new and undocumented implant.”
Some elements of the campaign were first shared by Israeli cybersecurity company ClearSky on June 9, 2024. Targets include countries like Turkey, Azerbaijan, Jordan, Saudi Arabia, Israel, and Portugal
MuddyWater (aka Boggy Serpens, Mango Sandstorm, and TA450) is a state-sponsored threat actor that’s assessed to be affiliated with Iran’s Ministry of Intelligence and Security (MOIS).
Cyber attacks mounted by the group have been fairly consistent, leveraging spear-phishing lures in email messages to deliver various RMM tools like Atera Agent, RemoteUtilities, ScreenConnect, SimpleHelp, and Syncro.
Earlier this April, HarfangLab said it noticed an uptick in MuddyWater campaigns delivering Atera Agent since late October 2023 to businesses across Israel, India, Algeria, Turkey, Italy, and Egypt. The sectors targeted include airlines, IT companies, telecoms, pharma, automotive manufacturing, logistics, travel, and tourism.
“MuddyWater places a high priority on gaining access to business email accounts as part of their ongoing attack campaigns,” the French cybersecurity firm noted at the time.
“These compromised accounts serve as valuable resources, enabling the group to enhance the credibility and effectiveness of their spear-phishing efforts, establish persistence within targeted organizations, and evade detection by blending in with legitimate network traffic.”
The latest attack chains are no different in that compromised email accounts belonging to legitimate companies are used to send spear-phishing messages that either contain a direct link or a PDF attachment pointing to an Egnyte subdomain, which has been previously abused by the threat actor to propagate Atera Agent.
BugSleep, aka MuddyRot, is an x64 implant developed in C that comes equipped with capabilities to download/upload arbitrary files to/from the compromised host, launch a reverse shell, and set up persistence. Communications with a command-and-control (C2) server take place over a raw TCP socket on port 443.
“The first message to be sent to the C2 is the victim host fingerprint, which is the combination of the hostname and the username joined by a slash,” Sekoia said. “If the victim received ‘-1,’ the program stops, otherwise the malware enters in an infinite loop to await new order from the C2.”
It’s currently not clear why MuddyWater has switched to using a bespoke implant, although it’s suspected that the increased monitoring of RMM tools by security vendors may have played a part.
“The increased activity of MuddyWater in the Middle East, particularly in Israel, highlights the persistent nature of these threat actors, who continue to operate against a wide variety of targets in the region,” Check Point said.
“Their consistent use of phishing campaigns, now incorporating a custom backdoor, BugSleep, marks a notable development in their techniques, tactics, and procedures (TTPs).”
