According to a recent report by Check Point Research (CPR), the Iranian threat group MuddyWater has significantly increased its activities against Israel and is deploying a new, previously undocumented backdoor campaign.
Key Findings:
- MuddyWater, affiliated with the Ministry of Intelligence and Security (MOIS), has increased its activities in Israel since the beginning of the Israel-Hamas war in October 2023, with parallel activities against targets in Saudi Arabia, Turkey, Azerbaijan, India, and Portugal.
- The threat actors use phishing campaigns sent from compromised organizational email accounts, leading to the deployment of legitimate remote management tools such as Atera Agent and ScreenConnect.
- MuddyWater campaigns have also led to the deployment of a new, previously undocumented tailor-made backdoor dubbed BugSleep, specifically targeting organizations in Israel.
- BugSleep is a backdoor designed to execute the threat actors’ commands and transfer files between the compromised machine and the C&C server, with continuous improvements and bug fixes.
Overview:
CPR has been tracking MuddyWater since 2019, and the group has significantly increased its activities in Israel since the beginning of the Israel-Hamas war in October 2023. In addition to their usual phishing campaigns, MuddyWater has begun deploying the new BugSleep backdoor, specifically targeting organizations in Israel.
Campaign Targets:
The campaigns target various sectors, including governments, travel agencies, journalists, and healthcare organizations. Most of the emails target Israeli companies, although others were aimed at organizations in Turkey, Saudi Arabia, India, and Portugal.
Notable Developments:
- The use of BugSleep marks a notable development in MuddyWater's tactics, techniques, and procedures (TTPs).
- The group has been using phishing campaigns sent from compromised email accounts, leading to the deployment of legitimate remote monitoring and management (RMM) tools such as Atera Agent and ScreenConnect.
- Since February 2024, CPR has identified over 50 spear-phishing emails targeting more than 10 sectors, including municipalities, journalists, and healthcare.
Conclusion:
The deployment of BugSleep by MuddyWater reflects a significant development in the group's TTPs, and organizations in Israel and the other targeted countries should be aware of this new threat. It is essential to remain vigilant and take the necessary measures to avoid falling victim to these phishing campaigns and backdoor deployments.
Source:
Check Point Research (CPR) – “MuddyWater Threat Group Deploys New BugSleep Backdoor”