The Iranian nation-state actor MuddyWater has been observed using a novel backdoor in a recent attack campaign, marking a departure from its usual method of deploying legitimate remote monitoring and management (RMM) software for persistent access. This shift has been reported by cybersecurity firms Check Point and Sekoia, who have named the new malware strain BugSleep and MuddyRot, respectively.
“Compared to previous campaigns, this time MuddyWater changed their infection chain and did not rely on the legitimate Atera remote monitoring and management tool (RMM) as a validator,” Sekoia stated in a report shared with The Hacker News. “Instead, we observed that they used a new and undocumented implant.”
Israeli cybersecurity company ClearSky first reported some elements of this campaign in June. The targets include countries such as Turkey, Azerbaijan, Jordan, Saudi Arabia, Israel, and Portugal.
MuddyWater, also known as Boggy Serpens, Mango Sandstorm, and TA450, is a state-sponsored threat actor affiliated with Iran’s Ministry of Intelligence and Security (MOIS). The group has consistently used spear-phishing lures in emails to deploy various RMM tools, including Atera Agent, RemoteUtilities, ScreenConnect, SimpleHelp, and Syncro.
In April, HarfangLab noted an increase in MuddyWater campaigns deploying Atera Agent since late October 2023, targeting businesses across Israel, India, Algeria, Turkey, Italy, and Egypt. The targeted sectors include airlines, IT companies, telecoms, pharmaceuticals, automotive manufacturing, logistics, travel, and tourism.
“MuddyWater places a high priority on gaining access to business email accounts as part of their ongoing attack campaigns,” the French cybersecurity firm stated. “These compromised accounts serve as valuable resources, enabling the group to enhance the credibility and effectiveness of their spear-phishing efforts, establish persistence within targeted organizations, and evade detection by blending in with legitimate network traffic.”
The latest attack chains continue this pattern, with compromised email accounts from legitimate companies sending spear-phishing messages that contain either a direct link or a PDF attachment pointing to an Egnyte subdomain, previously abused by the threat actor to propagate Atera Agent.
BugSleep, also known as MuddyRot, is an x64 implant developed in C with capabilities to download/upload arbitrary files to/from the compromised host, launch a reverse shell, and establish persistence. Communication with a command-and-control (C2) server occurs over a raw TCP socket on port 443.
“The first message sent to the C2 is the victim host fingerprint, which is the combination of the hostname and the username joined by a slash,” Sekoia reported. “If the victim received ‘-1,’ the program stops, otherwise the malware enters an infinite loop to await new orders from the C2.”
The reason for MuddyWater’s switch to a bespoke implant remains unclear, although increased monitoring of RMM tools by security vendors may have influenced this change.
“The increased activity of MuddyWater in the Middle East, particularly in Israel, highlights the persistent nature of these threat actors, who continue to operate against a wide variety of targets in the region,” Check Point noted. “Their consistent use of phishing campaigns, now incorporating a custom backdoor, BugSleep, marks a notable development in their techniques, tactics, and procedures (TTPs).”