Iranian Hackers Unleash New BugSleep Backdoor in Cyber Attacks Across the Middle East

New Malware Strain ‘BugSleep’ Identified in MuddyWater Attacks

The Iranian cyber espionage group known as MuddyWater has been linked to a new custom backdoor, dubbed ‘BugSleep’, marking a notable shift in its tooling. The group has long relied on legitimate remote monitoring and management (RMM) software to keep access to compromised systems; in its most recent campaign it has instead deployed a purpose-built implant.

The findings, disclosed independently by Check Point and Sekoia, show that MuddyWater has changed its infection chain, dropping the Atera RMM agent it previously favored in favor of a previously undocumented implant. Sekoia’s report describes the change as a potential escalation in tactics, with the group moving toward less recognizable and more tailored malware.

Recent operations have targeted organizations in Turkey, Azerbaijan, Jordan, Saudi Arabia, Israel, and Portugal. The lures arrive through spear-phishing sent from compromised business email accounts: because the mail originates from a genuine sender that the recipient may already know, it clears sender-reputation checks and looks like ordinary business correspondence rather than an attacker-owned domain.

MuddyWater, also tracked as Boggy Serpens and TA450, is assessed to operate under the direction of Iran’s Ministry of Intelligence and Security (MOIS). Its earlier campaigns consistently delivered a variety of RMM tools, using social engineering to compromise organizations in sectors ranging from telecommunications to logistics.

Cybersecurity firm HarfangLab reported a notable uptick in MuddyWater activity since late October 2023, with campaigns observed in Israel, India, Algeria, Turkey, Italy, and Egypt. These operations have heavily targeted the finance, technology, and transport sectors, consistent with the group’s practice of choosing targets that align with its strategic goals.

In the latest attack chains, the BugSleep implant opens a channel to its command-and-control (C2) server over a raw TCP socket on port 443. Using the HTTPS port makes the connection likely to be allowed out of most networks, even though the protocol carried over it is the implant’s own rather than a normal web session. Over that channel the operators can read and write files, spawn a reverse shell, and set up persistence, which is what keeps access alive after the initial compromise. The implant also collects a unique identifier from the host so the server can tell infected machines apart, and it keeps checking in with the C2 server until the connection is disrupted.
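The detection angle in that paragraph is that port 443 by itself proves nothing: a firewall that allows outbound 443 will also pass a raw-socket implant that merely borrowed the port. The following is an added example, not code from the article, Check Point, or Sekoia, and it does not reproduce BugSleep’s actual protocol. It assumes the implant’s traffic is not TLS and checks whether the first client payload of a port-443 session is a plausible TLS ClientHello; the `Flow` record layout and all byte samples are constructed for illustration.

```python
# Added example: flag port-443 TCP sessions whose first client payload is not a TLS
# ClientHello. Not BugSleep's protocol and not any vendor's detection logic; the
# Flow schema and the byte samples below are constructed for illustration.
from dataclasses import dataclass
from typing import List

TLS_HANDSHAKE = 0x16       # TLS record content type: handshake
TLS_CLIENT_HELLO = 0x01    # handshake message type: ClientHello
TLS_MAJOR = 0x03           # every SSL 3.0 / TLS 1.x record version begins with 0x03


@dataclass
class Flow:
    """One TCP session as a flow collector might summarise it (hypothetical schema)."""
    src: str
    dst: str
    dport: int
    first_client_bytes: bytes  # first payload the client sent after the TCP handshake


def looks_like_tls_client_hello(payload: bytes) -> bool:
    """Return True if the payload starts with a plausible TLS ClientHello record.

    Layout checked: record type 0x16, record version 0x03 0x00..0x04, a 2-byte record
    length, then handshake type 0x01 with a 3-byte length that fits inside the record.
    A ClientHello split across several records would be missed; treat that as a caveat.
    """
    if len(payload) < 9:
        return False
    ctype, vmaj, vmin = payload[0], payload[1], payload[2]
    rec_len = int.from_bytes(payload[3:5], "big")
    hs_type = payload[5]
    hs_len = int.from_bytes(payload[6:9], "big")
    if ctype != TLS_HANDSHAKE or vmaj != TLS_MAJOR or vmin > 0x04:
        return False
    if hs_type != TLS_CLIENT_HELLO:
        return False
    # Records carry at most 2^14 bytes of plaintext; the 4-byte handshake header
    # plus the handshake body must fit inside the record.
    return 0 < rec_len <= 2 ** 14 and hs_len + 4 <= rec_len


# Constructed samples (not captured traffic).
CLIENT_HELLO = (
    b"\x16\x03\x01\x00\xc4"      # record: handshake, legacy version 3.1, length 196
    + b"\x01\x00\x00\xc0"        # ClientHello, handshake length 192
    + b"\x03\x03" + bytes(32)    # client_version TLS 1.2, 32-byte random (zeros here)
)
PLAIN_HTTP = b"GET / HTTP/1.1\r\nHost: example.invalid\r\n\r\n"
CUSTOM_BINARY = b"\x01\x00\x00\x0c" + b"HOST-A1\x00user"  # made-up framing, not BugSleep's

SAMPLE_FLOWS = [
    Flow("10.0.0.5", "203.0.113.10", 443, CLIENT_HELLO),
    Flow("10.0.0.7", "203.0.113.20", 443, CUSTOM_BINARY),
    Flow("10.0.0.9", "203.0.113.30", 443, PLAIN_HTTP),
    Flow("10.0.0.9", "203.0.113.30", 80, PLAIN_HTTP),   # port 80 is out of scope here
]


def flag_non_tls_on_443(flows: List[Flow]) -> List[Flow]:
    """Return flows to port 443 whose first client bytes are not a TLS ClientHello."""
    return [
        f for f in flows
        if f.dport == 443 and not looks_like_tls_client_hello(f.first_client_bytes)
    ]


if __name__ == "__main__":
    for f in flag_non_tls_on_443(SAMPLE_FLOWS):
        print(f"non-TLS on 443: {f.src} -> {f.dst}  first bytes {f.first_client_bytes[:8]!r}")
```

Treat a hit as a hunting lead rather than a block rule: some VPN clients, SSH-over-443 setups and legacy appliances also speak non-TLS on that port, so the value of the check comes from correlating it with the host, the destination and any scheduled-task or file activity from the same endpoint.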

The move to bespoke malware looks like a direct response to the scrutiny RMM tools now receive from security vendors. As organizations tighten their defenses, a custom implant gives MuddyWater a way to evade the detections built around those tools and keep its operations quiet.

This change in tactics and tooling illustrates the adaptability to expect from state-sponsored actors. In MITRE ATT&CK terms, spear-phishing sent from compromised email accounts falls under Phishing (T1566) within the Initial Access tactic, and the backdoor’s built-in persistence mechanism maps to the Persistence tactic (TA0003); together they form the core of this campaign’s operational strategy.

Overall, the arrival of BugSleep in MuddyWater’s arsenal shows how quickly the threats facing organizations keep changing. Defenders in the affected regions and sectors should not assume that the group’s earlier reliance on RMM tools still holds: detection content built around Atera and similar agents needs to be complemented with coverage for this custom implant and its C2 traffic. The renewed activity across these regions underscores how persistent these actors are in pursuing a broad but deliberately chosen set of targets.
