MuddyWater Utilizes Game Delay Tactic for Malware Deployment
Recent analyses by cybersecurity researchers reveal that Iranian state-sponsored hackers have adopted a unique method to hide malware, drawing parallels with the classic mobile game Snake. These findings indicate that hackers have been using malware disguised as the game to execute cyberattacks while evading detection.
Described by Eset, the technique introduces execution delays similar to those experienced by players in the game. The malware dropper employed by the group known as MuddyWater incorporates these delays deliberately to thwart antivirus programs that typically scan for quick, malicious actions.
This evolution in tactics signifies a growing sophistication within MuddyWater, which U.S. intelligence agencies have attributed to Iran’s Ministry of Intelligence and Security. The collective’s cyber espionage endeavors, which have been identified since at least 2017, include operations under various aliases such as Earth Vetala and Mango Sandstorm. Their activities have markedly intensified over the past year, targeting a range of sectors.
According to Eset’s observations, the latest wave of attacks reportedly targeted telecommunications, governmental entities, and the oil and energy sectors in Israel and Egypt. Researchers speculate that MuddyWater may be functioning as an initial access broker for other Iranian hacking groups, as evidenced by significant overlaps in operational methodologies.
MuddyWater’s hacking strategies often include delivering phishing emails that feature PDF attachments, directing users to remote management tools hosted on free file-sharing platforms. While the tools in their arsenal have evolved, the consistent use of these tactics renders their activities detectable, which stands as a positive for cybersecurity defenses.
A specific loader, identified as “Fooder,” mimicked the Snake game while utilizing the same delay strategy to obscure its functionality. This loader facilitated the deployment of a previously undocumented malware referred to as “MuddyViper,” designed for memory execution, which potentially accounts for its lack of obfuscation.
This malware establishes persistence through installation in the Windows Startup folder or via a scheduled task that activates the backdoor after system reboots. In addition, MuddyWater has employed credential theft tools termed CE-Notes and LP-Notes, with the latter capable of misleading users through a counterfeit Windows Security dialog.
To maintain stealth, the hackers utilized a reverse SOCKS5 tunnel linked to a proxy machine, effectively concealing their command and control server’s location. Eset has noted that these game-inspired evasion methods, coupled with a diverse toolkit, indicate an increasingly refined approach, even as some remnants of operational immaturity persist.
These tactics align with the MITRE ATT&CK Framework’s tactics of initial access and persistence, providing key insights into the methodologies employed by MuddyWater. As businesses navigate the complexities of cybersecurity risks, awareness of such evolving techniques becomes essential for fortified defenses against potential threats.
