An Iranian cyber-espionage group known as MuddyWater has recently made a significant change in its tactics, moving away from using legitimate remote-management software to control infected systems and instead implementing a custom-made backdoor implant. This shift in strategy was noted by security researchers from Sekoia and Check Point Software.
Previously, MuddyWater gained initial access either by exploiting Internet-exposed servers or through spear phishing, and the intrusion ultimately led to the installation of legitimate remote-management platforms such as SimpleHelp or Atera. In June, however, the group switched to a new attack chain: malicious PDF files containing embedded links that direct users to a file hosted on the Egnyte file-sharing service. That file then installs the new backdoor, which Sekoia has named MuddyRot.
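The chain above starts with a PDF whose embedded link points at a file on a legitimate sharing service, so one cheap triage check for inbound attachments is to pull every /URI action out of the PDF and flag targets on file-sharing hosts. The Python script below is an added example written for this article, not code from Sekoia, Check Point or MuddyWater's tooling; the PDF bytes are constructed, and the domains listed beyond egnyte.com are an assumed starting list to tune to your own environment.

```python
import re
from urllib.parse import urlparse

# Constructed sample (not a real lure): a minimal PDF fragment with three
# /URI link annotations, two of them pointing at Egnyte-hosted files.
# One target is written as a PDF hex string to exercise that branch.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
3 0 obj << /Type /Annot /Subtype /Link /Rect [72 700 300 720]
  /A << /S /URI /URI (https://example.org/webinar-agenda) >> >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [72 650 300 670]
  /A << /S /URI /URI (https://example.egnyte.com/fl/abc123) >> >> endobj
5 0 obj << /Type /Annot /Subtype /Link /Rect [72 600 300 620]
  /A << /S /URI /URI <68747470733a2f2f6d656469612e65676e7974652e636f6d2f78> >> >> endobj
%%EOF
"""

# egnyte.com is the service named in the article; the others are assumed
# additions and should be adjusted to what your organisation sees abused.
FILE_SHARING_SUFFIXES = ("egnyte.com", "dropbox.com", "wetransfer.com")

# A /URI value is either a literal string "( ... )" (backslash escapes
# allowed, nested parentheses not handled in this simplified grammar)
# or a hex string "< ... >".
URI_PATTERN = re.compile(
    rb"/URI\s*(?:\(((?:[^()\\]|\\.)*)\)|<([0-9A-Fa-f\s]*)>)"
)


def _decode_literal(raw: bytes) -> bytes:
    """Undo PDF literal-string backslash escapes (parentheses, backslash)."""
    return re.sub(rb"\\(.)", rb"\1", raw)


def _decode_hex(raw: bytes) -> bytes:
    """Decode a PDF hex string; whitespace is ignored, odd trailing digit padded with 0."""
    digits = re.sub(rb"\s+", b"", raw)
    if len(digits) % 2:
        digits += b"0"
    return bytes.fromhex(digits.decode("ascii"))


def extract_uris(pdf: bytes) -> list[str]:
    """Return every /URI target found in the raw PDF bytes, in document order."""
    uris = []
    for m in URI_PATTERN.finditer(pdf):
        literal, hexstr = m.group(1), m.group(2)
        value = _decode_literal(literal) if literal is not None else _decode_hex(hexstr)
        uris.append(value.decode("latin-1"))
    return uris


def host_matches(host: str, suffixes=FILE_SHARING_SUFFIXES) -> bool:
    """True if host is one of the suffix domains or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in suffixes)


def flag_links(pdf: bytes, suffixes=FILE_SHARING_SUFFIXES) -> list[dict]:
    """Classify each embedded link; a file-sharing host is the triage signal."""
    findings = []
    for uri in extract_uris(pdf):
        parsed = urlparse(uri)
        host = parsed.hostname or ""
        findings.append({
            "uri": uri,
            "host": host,
            "file_sharing": host_matches(host, suffixes),
            # A link annotation with a non-http(s) scheme deserves a look too
            "odd_scheme": parsed.scheme not in ("http", "https"),
        })
    return findings


if __name__ == "__main__":
    for f in flag_links(SAMPLE_PDF):
        marker = "SUSPECT" if f["file_sharing"] or f["odd_scheme"] else "ok     "
        print(f"{marker} {f['host']:<24} {f['uri']}")
```

This scans raw bytes only, so it misses link annotations stored inside compressed object streams; on real samples, first decompress with a tool such as qpdf's QDF mode, or run the same check over the annotations a proper PDF parser yields. A hit is a triage cue, not a verdict: the article's own point is that attackers pick these services precisely because legitimate users link to them constantly.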
Check Point Software has identified this new backdoor implant as BugSleep, which MuddyWater has been using since May. According to Sergey Shykevich, the threat intelligence group manager at Check Point Software, MuddyWater has been actively improving BugSleep by adding new features and fixing bugs. However, in the rush to make this transition, the group may have released an incomplete version of the malware.
The MuddyWater threat group, which is believed to be part of the Iranian Ministry of Intelligence and Security (MOIS), has been conducting malicious cyber attacks since at least 2018. Various government agencies and critical industries have been targeted by MuddyWater, as detailed in a 2022 advisory published jointly by US and UK government agencies. The group has also been referred to by other cybersecurity firms as Earth Vetala, MERCURY, Static Kitten, Seedworm, and TEMP.Zagros.
The BugSleep backdoor employs common anti-analysis techniques: it delays its own execution, a routine sandbox-evasion trick, and encrypts its strings to hinder static analysis. Check Point found flaws in the encryption implementation, along with other bugs in the code, that indicate it is still under development. Custom implants are not new for MuddyWater; before the group leaned on legitimate remote management software, it relied on its own backdoors, such as POWERSTATS, written in PowerShell.
Why the group went back to a homemade implant for the initial infection stage, in at least one campaign, is not known. One plausible factor is increased monitoring of remote management tools by security vendors. The use of file-sharing services such as Egnyte to host malicious documents has also become more common among attackers, since a link to a legitimate service draws less suspicion from users and URL-filtering controls than a raw download URL.
The phishing campaigns conducted by MuddyWater have become more streamlined, focusing on generic themes such as webinars and online courses to send out a higher volume of attacks. Check Point Software describes their sophistication level as medium, but notes that they are highly persistent and aggressive in their targeting of specific sectors or organizations.
While MuddyWater is often identified as a single threat group, some researchers have described it as an “umbrella of APT groups.” The range of tactics employed by MuddyWater includes spear phishing, exploiting known vulnerabilities, and using open-source tools to gain access to sensitive networks. The group primarily targets organizations in Israel and Saudi Arabia but has also conducted attacks in other countries such as India, Jordan, Portugal, Turkey, and Azerbaijan.
In conclusion, MuddyWater’s shift towards using a custom-made backdoor implant and their ongoing development of malware indicates a willingness to adapt their tactics in response to increased scrutiny and monitoring by security researchers and vendors. Their continued focus on conducting cyber attacks in the Middle East and beyond underscores the persistent threat posed by this Iranian cyber-espionage group.
