July 16, 2024 at 08:09PM
MuddyWater, an Iranian government-linked cyber espionage group, has enhanced its malware with a custom backdoor, targeting Israeli organizations. Utilizing phishing lures, the group sends emails with malicious links, infecting victim devices with BugSleep malware. The evolving tactics and wider targeting pose challenges for detection and increase the group’s potential impact.
MuddyWater, an Iranian government-backed cyber espionage group, has recently upgraded its malware with a custom backdoor dubbed BugSleep. The group has shifted from an apparent anti-Israel campaign following the Hamas-led October 7 attacks in 2023 to phishing campaigns that target Israeli organizations and beyond.
The phishing lures use invitations to webinars and online classes and are typically sent from compromised organizational email accounts. Once users click on the phishing link, they are directed to a subdomain of the legitimate file-sharing and collaboration platform Egnyte.com, where they see the name of a legitimate company or person, adding credibility to the scam. In some instances, the displayed name of the sender was associated with prominent figures like Khaled Mashal, the former head of Hamas. The emails also include links to a non-existent municipal app supposedly designed to automate tasks, enhance efficiency, and ensure maximum safety in operations; clicking on the link instead leads to the installation of the BugSleep backdoor.
This new malware partially replaces MuddyWater’s use of legitimate remote monitoring and management tools and is designed to evade detection by endpoint detection tools. The malware creates several different scheduled tasks on infected devices and includes methods to help it evade detection. The shift towards more generic lures will likely result in higher-volume attacks, raising concerns about the possibility of increased impact.