July 15, 2024 at 02:24PM
The Iranian-backed MuddyWater hacking group has developed a new custom malware called BugSleep. Analysts at Check Point Research discovered the malware being distributed via well-crafted phishing lures. This new backdoor, still under active development and only partially rolled out, signals a shift from the group’s previous tactics. MuddyWater’s cyber-espionage campaigns target a range of industries worldwide.
Key takeaways from the report:
1. The Iranian-backed MuddyWater hacking group has partially shifted to a new custom-tailored malware named BugSleep, which is actively being developed and distributed through well-crafted phishing lures targeting a wide range of organizations globally.
2. The campaign pushes the malware via phishing emails disguised as invitations to webinars or online courses, and the malicious payloads are hosted on the Egnyte secure file-sharing platform.
3. BugSleep comes with a custom malware loader designed to inject it into the active processes of various applications, including Microsoft Edge, Google Chrome, AnyDesk, Microsoft OneDrive, PowerShell, and Opera.
4. MuddyWater has switched from using legitimate remote monitoring and management (RMM) tools to maintain access to victims’ networks to the new BugSleep malware.
5. The MuddyWater group, also tracked as Earth Vetala, MERCURY, Static Kitten, and Seedworm, has been active since 2017 and is known for targeting a wide range of sectors, including telecommunications, government and IT services, and oil-industry organizations, with a focus on Middle Eastern and Israeli targets.
6. In January 2022, U.S. Cyber Command officially linked MuddyWater to Iran’s Ministry of Intelligence and Security (MOIS), the country’s leading government intelligence agency.
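The two behaviours above that a defender can look for directly are the loader injecting into the named applications (item 3) and lure emails whose payload link points at an Egnyte share (item 2). The script below is an added example, not code from the article or from Check Point Research: it scans constructed, Sysmon-style endpoint events and constructed email-gateway lines for those two patterns. Every hostname, path, field name and the `ALLOWED_INJECTORS` list are assumptions made for illustration; a real deployment would take the expected-injector list from local policy.

```python
"""Added example (not from the original article or Check Point's report):
triage of constructed endpoint and mail-gateway telemetry for the two
behaviours the summary describes.  All log lines, field names, hostnames
and the allow-list below are constructed for illustration."""
import json
import re
from typing import Optional

# Applications the article names as injection targets for the BugSleep loader.
INJECTION_TARGETS = {
    "msedge.exe", "chrome.exe", "anydesk.exe", "onedrive.exe",
    "powershell.exe", "opera.exe",
}

# Assumption: processes that local policy expects to open these targets with
# thread-creation or memory-write rights (constructed names).
ALLOWED_INJECTORS = {"csrss.exe", "edr_agent.exe"}

# Lure themes the article reports (webinar / online-course invitations) and
# payload links hosted on the Egnyte file-sharing platform.
LURE_WORDS = re.compile(r"\b(webinar|online course|training session)\b", re.I)
EGNYTE_LINK = re.compile(r"https?://[\w.-]*egnyte\.com/\S+", re.I)


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path ('C:\\x\\chrome.exe' -> 'chrome.exe')."""
    return path.rsplit("\\", 1)[-1].lower()


def flag_injection(event: dict) -> Optional[dict]:
    """Return a finding when a remote-thread / process-access event targets one
    of the listed applications from a source process outside the allow-list."""
    if event.get("type") not in ("CreateRemoteThread", "ProcessAccess"):
        return None
    src = _basename(event.get("source_image", ""))
    dst = _basename(event.get("target_image", ""))
    if dst in INJECTION_TARGETS and src not in ALLOWED_INJECTORS:
        return {"host": event.get("host"), "rule": "injection_into_target_app",
                "source": src, "target": dst}
    return None


def flag_email(line: str) -> Optional[dict]:
    """Return a finding when a gateway line carries both a lure theme and an
    Egnyte link; either alone is too common to alert on."""
    link = EGNYTE_LINK.search(line)
    if link and LURE_WORDS.search(line):
        return {"rule": "egnyte_lure_link", "url": link.group(0)}
    return None


def triage(endpoint_events, mail_lines):
    """Run both checks and return the list of findings in input order."""
    findings = []
    for raw in endpoint_events:
        f = flag_injection(json.loads(raw))
        if f:
            findings.append(f)
    for line in mail_lines:
        f = flag_email(line)
        if f:
            findings.append(f)
    return findings


# Constructed sample telemetry (not real IoCs).
SAMPLE_EVENTS = [
    json.dumps({"host": "ws01", "type": "CreateRemoteThread",
                "source_image": r"C:\Users\u\AppData\Local\Temp\setup.exe",
                "target_image": r"C:\Program Files\Google\Chrome\Application\chrome.exe"}),
    json.dumps({"host": "ws01", "type": "ProcessAccess",
                "source_image": r"C:\Windows\System32\csrss.exe",
                "target_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"}),
    json.dumps({"host": "ws02", "type": "ProcessCreate",
                "source_image": r"C:\Windows\explorer.exe",
                "target_image": r"C:\Program Files\AnyDesk\AnyDesk.exe"}),
]
SAMPLE_MAIL = [
    'from=<x@example.test> subject="Invitation: security webinar" url=https://files.egnyte.com/dl/AbCdEf',
    'from=<y@example.test> subject="Invoice 1234" url=https://files.egnyte.com/dl/ZzZz',
    'from=<z@example.test> subject="Online course enrolment" url=https://example.test/course',
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS, SAMPLE_MAIL):
        print(finding)
```

On the sample data only the first endpoint event (an unsigned-looking binary in a Temp directory opening a thread in Chrome) and the first mail line (webinar lure plus Egnyte link) are flagged; the allow-listed `csrss.exe` access, the plain process creation, the invoice with an Egnyte link and the course mail without one are all left alone, which is the point of requiring both conditions before alerting.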
It’s important to keep abreast of these developments to ensure appropriate measures are taken to protect against potential cyber threats.