July 16, 2024 at 06:19AM
Iranian threat actor MuddyWater has been using a new backdoor, diverging from its usual method of using legitimate remote monitoring and management (RMM) software. This was discovered by cybersecurity firms Check Point and Sekoia, who dubbed the malware BugSleep and MuddyRot. The attacks have targeted various countries and industries, with a shift towards bespoke implants possibly due to increased RMM tool monitoring.
The key takeaways are:
1. MuddyWater, an Iranian nation-state actor, is observed to have shifted from using legitimate remote monitoring and management (RMM) software to a never-before-seen backdoor known as BugSleep as part of their recent attack campaign.
2. Cybersecurity firms, including Check Point and Sekoia, have independently discovered and named the new malware strain BugSleep and MuddyRot, respectively.
3. The campaign targets countries such as Turkey, Azerbaijan, Jordan, Saudi Arabia, Israel, and Portugal.
4. MuddyWater, also known as Boggy Serpens, Mango Sandstorm, and TA450, is linked to Iran’s Ministry of Intelligence and Security (MOIS).
5. This threat actor has been consistently using spear-phishing lures to deliver various RMM tools and has recently focused on gaining access to business email accounts.
6. The latest attack chains involve compromised email accounts from legitimate companies being used to send spear-phishing messages containing direct links or PDF attachments pointing to an Egnyte subdomain.
7. BugSleep is an x64 implant developed in C with capabilities for file download/upload, launching a reverse shell, and setting up persistence, communicating with a command-and-control (C2) server over a raw TCP socket on port 443.
8. MuddyWater’s shift to using a bespoke implant is suspected to be influenced by increased monitoring of RMM tools by security vendors.
9. The increased activity of MuddyWater in the Middle East, particularly in Israel, is highlighted, indicating the persistent nature of the threat actors and their evolving techniques, tactics, and procedures.
These takeaways provide a comprehensive understanding of the recent developments and activities related to MuddyWater’s attack campaign.
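Added example, not code from Check Point, Sekoia or the article: a small Python check a defender could run over connection records to flag flows to port 443 whose first client bytes are not a TLS ClientHello, the kind of raw-TCP-on-443 channel item 7 describes. The `Flow` record type and all sample flows are constructed for illustration.

```python
"""Flag TCP flows to port 443 whose first client bytes are not a TLS ClientHello.

Constructed detection helper; the flow records below are made-up samples,
not traffic captured from the campaign described above.
"""
from dataclasses import dataclass

TLS_HANDSHAKE = 0x16       # TLS record content type: handshake
TLS_CLIENT_HELLO = 0x01    # handshake message type: ClientHello
TLS_VERSIONS = {0x0300, 0x0301, 0x0302, 0x0303, 0x0304}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    first_bytes: bytes  # first client-to-server bytes of the connection


def classify_first_bytes(data: bytes) -> str:
    """Return 'tls-client-hello', 'tls-other' or 'non-tls' for a flow's opening bytes."""
    if len(data) < 6:                      # too short to hold a record header + msg type
        return "non-tls"
    record_type = data[0]
    version = int.from_bytes(data[1:3], "big")
    if record_type == TLS_HANDSHAKE and version in TLS_VERSIONS:
        return "tls-client-hello" if data[5] == TLS_CLIENT_HELLO else "tls-other"
    if version in TLS_VERSIONS and record_type in (0x14, 0x15, 0x17):
        return "tls-other"                 # change_cipher_spec, alert or app data
    return "non-tls"


def suspicious_443_flows(flows):
    """Flows to 443 that do not open with TLS: candidates for a raw-socket C2 channel."""
    return [f for f in flows
            if f.dport == 443 and classify_first_bytes(f.first_bytes) == "non-tls"]


# Constructed samples: a real-looking ClientHello record header, plaintext HTTP on 443,
# an opaque custom frame on 443, plaintext on 8080 (ignored) and a TLS alert on 443.
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "203.0.113.10", 443, bytes.fromhex("16030101200100011c0303")),
    Flow("10.0.0.5", "203.0.113.20", 443, b"GET / HTTP/1.1\r\nHost: 203.0.113.20\r\n\r\n"),
    Flow("10.0.0.7", "203.0.113.30", 443, bytes.fromhex("0a00000801020304")),
    Flow("10.0.0.7", "203.0.113.40", 8080, b"GET / HTTP/1.1\r\n\r\n"),
    Flow("10.0.0.9", "203.0.113.50", 443, bytes.fromhex("15030300020228")),
]

if __name__ == "__main__":
    for flow in suspicious_443_flows(SAMPLE_FLOWS):
        print(f"non-TLS traffic to 443: {flow.src} -> {flow.dst} {flow.first_bytes[:8]!r}")
```

Real flow records would come from a capture or NetFlow-with-payload export (an assumption about the deployment, not something the article covers); the check is a first-bytes heuristic, so legitimate non-TLS services on 443 need allow-listing.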