Iran's MuddyWater phishes Israeli orgs with custom BugSleep backdoor

MuddyWater, an Iranian government-backed cyber espionage crew, has upgraded its malware with a custom backdoor, which it's used to target Israeli organizations.

The gang has been linked to Iran's Ministry of Intelligence and Security (MOIS), which the US sanctioned in 2022 in response to its attacks against Albania and other "cyber-enabled activities against the United States and its allies."

MuddyWater joined an apparent anti-Israel campaign that involved several Iranian groups after the Hamas-led October 7 attacks in 2023. It's since moved on to phishing campaigns that deploy a new backdoor – dubbed BugSleep – according to Check Point Research.

The gang's phishing lures have lately used invitations to attend webinars and online classes. Since February, Check Point has documented more than 50 such mails sent to hundreds of individuals across ten sectors of the Israeli economy.

"Among those are notable phishing campaigns aimed at Israeli municipalities as well as a broader group of airlines, travel agencies, and journalists," Check Point's threat intel team wrote in a report on Monday.

The mails were typically sent from compromised organizational email accounts, which helps trick users into opening them. And while the majority targeted Israel businesses, others were sent to companies in Turkey, Saudi Arabia, India and Portugal.

The emails include a link that leads to a subdomain of the legitimate file-sharing and collaboration platform Egnyte.com. Once users click on the phishing link they see the name of a legitimate company or person, which lends credibility to the scam.

"In a link sent to a transportation company in Saudi Arabia, the displayed name of the owner was Khaled Mashal, the former head of Hamas and one of its prominent leaders," Check Point Research wrote.

• Microsoft: Iran's cybercrews got stuck into Israel days after Hamas attacked – not in tandem
• Uncle Sam sanctions Iran's intel agency over Albanian cyberattack
• DarkGate, the Swiss Army knife of malware, sees boom after rival Qbot crushed
• China's APT41 crew adds a stealthy malware loader and fresh backdoor to its toolbox

In the attacks targeting Israeli municipalities, the emails promoted a non-existent municipal app "designed to automate tasks, enhance efficiency, and ensure maximum safety in operations."

Clicking on the link, however, doesn't download an app. Instead, it drops BugSleep on the victim's machine.

This new, bespoke malware "partially replaces" MuddyWater's use of legitimate remote monitoring and management tools. "We discovered several versions of the malware being distributed, with differences between each version showing improvements and bug fixes (and sometimes creating new bugs)," Check Point suggested. This tactic also makes it harder for security software to pick up signatures of the attack code.

The threat hunters further analyzed the malware, and described it thus:

The samples Check Point analyzed created several different scheduled tasks, triggered every 30 minutes, which also ensure persistence on the infected device.

These include sending stolen filed to the control-and-command server, writing content into a file, deleting tasks and creating new ones, and updating the sleep time and timeout value.

One of the samples analyzed includes methods to help the malware evade detection by endpoint detection tools:

Another version of the malware also include a custom shellcode loader.

And while the crew continues to focus on specific sectors in its malware campaigns, this move away from customized lures to more generic ones will also make it easier for the cyber spies to focus on higher-volume attacks, Check Point warned. ®