Iran's MuddyWater phishes Israeli orgs with custom BugSleep backdoor

India and Turkey are also being targeted by a campaign that relies on compromised corporate email accounts

MuddyWater, an Iranian government-backed cyber espionage crew, has upgraded its malware with a custom backdoor, which it's used to target Israeli organizations.

The gang has been linked to Iran's Ministry of Intelligence and Security (MOIS), which the US sanctioned in 2022 in response to its attacks against Albania and other "cyber-enabled activities against the United States and its allies."

MuddyWater joined an apparent anti-Israel campaign that involved several Iranian groups after the Hamas-led October 7 attacks in 2023. It's since moved on to phishing campaigns that deploy a new backdoor – dubbed BugSleep – according to Check Point Research.

The gang's phishing lures have lately used invitations to attend webinars and online classes. Since February, Check Point has documented more than 50 such mails sent to hundreds of individuals across ten sectors of the Israeli economy.

"Among those are notable phishing campaigns aimed at Israeli municipalities as well as a broader group of airlines, travel agencies, and journalists," Check Point's threat intel team wrote in a report on Monday.

The mails were typically sent from compromised organizational email accounts, which makes recipients more likely to open them. And while the majority targeted Israeli organizations, others were sent to companies in Turkey, Saudi Arabia, India and Portugal.

The emails include a link that leads to a subdomain of the legitimate file-sharing and collaboration platform Egnyte.com. Once users click on the phishing link they see the name of a legitimate company or person, which lends credibility to the scam.

"In a link sent to a transportation company in Saudi Arabia, the displayed name of the owner was Khaled Mashal, the former head of Hamas and one of its prominent leaders," Check Point Research wrote.

In the attacks targeting Israeli municipalities, the emails promoted a non-existent municipal app "designed to automate tasks, enhance efficiency, and ensure maximum safety in operations."

Clicking on the link, however, doesn't download an app. Instead, it drops BugSleep on the victim's machine.

This new, bespoke malware "partially replaces" MuddyWater's use of legitimate remote monitoring and management tools. "We discovered several versions of the malware being distributed, with differences between each version showing improvements and bug fixes (and sometimes creating new bugs)," Check Point wrote. Frequent rebuilds also mean that signatures tuned to one version may miss the next.

The threat hunters further analyzed the malware, and described it thus:

BugSleep's main logic is similar in all versions, starting with many calls to the Sleep API to evade sandboxes, and then it loads the APIs it needs to run properly. It then creates a mutex (we observed "PackageManager" and "DocumentUpdater" in our samples) and decrypts its configuration, which includes the C&C IP address and port. All the configurations and strings are encrypted in the same way, where every byte is subtracted by the same hardcoded value.

The samples Check Point analyzed also created several scheduled tasks, triggered every 30 minutes, to persist on the infected device.

The backdoor's supported operations include uploading stolen files to the command-and-control server, writing content into a file, deleting tasks and creating new ones, and updating its sleep time and timeout value.
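Persistence through a scheduled task that fires every 30 minutes is a hunting opportunity: Task Scheduler stores each task as XML under `C:\Windows\System32\Tasks`, and a short repetition interval combined with an executable in a user-writable directory is rare for legitimate software. The following is an added example written for this page, not a Check Point or vendor rule; the two task definitions, their names and paths are constructed, and the "user-writable" prefix list is an assumed heuristic to tune for your environment.

```python
"""Hunt Task Scheduler XML for fast-repeating tasks that run from user-writable paths.

Added example for this article. SAMPLE_TASKS is constructed; the task names and
paths are hypothetical and are not the names used by BugSleep.
"""
import re
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"  # Task Scheduler schema

# Assumed heuristic: directories an ordinary scheduled task binary should not live in.
USER_WRITABLE_PREFIXES = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\",
                          "%appdata%", "%localappdata%", "%temp%")

TASK_TEMPLATE = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><TimeTrigger>
    <StartBoundary>2024-02-01T09:00:00</StartBoundary>
    <Repetition><Interval>{interval}</Interval><StopAtDurationEnd>false</StopAtDurationEnd></Repetition>
    <Enabled>true</Enabled>
  </TimeTrigger></Triggers>
  <Actions Context="Author"><Exec><Command>{command}</Command></Exec></Actions>
</Task>"""

# Constructed sample: one benign daily task, one 30-minute task from a roaming profile.
SAMPLE_TASKS = {
    "\\Microsoft\\Windows\\Example\\Benign": TASK_TEMPLATE.format(
        interval="P1D", command=r"C:\Windows\System32\cmd.exe"),
    "\\Updater": TASK_TEMPLATE.format(
        interval="PT30M", command=r"C:\Users\alice\AppData\Roaming\updater.exe"),
}


def iso_duration_minutes(text: str) -> Optional[float]:
    """Convert a Task Scheduler ISO 8601 duration (PT30M, PT1H30M, P1D) to minutes."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", text.strip())
    if not m:
        return None
    d, h, mi, s = (int(x) if x else 0 for x in m.groups())
    return d * 1440 + h * 60 + mi + s / 60


def analyse_task(name: str, xml_text, max_interval_min: float = 30) -> Optional[Dict]:
    """Return a finding when the task repeats at least every max_interval_min minutes
    AND one of its Exec commands lives under a user-writable prefix; otherwise None."""
    root = ET.fromstring(xml_text)  # accepts str or the raw UTF-16 bytes of a real task file
    intervals = [iso_duration_minutes(e.text or "") for e in root.iter(NS + "Interval")]
    fast = [i for i in intervals if i is not None and i <= max_interval_min]
    commands = [(e.text or "").strip() for e in root.iter(NS + "Command")]
    suspicious = [c for c in commands
                  if any(p in c.lower() for p in USER_WRITABLE_PREFIXES)]
    if fast and suspicious:
        return {"task": name, "interval_min": min(fast), "commands": suspicious}
    return None


def hunt(tasks: Dict[str, object]) -> List[Dict]:
    """Run analyse_task over a {task name: xml} mapping and collect findings."""
    return [f for name, xml_text in tasks.items() if (f := analyse_task(name, xml_text))]


if __name__ == "__main__":
    for finding in hunt(SAMPLE_TASKS):
        print(finding)
```

On a live host, read each file under `C:\Windows\System32\Tasks` in binary mode and pass the bytes straight to `analyse_task`; the files are UTF-16 with an XML declaration, and letting the parser see the raw bytes avoids encoding mismatches. The interval threshold and prefix list are the knobs to tune, since some legitimate updaters also poll frequently.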

One of the samples analyzed includes methods to help the malware evade detection by endpoint detection tools:

First, the malware enables the MicrosoftSignedOnly flag of the ProcessSignaturePolicy structure to prevent the process from loading images that are not signed by Microsoft. This prevents other processes from injecting DLLs into the process.

Next, it enables the ProhibitDynamicCode flag of the ProcessDynamicCodePolicy structure to prevent the process from generating dynamic code or modifying existing executable code. Enabling ProcessDynamicCodePolicy may be useful for protecting it from EDR solutions that hook userland API functions to inspect programs' intents.
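Both flags described above are set through `SetProcessMitigationPolicy` and can be read back from outside the process with `GetProcessMitigationPolicy`, which makes them a useful triage signal: a process that is not itself Microsoft-signed yet has `MicrosoftSignedOnly` on, or an ordinary user-mode binary with `ProhibitDynamicCode` on, is worth a closer look. The following is an added example written for this page, not Check Point's or the malware's code. The bit layouts and enum values come from `winnt.h`; the `query_process` function only works on Windows, while the decoding logic runs anywhere, and the flag values fed to it in the usage are constructed.

```python
"""Decode and query the two process mitigation policies the sample self-applies.

Added example for this article. Enum values and bit positions are from winnt.h;
query_process() needs Windows, decode_flags()/classify() are pure Python.
"""
import sys
from typing import Dict

# PROCESS_MITIGATION_POLICY enum members (winnt.h)
ProcessDynamicCodePolicy = 2
ProcessSignaturePolicy = 8

# Bit positions inside the DWORD 'Flags' union member of each policy struct
SIGNATURE_FLAG_BITS = {
    "MicrosoftSignedOnly": 0, "StoreSignedOnly": 1, "MitigationOptIn": 2,
    "AuditMicrosoftSignedOnly": 3, "AuditStoreSignedOnly": 4,
}
DYNAMIC_CODE_FLAG_BITS = {
    "ProhibitDynamicCode": 0, "AllowThreadOptOut": 1,
    "AllowRemoteDowngrade": 2, "AuditProhibitDynamicCode": 3,
}


def decode_flags(flags: int, layout: Dict[str, int]) -> Dict[str, bool]:
    """Expand a policy's Flags DWORD into named booleans."""
    return {name: bool((flags >> bit) & 1) for name, bit in layout.items()}


def classify(sig_flags: int, dyn_flags: int) -> Dict[str, bool]:
    """Summarise what the two policies mean for an EDR trying to get into the process."""
    sig = decode_flags(sig_flags, SIGNATURE_FLAG_BITS)
    dyn = decode_flags(dyn_flags, DYNAMIC_CODE_FLAG_BITS)
    return {
        # Only Microsoft-signed images may be mapped, so an unsigned EDR DLL cannot be injected
        "blocks_unsigned_dll_load": sig["MicrosoftSignedOnly"] and not sig["AuditMicrosoftSignedOnly"],
        # No new executable memory and no rewriting of existing code, which userland hooks need
        "blocks_dynamic_code": dyn["ProhibitDynamicCode"] and not dyn["AuditProhibitDynamicCode"],
        # Either policy in audit mode means events are logged but nothing is enforced
        "audit_only": sig["AuditMicrosoftSignedOnly"] or dyn["AuditProhibitDynamicCode"],
    }


def query_process(pid: int) -> Dict[str, Dict[str, bool]]:
    """Windows only: read both policies of a running process via GetProcessMitigationPolicy."""
    if sys.platform != "win32":
        raise OSError("GetProcessMitigationPolicy is a Windows API")
    import ctypes
    from ctypes import wintypes
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.OpenProcess.restype = wintypes.HANDLE
    k32.OpenProcess.argtypes = [wintypes.DWORD, wintypes.BOOL, wintypes.DWORD]
    k32.GetProcessMitigationPolicy.restype = wintypes.BOOL
    k32.GetProcessMitigationPolicy.argtypes = [wintypes.HANDLE, ctypes.c_int,
                                               ctypes.c_void_p, ctypes.c_size_t]
    k32.CloseHandle.argtypes = [wintypes.HANDLE]

    PROCESS_QUERY_LIMITED_INFORMATION = 0x1000
    h = k32.OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, False, pid)
    if not h:
        raise ctypes.WinError(ctypes.get_last_error())
    try:
        out = {}
        for name, policy, layout in (("signature", ProcessSignaturePolicy, SIGNATURE_FLAG_BITS),
                                     ("dynamic_code", ProcessDynamicCodePolicy, DYNAMIC_CODE_FLAG_BITS)):
            flags = wintypes.DWORD(0)  # each policy struct is a 4-byte union; Flags is the raw view
            if not k32.GetProcessMitigationPolicy(h, policy, ctypes.byref(flags), ctypes.sizeof(flags)):
                raise ctypes.WinError(ctypes.get_last_error())
            out[name] = decode_flags(flags.value, layout)
        return out
    finally:
        k32.CloseHandle(h)


if __name__ == "__main__":
    # Constructed values: MicrosoftSignedOnly=1 and ProhibitDynamicCode=1, no audit bits
    print(classify(0x1, 0x1))
```

Sweeping every PID with `query_process` and passing the two `Flags` values to `classify` turns the report's description into a hunt: processes that enforce both policies are a short list on most hosts, and anything on it that is not a browser or a Microsoft-signed binary deserves attention.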

Another version of the malware also includes a custom shellcode loader.

And while the crew continues to focus on specific sectors in its malware campaigns, its move away from customized lures to more generic ones also makes it easier for the cyber spies to run higher-volume attacks, Check Point warned. ®
