BugSleep Malware Implant Deployed in Current MuddyWater Attack Campaigns


The Iranian-backed MuddyWater group has added BugSleep, a custom backdoor implant, to its toolset, alongside a marked increase in targeted attacks.

Short Summary:

  • Increased MuddyWater activities against Israel post-October 2023 Israel-Hamas war.
  • Switch to phishing campaigns from compromised organizational email accounts.
  • Deployment of BugSleep, a new backdoor malware, continuously evolving in its functionality.

In the ever-evolving world of cyber espionage, the MuddyWater hacking group, affiliated with Iran’s Ministry of Intelligence and Security (MOIS), has taken another step forward by deploying a new malware, BugSleep.

Since October 2023, following the Israel-Hamas war, MuddyWater has intensified its operations significantly, targeting a diverse array of sectors in Israel and other countries.

The group’s modus operandi often involves spear-phishing campaigns, where phishing emails are sent from compromised organizational accounts, leading to the deployment of various malicious tools.

An analyst from Check Point Research (CPR) noted,

“We discovered several versions of the malware being distributed, with differences between each version showing improvements and bug fixes (and sometimes creating new bugs). These updates, occurring within short intervals between samples, suggest a trial-and-error approach.”

Campaign Targets and Attack Methods

The latest MuddyWater campaign predominantly targets government entities, municipalities, airlines, travel agencies, and media outlets in Israel; entities in Turkey, Saudi Arabia, India, and Portugal have also been targeted.

Between February 2024 and the time of the report, over 50 spear-phishing emails were identified, targeting more than ten sectors and reaching hundreds of recipients.

In typical campaigns, MuddyWater sends emails with lures fine-tuned to the target sector. For example, in one campaign aimed at municipalities, the email offered a new app supposedly designed for municipal operations:

Subject: Special Offer: New App for Municipalities – Limited Time Only!

Dear Customer, in celebration of International Mother’s Day, we are excited to announce the launch of our latest municipal app. This innovative tool is meticulously designed to automate tasks, enhance efficiency, and ensure maximum safety in operations. For today only, we are offering this app as a free download. Empower your municipality to streamline workflows and securely prepare for future tasks. Download Now

Best regards, [Redacted]

Phishing techniques have evolved over time. In current campaigns, the group uses more generic-themed but well-crafted phishing lures, like invitations to webinars and online courses.

This approach allows for the reusability of lures across different targets and regions, concealing the true intent behind otherwise innocuous communication.

BugSleep Infection Chain

The BugSleep infection chain relies on Egnyte, a legitimate file-sharing service, from which targets are led to download the payload. Hosting the file on a legitimate service lends the link credibility, and the displayed name of the share owner is often chosen to look genuine, matching the naming conventions of the targeted country.

In one case, a link sent to a Saudi Arabian transport company showed the share owner as Khaled Mashal, a prominent Hamas leader.

Technical Analysis of BugSleep

Since May 2024, MuddyWater’s phishing lures have delivered BugSleep in place of the legitimate remote monitoring and management (RMM) tools the group previously abused, such as Atera Agent and ScreenConnect.

Several versions of BugSleep have been found. Each differs from the previous one by small modifications and bug fixes, consistent with a trial-and-error approach to development.

The main functionality of BugSleep involves executing threat actor commands and transferring files between the compromised machine and the Command & Control (C&C) server.

On start-up, BugSleep makes multiple calls to the Sleep API (a delay intended to outlast the analysis window of automated sandboxes), resolves the Windows APIs it needs, creates a mutex, and decrypts its configuration, which includes the C&C IP address and port.

Commands Executed by BugSleep

BugSleep communicates with its C&C server by exchanging encrypted messages. The commands it can execute include:

  • Send a file: Transmit file content to C&C.
  • Write a file: Insert content into a specified file.
  • Run commands: Execute commands through a pipe to cmd until a ‘terminate’ command is received.
  • Stop communication: Cease all communication.
  • Delete persistence task: Remove any scheduled persistence tasks created by BugSleep.
  • Update receive timeout: Modify the timeout value for receiving data.
  • Ping: Send a ping response to check the malware status.

Evasion Techniques

BugSleep also sets process mitigation policies on its own process in a way that hampers user-mode Endpoint Detection and Response (EDR) components:

  • MicrosoftSignedOnly (binary signature policy): the process refuses to load images that are not Microsoft-signed, which keeps third-party EDR DLLs out of the process.
  • ProhibitDynamicCode (dynamic code policy): the process cannot generate or modify executable code at run time, which interferes with in-process instrumentation.

Both are legitimate hardening settings (Chromium-based browsers enable them in their sandboxed child processes), so the flags by themselves are not a signal; a process that does not normally use them switching them on is.

BugSleep Loader

Some BugSleep versions come with a custom loader that injects the malware into processes such as `msedge.exe`, `chrome.exe`, `anydesk.exe`, `onedrive.exe`, and `powershell.exe`.

The loader carries the payload as encrypted shellcode, protected in a manner similar to the main BugSleep sample, which it decrypts, writes into the target process, and executes there.
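The evasion flags, the cmd pipe used for operator commands, and the loader’s list of injection targets described above translate directly into host-based hunting logic. The following triage script is an added example written for this page, not Check Point’s or MuddyWater’s code. It runs three checks over a constructed set of Sysmon-style events (the field names, the `ProcessMitigations` record, and all paths are assumptions to be mapped onto your own telemetry): a remote thread created in one of the loader’s target processes, cmd.exe spawned by a process that should not be running shell commands, and the two EDR-blocking mitigation policies enabled on a process outside a browser baseline.

```python
"""Triage constructed endpoint telemetry for BugSleep-style behaviour.

Added example, not code from the original report. Event records below are
constructed to resemble Sysmon-style telemetry; field names are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass

# Processes the report names as injection targets of the BugSleep loader.
LOADER_TARGETS = {"msedge.exe", "chrome.exe", "anydesk.exe", "onedrive.exe", "powershell.exe"}

# Processes that legitimately enable these mitigations on their own children
# (Chromium-based browsers), so the flags alone are not a signal there.
# Assumption: tune this baseline to your environment.
MITIGATION_BASELINE = {"msedge.exe", "chrome.exe"}

SUSPECT_FLAGS = {"MicrosoftSignedOnly", "ProhibitDynamicCode"}


@dataclass(frozen=True)
class Alert:
    rule: str
    host_process: str
    detail: str


def _name(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def check_remote_thread(ev: dict) -> Alert | None:
    """Sysmon event 8 analogue: a thread created in another process."""
    if ev.get("type") != "CreateRemoteThread":
        return None
    target, source = _name(ev["target_image"]), _name(ev["source_image"])
    if target in LOADER_TARGETS and source != target:
        return Alert("remote_thread_into_loader_target", target,
                     f"{source} created a thread in {target} at {ev.get('start_address', '?')}")
    return None


def check_cmd_pipe(ev: dict) -> Alert | None:
    """Process-create analogue: BugSleep runs operator commands through a cmd
    pipe, so an injected host process becomes cmd.exe's parent. PowerShell
    spawning cmd.exe is too common to alert on, so it is excluded."""
    if ev.get("type") != "ProcessCreate":
        return None
    child, parent = _name(ev["image"]), _name(ev["parent_image"])
    if child == "cmd.exe" and parent in LOADER_TARGETS - {"powershell.exe"}:
        return Alert("cmd_from_injected_host", parent,
                     f"{parent} spawned cmd.exe: {ev.get('command_line', '')}")
    return None


def check_mitigations(ev: dict) -> Alert | None:
    """Assumed per-process mitigation snapshot (e.g. from an EDR export or a
    GetProcessMitigationPolicy sweep). Outside the browser baseline, a process
    enabling MicrosoftSignedOnly or ProhibitDynamicCode on itself is worth a look."""
    if ev.get("type") != "ProcessMitigations":
        return None
    proc = _name(ev["image"])
    hit = set(ev.get("mitigations", [])) & SUSPECT_FLAGS
    if hit and proc not in MITIGATION_BASELINE:
        return Alert("edr_blocking_mitigations", proc, "enabled: " + ", ".join(sorted(hit)))
    return None


CHECKS = (check_remote_thread, check_cmd_pipe, check_mitigations)


def triage(events: list[dict]) -> list[Alert]:
    """Run every check over every event and collect the alerts in event order."""
    return [a for ev in events for chk in CHECKS if (a := chk(ev)) is not None]


# Constructed sample telemetry (not real BugSleep artefacts).
SAMPLE_EVENTS = [
    {"type": "CreateRemoteThread", "source_image": r"C:\Windows\Temp\setup.exe",
     "target_image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "start_address": "0x000001D4A3F20000"},
    {"type": "CreateRemoteThread", "source_image": r"C:\Windows\System32\csrss.exe",
     "target_image": r"C:\Windows\System32\notepad.exe"},  # not a loader target
    {"type": "ProcessCreate", "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
     "command_line": "cmd.exe"},
    {"type": "ProcessCreate", "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\explorer.exe", "command_line": "cmd.exe"},  # benign
    {"type": "ProcessMitigations", "image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "mitigations": ["MicrosoftSignedOnly", "ProhibitDynamicCode"]},  # expected for a browser
    {"type": "ProcessMitigations", "image": r"C:\Program Files (x86)\AnyDesk\anydesk.exe",
     "mitigations": ["MicrosoftSignedOnly", "ProhibitDynamicCode"]},
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(f"[{alert.rule}] {alert.host_process}: {alert.detail}")
```

Run against the constructed events, the script raises exactly three alerts (the msedge.exe remote thread, cmd.exe under OneDrive.exe, and the mitigation flags on anydesk.exe) and stays quiet on the benign records. The browser baseline is the part most worth tuning: any process that legitimately enables these policies in your estate belongs in it, otherwise the third check becomes noise.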

Malware Bugs and Unused Code

Certain BugSleep samples contain bugs and poorly written code, again pointing to a trial-and-error development process. For instance, some API names were not encrypted properly, and the encryption intended for data in transit was in places applied as decryption instead. For anyone writing a decoder against captured traffic, this means a routine that works for one sample may have to be tried in both directions for another.

These inconsistencies suggest that BugSleep is still incomplete and under active development.

MuddyWater Attribution

MuddyWater, also tracked as Earth Vetala, MERCURY, Static Kitten, and Seedworm, has been active since 2017. In 2022, U.S. Cyber Command publicly attributed the group to Iran’s Ministry of Intelligence and Security (MOIS).

Since then, MuddyWater has targeted entities across telecommunications, government, and oil sectors, extending their reach beyond the Middle East to North America, Europe, and Asia.

Conclusion

The escalation in MuddyWater’s activities, particularly against targets in Israel, highlights the persistent threat posed by state-backed actors. By integrating custom malware like BugSleep, tailored phishing campaigns, and legitimate tools, MuddyWater continues to adapt and refine its tactics.

Their ability to shift from highly customized lures to more generic phishing themes enables wider reach and efficiency in targeting, reflecting the evolving strategies of cyber-espionage groups.

Check Point Research remains vigilant in monitoring these activities to provide comprehensive protection and preemptively counteract emerging threats.

As reiterated by Check Point Research,

“Harmony Email and Collaboration provides comprehensive inline protection at the highest security level.”

Clients and organizations are encouraged to stay updated and vigilant, employing robust cybersecurity measures to defend against the sophisticated tactics employed by groups like MuddyWater.
