MuddyWater [1] [2] [3] [4] [5] [6], an Iranian threat group associated with MOIS (Iran's Ministry of Intelligence and Security) [6], has been active since at least 2017 [3]. It targets countries in the Middle East and has recently focused on Israel.

Description

In recent years, MuddyWater's phishing campaigns relied on legitimate remote monitoring and management (RMM) tools such as Atera Agent or ScreenConnect. Since October 2023 [3] [6], however, the group has shifted to deploying a new custom backdoor called BugSleep for command execution and file transfer, as observed in a recent attack campaign [1] [4]. This change in tactics was identified by the cybersecurity firms Check Point and Sekoia and highlights the group's evolving techniques. Additionally, since February 2024 MuddyWater has intensified phishing campaigns across more than 10 sectors, using tailored lures and generic webinar invitations sent from compromised accounts [6]. This increased activity in the Middle East [4], and in Israel in particular [1] [3] [4], demonstrates the group's persistence and suggests a move towards more scalable and potentially higher-impact attacks.

Conclusion

The increased activity of MuddyWater in the Middle East [2] [4], especially in Israel, poses a significant threat. Organizations in the region should remain vigilant and implement robust security measures to reduce the risk of falling victim to MuddyWater's attacks. The group's evolving tactics also call for continuous monitoring and adaptation of security strategies to counter its persistent and potentially more damaging attacks in the future.

References

[1] https://cyber.vumetric.com/security-news/2024/07/16/iranian-hackers-deploy-new-bugsleep-backdoor-in-middle-east-cyber-attacks/
[2] https://www.krofeksecurity.com/uncovering-the-latest-bugsleep-backdoor-deployed-by-iranian-hackers/
[3] https://www.cybersecurity-review.com/new-bugsleep-backdoor-deployed-in-recent-muddywater-campaigns/
[4] https://thehackernews.com/2024/07/iranian-hackers-deploy-new-bugsleep.html
[5] https://www.infosecurity-magazine.com/news/iran-muddywater-new-custom-backdoor/
[6] https://cyberpress.org/rmm-tools-with-deadly-bugsleep-malware/