MuddyWater threat group deploys new malware ‘BugSleep’

July 17, 2024

The Iranian state-sponsored MuddyWater group has begun deploying a new backdoor, BugSleep, to steal files and execute commands on infected systems.

According to the researchers who encountered and analysed it, delivered in well-crafted phishing lures, the backdoor still appears to be under active development.

The researchers explained that the malware is distributed via phishing emails disguised as invitations to webinars or online courses. The emails link recipients to archives containing the malicious payload, hosted on the legitimate Egnyte file-sharing service.

Some samples also arrive with a modified loader that injects the backdoor into the running processes of several common applications, including Microsoft Edge, Chrome, AnyDesk, Microsoft OneDrive, PowerShell, and Opera.
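The process list above is the kind of detail a defender can turn into a hunt. The following Python is an added example, not code from the original article or from any vendor report. It assumes Sysmon Event ID 8 (CreateRemoteThread) telemetry exported as one key=value line per event and flags a thread created in any of the named applications by a different image. The log lines, user name, file paths and the loader name setup.exe are constructed for the example and are not real indicators.

```python
"""Hunt Sysmon CreateRemoteThread events for injection into the apps above."""
import re
from collections import namedtuple
from pathlib import PureWindowsPath

# Image basenames the article names as BugSleep injection targets (lower-case).
BUGSLEEP_TARGETS = {
    "msedge.exe",      # Microsoft Edge
    "chrome.exe",
    "anydesk.exe",
    "onedrive.exe",
    "powershell.exe",
    "opera.exe",
}

Finding = namedtuple("Finding", "utc_time source_image target_image target_pid")

# key=value pairs; values may be double-quoted when they contain spaces.
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line):
    """Parse one key=value event line into a dict, stripping surrounding quotes."""
    return {key: value.strip('"') for key, value in _KV_RE.findall(line)}


def basename(win_path):
    """Lower-cased final component of a Windows path, usable on any host OS."""
    return PureWindowsPath(win_path).name.lower()


def is_suspicious(event):
    """True when another image creates a thread inside a listed target process.

    Heuristic, not a signature: a process creating a thread in another instance
    of the same image (browsers do this) is ignored; any other image opening a
    thread in a listed target is worth a look.
    """
    if event.get("EventID") != "8":
        return False
    src, dst = event.get("SourceImage", ""), event.get("TargetImage", "")
    if not src or not dst or basename(dst) not in BUGSLEEP_TARGETS:
        return False
    return basename(src) != basename(dst)


def hunt(lines):
    """Return a Finding for every suspicious event in an iterable of log lines."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if is_suspicious(ev):
            findings.append(Finding(ev.get("UtcTime"), ev["SourceImage"],
                                    ev["TargetImage"], ev.get("TargetProcessId")))
    return findings


# Constructed sample telemetry (not real events): a benign same-image thread,
# two injections from an assumed dropped loader 'setup.exe', a process-create
# event of the wrong ID, and a thread into an application not on the list.
SAMPLE_LOG = [
    r'EventID=8 UtcTime="2024-07-17 09:12:01" SourceImage="C:\Program Files\Google\Chrome\Application\chrome.exe" TargetImage="C:\Program Files\Google\Chrome\Application\chrome.exe" TargetProcessId=4120',
    r'EventID=8 UtcTime="2024-07-17 09:13:44" SourceImage="C:\Users\alice\AppData\Local\Temp\setup.exe" TargetImage="C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" TargetProcessId=5560',
    r'EventID=8 UtcTime="2024-07-17 09:13:45" SourceImage="C:\Users\alice\AppData\Local\Temp\setup.exe" TargetImage="C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" TargetProcessId=3308',
    r'EventID=1 UtcTime="2024-07-17 09:14:02" Image="C:\Windows\System32\notepad.exe" ProcessId=6012',
    r'EventID=8 UtcTime="2024-07-17 09:15:30" SourceImage="C:\Windows\explorer.exe" TargetImage="C:\Windows\System32\notepad.exe" TargetProcessId=6012',
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f"{f.utc_time}  {f.source_image}  ->  {f.target_image} (pid {f.target_pid})")
```

Run against the constructed log, only the two setup.exe events are reported; the chrome-into-chrome thread and the notepad thread are ignored. In production the same-image exclusion should be narrowed (a signed browser binary is not the same as an unsigned copy with the same name), and an allow-list of known injectors such as EDR agents will be needed to keep the noise down.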

Separate analysis found that multiple versions of the malware are in circulation. The changes between versions reflect feature additions and bug fixes, and sometimes introduce new bugs. Because these changes appear at short intervals between samples, they point to a trial-and-error development process rather than a finished tool.

The MuddyWater APT adds BugSleep to its arsenal of cyberattacks.

MuddyWater's shift to BugSleep follows a long period in which it relied on legitimate remote monitoring and management (RMM) tools such as Atera Agent and ScreenConnect to maintain persistent access to victims' networks.

Attacks using the new backdoor have hit organisations across several industries worldwide, including government institutions, airlines, and media outlets, but the targeting is concentrated in a handful of countries: Israel, Turkey, Saudi Arabia, India, and Portugal.

MuddyWater first surfaced almost seven years ago and was quickly classified as a hacking group that prioritises targets in the Middle East and constantly updates its toolset.

Although younger than some other state-sponsored groups, it has remained active throughout that period against a wide range of sectors, including telecommunications, government and IT services, and oil companies.

Organisations, particularly in the Middle East, should treat this group as an active threat: BugSleep is new, still changing between samples, and its full capabilities in live campaigns have yet to be seen.
