
Iranian State Hackers Are Deploying a New Malware Backdoor

Custom Malware Backdoor BugSleep Has Evasion Capabilities, Check Point Says

Hackers with links to Iranian intelligence agencies are deploying a new malware backdoor that has advanced evasion capabilities to target Middle Eastern organizations.


The backdoor, dubbed BugSleep, has been deployed by the Iranian threat group MuddyWater in a phishing campaign that began in May, security firm Check Point said. The campaign specifically targets Israeli municipalities, as well as airlines and journalists, Check Point added.

MuddyWater, also known as Mercury and Static Kitten, is a global espionage group with suspected links to the Iranian Ministry of Intelligence and Security. Previously, the group targeted telecommunications, defense, local government, and oil and natural gas globally (see: MuddyWater Targets Critical Infrastructure in Asia, Europe).

The latest campaign began with threat actors sending industry-specific phishing lures to victims, such as emails asking Israeli local governments to download a new app specifically designed for them.

To deliver the malicious file, MuddyWater sent customized links to PDF files hosted on the Egnyte file-sharing service. Opening the PDF led the victim to download a zip archive, which unpacked the BugSleep malware onto the targeted device.

"We discovered several versions of the malware being distributed, with differences between each version showing improvements and bug fixes (and sometimes creating new bugs). These updates, occurring within short intervals between samples, suggest a trial-and-error approach," the researchers said.

Despite the threat actors deploying multiple versions of BugSleep, Check Point said all the variants were primarily designed to evade detection. In one variant, the malware applies the Windows process mitigation policy that forbids its own process from loading any image not signed by Microsoft, Check Point said. Because many endpoint detection and response products monitor a process by injecting their own user-mode DLL into it, a process that only accepts Microsoft-signed images keeps those hooking DLLs out, which is how the backdoor blinds EDR to its activity.

BugSleep then applies a second policy that prevents the process from generating dynamic code or modifying existing executable code, which shuts down another avenue for a security product to place hooks inside it. Both policies are legitimate Windows hardening features that browser sandboxes, for example, opt into, so the signal for defenders is an unfamiliar process enabling them, not the policies themselves.
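A practitioner reading the two paragraphs above will want a quick way to see which processes on a host have enabled these policies. The following script is an added example, not code from the Check Point report and not BugSleep's own code: it walks the running processes through the Toolhelp snapshot API, queries each one with GetProcessMitigationPolicy for the signature policy and the dynamic-code policy, and lists the processes that enforce either. The Win32 constants and structure layouts are the documented ones; the decoding helpers, the record format and the scan loop are this example's own assumptions. It only runs on Windows, and processes that refuse a query handle (protected and most system processes) are skipped.

```python
"""Added triage helper (not Check Point's code and not BugSleep's): list the
running processes on a Windows host that enforce the Microsoft-signed-only
image-load policy or the dynamic-code prohibition described in the article.
Constants and structure layouts are the documented Win32 ones; the scanning
logic and the output format are this example's own."""
import ctypes
import sys
from ctypes import c_int, c_int32, c_long, c_size_t, c_uint32, c_void_p, c_wchar

# Win32 constants (documented values).
PROCESS_QUERY_INFORMATION = 0x0400   # access right GetProcessMitigationPolicy documents
TH32CS_SNAPPROCESS = 0x00000002
PROCESS_DYNAMIC_CODE_POLICY = 2      # PROCESS_MITIGATION_POLICY enum members
PROCESS_SIGNATURE_POLICY = 8
INVALID_HANDLE_VALUE = c_void_p(-1).value

# Bit layout of the two policy structures, low bit first.
SIGNATURE_BITS = {0: "MicrosoftSignedOnly", 1: "StoreSignedOnly", 2: "MitigationOptIn",
                  3: "AuditMicrosoftSignedOnly", 4: "AuditStoreSignedOnly"}
DYNAMIC_CODE_BITS = {0: "ProhibitDynamicCode", 1: "AllowThreadOptOut",
                     2: "AllowRemoteDowngrade", 3: "AuditProhibitDynamicCode"}


def decode_flags(flags, layout):
    """Turn a policy DWORD into the names of the bits that are set."""
    return [name for bit, name in sorted(layout.items()) if flags & (1 << bit)]


def enforcing(sig_flags, dyn_flags):
    """(blocks non-Microsoft images, blocks dynamic code). Audit-only bits do
    not count: they log but stop nothing. None means the query failed."""
    return (bool((sig_flags or 0) & 1), bool((dyn_flags or 0) & 1))


class PROCESSENTRY32W(ctypes.Structure):
    _fields_ = [("dwSize", c_uint32), ("cntUsage", c_uint32), ("th32ProcessID", c_uint32),
                ("th32DefaultHeapID", c_size_t), ("th32ModuleID", c_uint32),
                ("cntThreads", c_uint32), ("th32ParentProcessID", c_uint32),
                ("pcPriClassBase", c_long), ("dwFlags", c_uint32), ("szExeFile", c_wchar * 260)]


def _query_policy(k32, hproc, policy):
    """Read one policy DWORD for an open process handle; None on failure."""
    buf = c_uint32(0)
    ok = k32.GetProcessMitigationPolicy(hproc, policy, ctypes.byref(buf), ctypes.sizeof(buf))
    return buf.value if ok else None


def scan_running_processes():
    """Windows only. Returns one record per process that enforces either policy."""
    if sys.platform != "win32":
        raise OSError("this scan needs the Win32 API; run it on a Windows host")
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.CreateToolhelp32Snapshot.restype = c_void_p
    k32.CreateToolhelp32Snapshot.argtypes = [c_uint32, c_uint32]
    k32.Process32FirstW.argtypes = [c_void_p, ctypes.POINTER(PROCESSENTRY32W)]
    k32.Process32NextW.argtypes = [c_void_p, ctypes.POINTER(PROCESSENTRY32W)]
    k32.OpenProcess.restype = c_void_p
    k32.OpenProcess.argtypes = [c_uint32, c_int32, c_uint32]
    k32.GetProcessMitigationPolicy.argtypes = [c_void_p, c_int, c_void_p, c_size_t]
    k32.CloseHandle.argtypes = [c_void_p]

    snap = k32.CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0)
    if snap in (None, INVALID_HANDLE_VALUE):
        raise ctypes.WinError(ctypes.get_last_error())
    entry = PROCESSENTRY32W()
    entry.dwSize = ctypes.sizeof(entry)
    findings = []
    more = k32.Process32FirstW(snap, ctypes.byref(entry))
    while more:
        hproc = k32.OpenProcess(PROCESS_QUERY_INFORMATION, 0, entry.th32ProcessID)
        if hproc:  # protected and most system processes refuse the handle; skip them
            sig = _query_policy(k32, hproc, PROCESS_SIGNATURE_POLICY)
            dyn = _query_policy(k32, hproc, PROCESS_DYNAMIC_CODE_POLICY)
            k32.CloseHandle(hproc)
            if any(enforcing(sig, dyn)):
                findings.append({"pid": entry.th32ProcessID, "name": entry.szExeFile,
                                 "signature": decode_flags(sig or 0, SIGNATURE_BITS),
                                 "dynamic_code": decode_flags(dyn or 0, DYNAMIC_CODE_BITS)})
        more = k32.Process32NextW(snap, ctypes.byref(entry))
    k32.CloseHandle(snap)
    return findings


if __name__ == "__main__":
    for f in scan_running_processes():
        print(f"{f['pid']:>6}  {f['name']:<32} {f['signature']} {f['dynamic_code']}")
```

Treat the output as a triage list rather than an alert: Chromium-based browser renderers and some Microsoft components enable these policies legitimately, so the next step for each hit is to check the image path and its Authenticode signer (for example with Get-AuthenticodeSignature) and ask whether that binary has any business hardening itself against its own EDR.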

The malware then contacts its command-and-control servers and sends the information it has collected, such as details about the infected device.

Since some of the samples contained several bugs as well as unused code, Check Point assesses that the malware is still under active development. In addition to victims in Israel, the hackers also targeted organizations in Turkey, Saudi Arabia, India and Portugal.

"The increased activity of MuddyWater in the Middle East, particularly in Israel, highlights the persistent nature of these threat actors. Their consistent use of phishing campaigns, now incorporating a custom backdoor, BugSleep, marks a notable development in their techniques, tactics and procedures," the researchers said.


About the Author

Akshaya Asokan

Senior Correspondent, ISMG

Asokan is a U.K.-based senior correspondent for Information Security Media Group's global news desk. She previously worked with IDG and other publications, reporting on developments in technology, minority rights and education.
