New BugSleep Backdoor Malware Used In MuddyWater Attacks
Written by Karolis Liucveikis on
MuddyWater, also tracked as Earth Vetala, MERCURY, Static Kitten, and Seedworm, is an Iranian state-sponsored threat actor that has been active since 2017. The group has been observed exploiting vulnerabilities in internet-facing systems on several separate occasions.
The group has also proven highly capable of developing and deploying its own custom malware strains to further its objectives and those of the Iranian state. The newly discovered BugSleep backdoor is further evidence of that in-house development capability.
MuddyWater has not been operational for as long as many other state-sponsored threat actors, but it has been disproportionately active for its age.
The group is known for targeting numerous sectors but focuses much of its attention on telecommunications, government (IT services), and oil industry organizations. The threat actor has also broadened its operations into cyber espionage campaigns against government and defense organizations in Central and Southwest Asia, as well as organizations in North America, Europe, and Asia.
One of MuddyWater's established tactics is to deploy legitimate Remote Monitoring and Management (RMM) tools such as Atera Agent and ScreenConnect to gain persistent remote access to a targeted machine. Researchers at Check Point recently discovered that, in some campaigns, the group has replaced those RMM tools with a custom backdoor of its own, BugSleep, as the final payload.
How the RMM software or the new BugSleep malware is delivered to potential victims has not changed: MuddyWater initiates a spear phishing email campaign.
As researchers noted,
MuddyWater campaigns usually consist of sending large numbers of emails to a wide range of targets from a compromised email account. Although their lures are aimed at a large and varied set of organizations or individuals, they often focus on specific industries or sectors, highlighting the group’s points of interest. Among those are notable phishing campaigns aimed at Israeli municipalities as well as a broader group of airlines, travel agencies, and journalists. Overall, since February 2024 we identified over 50 spear phishing emails targeting more than 10 sectors that were sent to hundreds of recipients.
For each of the sectors mentioned above, the threat actors composed unique lures; for instance, lures aimed at municipalities suggested downloading a new app created specifically for municipalities.
More recently, however, the group has shifted to more generic yet well-crafted phishing lures, such as invitations to webinars and online courses. Researchers believe this approach allows them to reuse the same lure across different targets and regions. Additionally, while they previously relied on the locally spoken languages of their targets, they now use English more frequently.
This shift is exemplified by one discovered lure sent to two separate victims, one in Saudi Arabia and the other in Israel. The main differences were the email addresses used to send the lure and the final payload: in Saudi Arabia it was an RMM tool, in Israel it was the custom backdoor BugSleep.
BugSleep Analysis
In the past, MuddyWater has used Egnyte, an online file-sharing service, to distribute malware payloads. This has again been seen in recent campaigns distributing BugSleep. To add a further veneer of legitimacy, the threat actors match the Egnyte subdomains to the company names used in their phishing emails.
According to Check Point researchers, the shift from using RMM tools to BugSleep likely occurred in May 2024. Additionally, several versions of the malware are being distributed, with differences between each version showing improvements and bug fixes, and as is typical of any development cycle, sometimes creating new bugs.
These updates occurred within short intervals between samples uncovered by researchers. This suggests the threat actors developing the malware have adopted a trial-and-error approach.
While several versions have been seen in the wild, all seem to share the same logic:
- All analyzed versions call the Sleep API to delay execution, a simple way to outlast the limited analysis window of automated security sandboxes.
- The malware resolves the additional Windows APIs it needs at runtime rather than importing them statically, which keeps its functionality out of a static import table.
- The malware's configuration is encrypted, including the Command and Control (C&C) server IP address and the port used to communicate with the server.
- Adding a layer of operational security, all communications and files staged for exfiltration are also encrypted.
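The encrypted C&C address and port mentioned above is the first thing an analyst usually wants out of a sample. The page does not describe BugSleep's actual encryption routine, so the following is an added, generic triage example (not Check Point's code and not BugSleep's algorithm): it brute-forces the two cheapest obfuscation schemes malware authors reach for, single-byte XOR and single-byte addition, and reports any key under which a plausible `IPv4:port` string appears in the blob. The sample blob, its padding and the additive key 3 are constructed for the example.

```python
import ipaddress
import re

# Constructed sample: an "IP:port" config obfuscated by adding 3 to every byte
# (mod 256) and surrounded by unrelated padding bytes. The scheme and the key are
# assumptions for this example, not BugSleep's documented algorithm.
PLAINTEXT_SAMPLE = b"203.0.113.10:443"
SAMPLE_KEY = 3
SAMPLE_BLOB = (
    bytes([0x90, 0x41, 0x42])
    + bytes((b + SAMPLE_KEY) % 256 for b in PLAINTEXT_SAMPLE)
    + bytes([0x00, 0xFF])
)

# Four dotted decimal octets, a colon, then one to five digits.
C2_PATTERN = re.compile(rb"(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})")


def _plausible(match):
    """Reject regex hits that are not a valid IPv4 address and TCP/UDP port."""
    ip_text, port = match.group(1).decode(), int(match.group(2))
    try:
        ipaddress.IPv4Address(ip_text)
    except ValueError:
        return False
    return 0 < port <= 65535


def candidate_decodes(blob):
    """Yield (scheme, key, decoded_bytes) for every single-byte XOR and subtract key."""
    for key in range(1, 256):
        yield "xor", key, bytes(b ^ key for b in blob)
        yield "sub", key, bytes((b - key) % 256 for b in blob)


def recover_c2(blob):
    """Return every (scheme, key, 'ip:port') that decodes to a plausible C2 address."""
    hits = []
    for scheme, key, plain in candidate_decodes(blob):
        for m in C2_PATTERN.finditer(plain):
            if _plausible(m):
                hits.append((scheme, key, m.group(0).decode()))
    return hits


if __name__ == "__main__":
    for scheme, key, c2 in recover_c2(SAMPLE_BLOB):
        print(f"{scheme} key=0x{key:02x}: {c2}")
```

Point this at the encrypted data section of a real sample instead of `SAMPLE_BLOB`; if nothing comes back, the configuration uses something stronger than a one-byte transform and the decryption routine has to be lifted from the binary itself.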
The BugSleep loader injects shellcode that loads BugSleep in memory into one of the following processes, depending on which is running at the time:
- msedge.exe
- opera.exe
- chrome.exe
- anydesk.exe
- Onedrive.exe
- powershell.exe
Because the payload then lives only in the memory of a process that is expected to be running and making network connections, it is much harder for security software to detect. While none of the tactics mentioned above are revolutionary in themselves, they remain highly effective when combined by skilled threat actors.
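The injection target list above is directly usable for hunting: a process opening one of those images with write or thread-creation rights, or starting a remote thread in it whose start address is not backed by any loaded module, is the signal that process-injection telemetry exists to surface. The following is an added example (not Check Point's code) that applies that logic to Sysmon-style ProcessAccess (Event ID 10) and CreateRemoteThread (Event ID 8) records; the events themselves are constructed by hand for the example, and the source allowlist is an assumption to be tuned per environment.

```python
import ntpath

# Processes the BugSleep loader is reported to inject into (from the analysis above).
BUGSLEEP_INJECTION_TARGETS = {
    "msedge.exe", "opera.exe", "chrome.exe",
    "anydesk.exe", "onedrive.exe", "powershell.exe",
}

# Source images that legitimately open other processes with broad rights.
# Assumption for this example: extend with the EDR/AV agents in use.
ALLOWLISTED_SOURCES = {"csrss.exe", "msmpeng.exe", "lsass.exe"}

# Access-mask bits that allow writing memory or creating threads in the target:
# PROCESS_CREATE_THREAD 0x2, PROCESS_VM_OPERATION 0x8, PROCESS_VM_WRITE 0x20.
INJECTION_ACCESS_BITS = 0x02 | 0x08 | 0x20

# Constructed Sysmon-like records (hand-written samples, not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "GrantedAccess": "0x1000"},
    {"EventID": 8, "SourceImage": r"C:\Users\user\AppData\Local\Temp\invoice.exe",
     "TargetImage": r"C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
     "StartAddress": "0x0000020A1C3F0000", "StartModule": ""},
    {"EventID": 10, "SourceImage": r"C:\Users\user\AppData\Local\Temp\invoice.exe",
     "TargetImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "GrantedAccess": "0x1FFFFF"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\Taskmgr.exe",
     "TargetImage": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "GrantedAccess": "0x1000"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe"},
    {"EventID": 8, "SourceImage": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "TargetImage": r"C:\Program Files\AnyDesk\AnyDesk.exe",
     "StartAddress": "0x00007FFB1A2C3D40", "StartModule": r"C:\Windows\System32\ntdll.dll"},
]


def _basename(path):
    # ntpath handles Windows separators regardless of the host OS.
    return ntpath.basename(path).lower()


def is_suspicious(event):
    """True for injection-shaped access to a BugSleep target from a non-allowlisted source."""
    eid = event.get("EventID")
    if eid not in (8, 10):
        return False
    source = _basename(event.get("SourceImage", ""))
    target = _basename(event.get("TargetImage", ""))
    if target not in BUGSLEEP_INJECTION_TARGETS or source in ALLOWLISTED_SOURCES:
        return False
    if eid == 10:
        # Only care about handles that could write memory or start a thread;
        # query-only access (e.g. 0x1000) is routine and noisy.
        granted = int(event.get("GrantedAccess", "0x0"), 16)
        return bool(granted & INJECTION_ACCESS_BITS)
    # Event 8: a remote thread whose start address maps to no loaded module
    # is the classic sign of shellcode placed in the target.
    return event.get("StartModule", "") == ""


def hunt(events):
    """Return the subset of events worth an analyst's attention."""
    return [e for e in events if is_suspicious(e)]


if __name__ == "__main__":
    for e in hunt(SAMPLE_EVENTS):
        print(e["EventID"], e["SourceImage"], "->", e["TargetImage"])
```

Replace `SAMPLE_EVENTS` with records exported from Sysmon or an EDR, and keep the allowlist short: every entry on it is a process an attacker could also choose as a source, so it should be justified by hash or signer, not by name alone.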
In conclusion, researchers stated,
The increased activity of MuddyWater in the Middle East, particularly in Israel, highlights the persistent nature of these threat actors, who continue to operate against a wide variety of targets in the region. Their consistent use of phishing campaigns, now incorporating a custom backdoor, BugSleep, marks a notable development in their techniques, tactics and procedures (TTPs).
And,
The campaigns reflect the group’s interests, focusing on specific sectors such as municipalities, airlines, travel agencies, and media outlets. Although they are aimed at specific sectors, the nature of the lures themselves has become much simpler over time. The shift from highly customized lures to more generic themes such as webinars and online courses, combined with the increased use of the English language, allows the group to focus on higher volume rather than specific targets.