Iranian State Hackers Are Deploying a New Malware Backdoor – Source: www.databreachtoday.com

Cyberwarfare / Nation-State Attacks
,
Fraud Management & Cybercrime

Custom Malware Backdoor BugSleep Has Evasion Capabilities, Checkpoint Says

Akshaya Asokan (asokan_akshaya) •
July 16, 2024    

Hackers with links to Iranian intelligence agencies are deploying a new malware backdoor that has advanced evasion capabilities to target Middle Eastern organizations.

See Also: Webinar | Everything You Can Do to Fight Social Engineering and Phishing

The malware backdoor, dubbed BugSleep, has been deployed by Iranian threat group MuddyWater as part of phishing emails that began in May, security firm Checkpoint said. The campaign specifically targets Israeli towns, as well as airlines and journalists, Checkpoint added.

MuddyWater, also known as Mercury and Static Kitten, is a global espionage group with suspected links to the Iranian Ministry of Intelligence and Security. Previously, the group targeted telecommunications, defense, local government, and oil and natural gas globally (see: MuddyWater Targets Critical Infrastructure in Asia, Europe).

The latest campaign began with threat actors sending industry-specific phishing lures to victims, such as emails asking Israeli local governments to download a new app specifically designed for them.

To deliver the malicious file, MuddyWater first shared customized links to the Egnyte file-sharing application that contained a PDF file as an attachment. When a victim opened the file, a zip file was downloaded to the victim’s computer, which then unpacked the BugSleep malware onto the targeted device.

“We discovered several versions of the malware being distributed, with differences between each version showing improvements and bug fixes (and sometimes creating new bugs). These updates, occurring within short intervals between samples, suggest a trial-and-error approach,” the researchers said.

Despite the threat actors deploying multiple versions of BugSleep, Checkpoint said all the variants were primarily designed to evade detection. In one of the variants, the malware evaded endpoint detection and response by preventing the process from loading images that are not signed by Microsoft, Checkpoint said.

BugSleep then deployed another function to prevent the process from generating dynamic code or modifying existing executable code.

The malware then called for command-and-control servers to send exfiltrated data such as the target’s device details.

Since some of the samples contained several bugs, as well as unused code, Checkpoint estimates the malware is still being developed by the threat actors. In addition to victims in Israel, the hackers also targeted organizations in Turkey, Saudi Arabia, India and Portugal.

“The increased activity of MuddyWater in the Middle East, particularly in Israel, highlights the persistent nature of these threat actors. Their consistent use of phishing campaigns, now incorporating a custom backdoor, BugSleep, marks a notable development in their techniques, tactics and procedures,” the researchers said.