New BugSleep Backdoor Deployed in Recent MuddyWater Campaigns

July 15, 2024, 8:55 p.m.

Description

An Iranian threat group known as MuddyWater, affiliated with the Ministry of Intelligence and Security, has significantly intensified its operations against Israel, Saudi Arabia, Turkey, Azerbaijan, India, and Portugal in recent months. The group consistently uses phishing campaigns sent from compromised organizational email accounts to deploy legitimate remote management tools and a newly identified custom backdoor dubbed BugSleep. The backdoor executes commands and transfers files between the compromised system and a command-and-control server, and the threat actors are continuously developing and improving it. The report provides an in-depth analysis of MuddyWater's evolving tactics, techniques, and procedures, including its abuse of the Egnyte file-sharing service and the technical details of the BugSleep malware.

Date

  • Created: July 15, 2024, 3:56 p.m.
  • Published: July 15, 2024, 3:56 p.m.
  • Modified: July 15, 2024, 8:55 p.m.

Indicators

  • e7896ccb82ae35e1ee5949b187839faab0b51221d510b25882bbe711e57c16d2
  • f925d929602c9bae0a879bb54b08f5f387d908d4766506c880c5d29986320cf9
  • e2810cca5d4b74e0fe04591743e67da483a053a8b06f3ef4a41bdabee9c48cf7
  • c88453178f5f6aaab0cab2e126b0db27b25a5cfe6905914cc430f6f100b7675c
  • c23f17b92b13464a570f737a86c0960d5106868aaa5eac2f2bac573c3314eb0f
  • c80c8dd7be3ccf18e327355b880afb5a24d5a0596939458fb13319e05c4d43e9
  • a0968e820bbc5e099efd55143028b1997fd728d923c19af03a1ccec34ce73d9b
  • b8703744744555ad841f922995cef5dbca11da22565195d05529f5f9095fbfca
  • 960d4c9e79e751be6cad470e4f8e1d3a2b11f76f47597df8619ae41c96ba5809
  • 94278fa01900fdbfb58d2e373895c045c69c01915edc5349cd6f3e5b7130c472
  • 90f94d98386c179a1b98a1f082b0c7487b22403d8d5eb3db6828725d14392ded
  • 8fbd374d4659efdc5b5a57ff4168236aeaab6dae4af6b92d99ac28e05f04e5c1
  • 88788208316a6cf4025dbabbef703f51d77d475dc735bf826b8d4a13bbd6a3ee
  • 7e6b04e17ae273700cef4dc08349af949dbd4d3418159d607529ae31285e18f7
  • 7e14ca8cb7980e85aff4038f489442eace33530fd02e2b9c382a4b6907601bee
  • 73c677dd3b264e7eb80e26e78ac9df1dba30915b5ce3b1bc1c83db52b9c6b30e
  • 5df724c220aed7b4878a2a557502a5cefee736406e25ca48ca11a70608f3a1c0
  • 55af6a90ac8863f27b3fcaa416a0f1e4ff02fb42aa46a7274c6b76aa000aacc2
  • 53b4a4359757e7f4e83929fba459677e76340cbec7e2e1588bbf70a4df7b0e97
  • 424a9c85f97aa1aece9480bd658266c366a60ff1d62c31b87ddc15a1913c10e4
  • 4064e4bb9a4254948047858301f2b75e276a878321b0cc02710e1738b42548ca
  • 39da7cc7c627ea4c46f75bcec79e5669236e6b43657dcad099e1b9214527670e
  • 20aaeac4dbea89b50d011e9becdf51afc1a1a1f254a5f494b80c108fd3c7f61a
  • 0ab2b0a2c46d14593fe900e7c9ce5370c9cfbf6927c8adb5812c797a25b7f955
  • 1c0947258ddb608c879333c941f0738a7f279bc14630f2c8877b82b8046acf91
  • 02060a9ea0d0709e478e2fba6e9b71c1b7315356acc4f64e40802185c4f42f1c
  • fb58c54a6d0ed24e85b213f0c487f8df05e421d7b07bd2bece3a925a855be93a
  • 31591fcf677a2da2834d2cc99a00ab500918b53900318f6b19ea708eba2b38ab
  • ff2ae62ba88e7068fa142bbe67d7b9398e8ae737a43cf36ace1fcf809776c909
  • 95.164.32.69
  • 91.235.234.202
  • 85.239.61.97
  • 89.221.225.81
  • 5.252.23.52
  • 45.150.108.198
  • 200.200.200.248
  • 193.109.120.59
  • 185.248.85.20
  • 169.150.227.230
  • 169.150.227.205
  • 146.70.172.227
  • 146.19.143.14
  • 141.98.252.143
  • 198.54.131.36
  • 194.4.50.133
  • 31.171.154.54
  • softwarehosts.com
  • smtpcloudapp.com
  • smartcloudcompany.com
  • onlinemailerservices.com

Attack Patterns

Additional Information

  • British Indian Ocean Territory
  • Azerbaijan
  • Portugal
  • India
  • Saudi Arabia
  • Türkiye
  • Israel