Back

New BugSleep Backdoor Deployed in Recent MuddyWater Campaigns

July 15, 2024, 8:55 p.m.

Tags

espionage
muddywater
2024-07-15
bugsleep

External References

https://blog.sekoia.io/

https://research.checkpoint.com/

https://otx.alienvault.com/

Description

An Iranian threat group known as MuddyWater, affiliated with the Ministry of Intelligence and Security, has significantly intensified its operations targeting Israel, Saudi Arabia, Turkey, Azerbaijan, India, and Portugal in recent months. The group consistently utilizes phishing campaigns originating from compromised organizational email accounts to deploy legitimate Remote Management Tools and a newly identified custom backdoor dubbed BugSleep. This backdoor is designed to execute commands, transfer files between the compromised system and a command-and-control server, and is continuously undergoing development and improvements by the threat actors. The report provides an in-depth analysis of MuddyWater's evolving tactics, techniques, and procedures, including their abuse of the Egnyte file-sharing service and the technical details of the BugSleep malware.

Date

Published Created Modified
July 15, 2024, 3:56 p.m. July 15, 2024, 3:56 p.m. July 15, 2024, 8:55 p.m.

Indicators

e7896ccb82ae35e1ee5949b187839faab0b51221d510b25882bbe711e57c16d2

f925d929602c9bae0a879bb54b08f5f387d908d4766506c880c5d29986320cf9

e2810cca5d4b74e0fe04591743e67da483a053a8b06f3ef4a41bdabee9c48cf7

c88453178f5f6aaab0cab2e126b0db27b25a5cfe6905914cc430f6f100b7675c

c23f17b92b13464a570f737a86c0960d5106868aaa5eac2f2bac573c3314eb0f

c80c8dd7be3ccf18e327355b880afb5a24d5a0596939458fb13319e05c4d43e9

a0968e820bbc5e099efd55143028b1997fd728d923c19af03a1ccec34ce73d9b

b8703744744555ad841f922995cef5dbca11da22565195d05529f5f9095fbfca

960d4c9e79e751be6cad470e4f8e1d3a2b11f76f47597df8619ae41c96ba5809

94278fa01900fdbfb58d2e373895c045c69c01915edc5349cd6f3e5b7130c472

90f94d98386c179a1b98a1f082b0c7487b22403d8d5eb3db6828725d14392ded

8fbd374d4659efdc5b5a57ff4168236aeaab6dae4af6b92d99ac28e05f04e5c1

88788208316a6cf4025dbabbef703f51d77d475dc735bf826b8d4a13bbd6a3ee

7e6b04e17ae273700cef4dc08349af949dbd4d3418159d607529ae31285e18f7

7e14ca8cb7980e85aff4038f489442eace33530fd02e2b9c382a4b6907601bee

73c677dd3b264e7eb80e26e78ac9df1dba30915b5ce3b1bc1c83db52b9c6b30e

5df724c220aed7b4878a2a557502a5cefee736406e25ca48ca11a70608f3a1c0

55af6a90ac8863f27b3fcaa416a0f1e4ff02fb42aa46a7274c6b76aa000aacc2

53b4a4359757e7f4e83929fba459677e76340cbec7e2e1588bbf70a4df7b0e97

424a9c85f97aa1aece9480bd658266c366a60ff1d62c31b87ddc15a1913c10e4

4064e4bb9a4254948047858301f2b75e276a878321b0cc02710e1738b42548ca

39da7cc7c627ea4c46f75bcec79e5669236e6b43657dcad099e1b9214527670e

20aaeac4dbea89b50d011e9becdf51afc1a1a1f254a5f494b80c108fd3c7f61a

0ab2b0a2c46d14593fe900e7c9ce5370c9cfbf6927c8adb5812c797a25b7f955

1c0947258ddb608c879333c941f0738a7f279bc14630f2c8877b82b8046acf91

02060a9ea0d0709e478e2fba6e9b71c1b7315356acc4f64e40802185c4f42f1c

fb58c54a6d0ed24e85b213f0c487f8df05e421d7b07bd2bece3a925a855be93a

31591fcf677a2da2834d2cc99a00ab500918b53900318f6b19ea708eba2b38ab

ff2ae62ba88e7068fa142bbe67d7b9398e8ae737a43cf36ace1fcf809776c909

95.164.32.69

91.235.234.202

85.239.61.97

89.221.225.81

5.252.23.52

45.150.108.198

200.200.200.248

193.109.120.59

185.248.85.20

169.150.227.230

169.150.227.205

146.70.172.227

146.19.143.14

141.98.252.143

198.54.131.36

194.4.50.133

31.171.154.54

Attack Patterns

BugSleep

MuddyWater

T1018

T1548

T1574

T1547

T1057

T1105

T1071

T1036

T1204

T1033

T1027

T1053

T1566

T1059

Additional Informations

British Indian Ocean Territory

Azerbaijan

Portugal

India

Saudi Arabia

Türkiye

Israel