New BugSleep Backdoor Deployed in Recent MuddyWater Campaigns
July 15, 2024, 8:55 p.m.
Tags
External References
Description
An Iranian threat group known as MuddyWater, affiliated with the Ministry of Intelligence and Security, has significantly intensified its operations targeting Israel, Saudi Arabia, Turkey, Azerbaijan, India, and Portugal in recent months. The group consistently uses phishing campaigns sent from compromised organizational email accounts to deploy legitimate Remote Management Tools and a newly identified custom backdoor dubbed BugSleep. The backdoor is designed to execute commands and to transfer files between the compromised system and a command-and-control server, and it is under continuous development and improvement by the threat actors. The report provides an in-depth analysis of MuddyWater's evolving tactics, techniques, and procedures, including their abuse of the Egnyte file-sharing service and the technical details of the BugSleep malware.
Date
Published: July 15, 2024, 3:56 p.m.
Created: July 15, 2024, 3:56 p.m.
Modified: July 15, 2024, 8:55 p.m.
Indicators
Attack Patterns
BugSleep
MuddyWater
T1018
T1548
T1574
T1547
T1057
T1105
T1071
T1036
T1204
T1033
T1027
T1053
T1566
T1059
Additional Information
British Indian Ocean Territory
Azerbaijan
Portugal
India
Saudi Arabia
Türkiye
Israel