
New BugSleep Backdoor Deployed in Recent MuddyWater Campaigns

Published 15/07/2024 15:56 · Modified 15/07/2024 20:55


Essential information

Tags
2024-07-15 bugsleep espionage muddywater
Related entities
50 observables, 1 intrusion sets (apt), 14 techniques (mitre), 1 malware, 7 others

Description

An Iranian threat group known as MuddyWater, affiliated with the Ministry of Intelligence and Security, has significantly intensified its operations against Israel, Saudi Arabia, Turkey, Azerbaijan, India, and Portugal in recent months. The group consistently uses phishing campaigns sent from compromised organizational email accounts to deploy legitimate Remote Management Tools and a newly identified custom backdoor dubbed BugSleep. The backdoor is designed to execute commands and transfer files between the compromised system and a command-and-control server, and it is still under active development and improvement by the threat actors. The report provides an in-depth analysis of MuddyWater's evolving tactics, techniques, and procedures, including the group's abuse of the Egnyte file-sharing service, together with the technical details of the malware.

External references