New BugSleep Malware Implant Deployed in MuddyWater Attacks

Summary:
Researchers at Check Point have disclosed details of a new backdoor implant dubbed BugSleep that is actively being deployed in attacks by MuddyWater, an Iranian state-sponsored group, to steal files of interest and run commands on compromised systems. These attacks entail the use of phishing emails disguised as invitations to webinars or online courses, designed to redirect targets to archives containing malicious payloads hosted on the Egnyte secure file-sharing platform. Several versions of BugSleep have been observed in distribution, with the differences between versions consisting of improvements and bug fixes. Check Point notes that these updates occur within short intervals between samples, indicating that the actors are adopting a trial-and-error approach to perfect the backdoor implant. Some versions of BugSleep also come with a custom loader designed to inject the implant into the active processes of a handful of applications, including Microsoft Edge, Google Chrome, AnyDesk, Microsoft OneDrive, PowerShell, and Opera, a tactic typically employed by actors to evade detection by antivirus solutions.
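The loader behaviour described above, injection into the processes of a fixed set of applications, is observable from the defender's side as cross-process access from an unrelated image into one of those applications. The following is an added example, not code from Check Point or from the advisory: a small detector that scans constructed, pipe-delimited Sysmon-style log lines (ProcessAccess, event ID 10; CreateRemoteThread, event ID 8) and flags access into the listed applications. The executable names (msedge.exe, chrome.exe, anydesk.exe, onedrive.exe, powershell.exe, opera.exe), the log format and the sample lines are assumptions made for the example; the access-mask constants are the standard Windows PROCESS_* rights.

```python
"""Added example: flag cross-process access into the applications named in the
Check Point summary as BugSleep loader targets. Log format and sample lines are
constructed for this example; executable names are assumed mappings of the app
names in the report."""

# Assumed executable names for the applications listed in the summary.
TARGET_IMAGES = {
    "msedge.exe": "Microsoft Edge",
    "chrome.exe": "Google Chrome",
    "anydesk.exe": "AnyDesk",
    "onedrive.exe": "Microsoft OneDrive",
    "powershell.exe": "PowerShell",
    "opera.exe": "Opera",
}

# Sysmon event IDs that record injection primitives.
EVENT_CREATE_REMOTE_THREAD = 8
EVENT_PROCESS_ACCESS = 10

# Standard Windows process access rights needed to write code into another
# process and start it; query-only readers do not request these.
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_WRITE = 0x0020
INJECTION_RIGHTS = PROCESS_CREATE_THREAD | PROCESS_VM_WRITE


def parse_line(line):
    """Parse one constructed 'Key=Value|Key=Value' log line into a dict."""
    fields = {}
    for part in line.split("|"):
        key, sep, val = part.partition("=")
        if sep:
            fields[key.strip()] = val.strip()
    try:
        eid = int(fields["EventID"])
    except (KeyError, ValueError):
        return None
    acc = fields.get("GrantedAccess")
    return {
        "eid": eid,
        "src": fields.get("SourceImage", ""),
        "dst": fields.get("TargetImage", ""),
        "acc": int(acc, 16) if acc else 0,
    }


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def is_suspicious(ev):
    """True when a different image reaches into a listed application."""
    if ev["eid"] not in (EVENT_CREATE_REMOTE_THREAD, EVENT_PROCESS_ACCESS):
        return False
    src, dst = _basename(ev["src"]), _basename(ev["dst"])
    # Ignore unlisted targets and an application's own worker processes.
    if dst not in TARGET_IMAGES or src == dst:
        return False
    if ev["eid"] == EVENT_CREATE_REMOTE_THREAD:
        return True
    # For ProcessAccess, require write or thread-creation rights so that
    # benign query-only access (e.g. Task Manager) is not flagged.
    return bool(ev["acc"] & INJECTION_RIGHTS)


def scan(lines):
    """Return (source, target, event id) for every suspicious line."""
    hits = []
    for line in lines:
        ev = parse_line(line)
        if ev and is_suspicious(ev):
            hits.append((ev["src"], ev["dst"], ev["eid"]))
    return hits


# Constructed sample log lines (not real telemetry).
SAMPLE_LOG = [
    # unknown binary opening OneDrive with full rights
    "EventID=10|SourceImage=C:\\Users\\u\\AppData\\Local\\Temp\\loader.exe"
    "|TargetImage=C:\\Users\\u\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"
    "|GrantedAccess=0x1F0FFF",
    # Task Manager querying Chrome with PROCESS_QUERY_LIMITED_INFORMATION only
    "EventID=10|SourceImage=C:\\Windows\\System32\\Taskmgr.exe"
    "|TargetImage=C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"
    "|GrantedAccess=0x1000",
    # Chrome's own child-process handling, same image on both sides
    "EventID=10|SourceImage=C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"
    "|TargetImage=C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"
    "|GrantedAccess=0x1FFFFF",
    # remote thread created in Edge by a downloaded binary
    "EventID=8|SourceImage=C:\\Users\\u\\Downloads\\setup.exe"
    "|TargetImage=C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe",
    # full-rights access to a process that is not on the list
    "EventID=10|SourceImage=C:\\Users\\u\\x.exe"
    "|TargetImage=C:\\Windows\\notepad.exe|GrantedAccess=0x1FFFFF",
]

if __name__ == "__main__":
    for src, dst, eid in scan(SAMPLE_LOG):
        print(f"event {eid}: {src} -> {dst}")
```

Run against the constructed sample, the scan flags the loader-to-OneDrive access and the remote thread into Edge while leaving the query-only, same-image and unlisted-target lines alone; in practice the target list and the access-mask threshold are the two knobs to tune against the baseline of an environment.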

Security Officer Comments:
The latest attacks deployed by MuddyWater have targeted several sectors including municipalities, airlines, travel agencies, and media outlets. While the majority of emails distributing BugSleep were directed at entities residing in Israel, others were aimed at entities in Saudi Arabia, Turkey, India, and Portugal.

The use of phishing emails is a common initial access vector employed by MuddyWater. In the past, MuddyWater used highly customized lures to infect targets of interest. However, the latest attacks observed by Check Point have relied on more generic themes such as webinars and online courses, allowing the group to go after a larger volume of targets. The use of a custom backdoor like BugSleep also marks an interesting development. MuddyWater is known for deploying RMM tools such as Atera Agent and ScreenConnect to maintain access to victim environments. The switch to custom tooling like BugSleep, which is constantly being updated, reflects an effort by the actors to evade detection and maintain a low profile.

Suggested Corrections:
Organizations can make APT groups’ lives more difficult. Here’s how:
  • Defense-in-depth strategy: A comprehensive defense-in-depth strategy is crucial to combat APTs. This includes implementing multiple layers of security controls, such as strong perimeter defenses, network segmentation, endpoint protection, intrusion detection systems, data encryption, access controls, and continuous monitoring for anomalies.
  • Threat intelligence and sharing: Ideally, organizations should actively participate in threat intelligence sharing communities and collaborate with industry peers, government agencies, and security vendors. Sharing information about APTs and their techniques can help detect and mitigate attacks more effectively.
  • Employee education and awareness: Regular security awareness programs, phishing simulations, and training sessions can educate employees about the latest threats, social engineering techniques, and safe computing practices.
  • Incident response and recovery: Despite preventive measures, organizations should have a well-defined incident response plan. This includes incident detection, containment, eradication, and recovery procedures to minimize the impact of APT attacks and restore normal operations.

IOCs:
https://research.checkpoint.com/2024/new-bugsleep-backdoor-deployed-in-recent-muddywater-campaigns/

Link(s):
https://www.bleepingcomputer.com/ne...lware-implant-deployed-in-muddywater-attacks/