Related Families: MuddyRot aka BugSleep
Verticals Targeted: Transportation, Government, Media, Travel
Executive Summary
Iran nexus threat actor group MuddyWater was recently observed using a new backdoor to target entities in the Middle East. Dubbed MuddyRot by Sekoia and BugSleep by Check Point Research, the backdoor appears to indicate a shift in MuddyWater’s TTPs.
Key Takeaways
- Iran nexus threat actor group MuddyWater was recently observed using a new backdoor to target entities in the Middle East.
- Dubbed MuddyRot by Sekoia and BugSleep by Check Point Research, the backdoor appears to indicate a shift in MuddyWater’s TTPs.
- Previously, the group used the legitimate Atera remote monitoring and management (RMM) tool as a validator.
- Additionally, MuddyWater is now embedding malicious links in PDF files, whereas they used to include the malicious links in the phishing emails.
What is MuddyRot?
Iran nexus threat actor group MuddyWater was recently observed using a new backdoor to target entities in the Middle East. Dubbed MuddyRot by Sekoia and BugSleep by Check Point Research, the backdoor appears to indicate a shift in MuddyWater’s TTPs. Activity involving this backdoor was first observed in May targeting entities in multiple countries, including Turkey, Azerbaijan, Jordan, Saudi Arabia, and Israel. Targeted verticals include transportation, government, media, and travel.
The MuddyRot infection chain begins with a phishing email containing a PDF document with a malicious link. The Egnyte file sharing platform is used to deliver the MuddyRot executable. MuddyRot is an x64 backdoor written in C. It allows the threat actors to upload and download files on a compromised machine, launch a reverse shell, maintain persistence, and evade detection. MuddyRot uses a raw TCP socket on port 443 for C2 communications.
According to Sekoia, MuddyRot is evidence of a shift in MuddyWater TTPs. Previously, the group used the legitimate Atera remote monitoring and management (RMM) tool as a validator. Additionally, MuddyWater is now embedding malicious links in PDF files, whereas they used to include the malicious links in the phishing emails. Check Point noted the group has been extremely active in 2024, with over 50 spearphishing emails linked to MuddyWater since February 2024.
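Because MuddyRot talks to its C2 over a raw TCP socket on port 443 rather than TLS, one cheap triage check is to flag 443 flows whose first client bytes are not a TLS ClientHello. The script below is an added illustration, not PolySwarm, Sekoia or Check Point code; the flow records and addresses in it are constructed samples.

```python
"""Flag TCP/443 flows whose first client bytes are not a TLS ClientHello.

Added illustration for the MuddyRot C2 note: the backdoor uses a raw TCP
socket on 443, so a 443 flow that never starts with a TLS handshake record
is worth a closer look. All flows below are constructed, not real captures.
"""
from dataclasses import dataclass

TLS_HANDSHAKE = 0x16   # TLS record content type: Handshake
CLIENT_HELLO = 0x01    # Handshake message type: ClientHello


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    first_bytes: bytes   # first payload bytes sent by the client


def looks_like_tls_client_hello(payload: bytes) -> bool:
    """True if payload starts with a TLS record header carrying a ClientHello."""
    if len(payload) < 6:            # 5-byte record header + handshake type
        return False
    rec_type, major, minor = payload[0], payload[1], payload[2]
    # Record-layer version is 0x03 0x00..0x03 (SSLv3 through TLS 1.2; TLS 1.3
    # also advertises 0x0303 at the record layer).
    if rec_type != TLS_HANDSHAKE or major != 0x03 or minor > 0x03:
        return False
    return payload[5] == CLIENT_HELLO


def suspicious_443_flows(flows):
    """Return flows to port 443 whose first client bytes are not a TLS ClientHello."""
    return [f for f in flows
            if f.dport == 443 and not looks_like_tls_client_hello(f.first_bytes)]


# Constructed sample flows (documentation-range addresses, not real traffic).
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "203.0.113.10", 443, bytes.fromhex("1603010 0c8 01 0000c4".replace(" ", ""))),
    Flow("10.0.0.7", "198.51.100.20", 443, b"\x00\x00\x00\x2a" + b"raw-c2-header"),
    Flow("10.0.0.9", "192.0.2.30", 80, b"GET / HTTP/1.1\r\n"),
]

if __name__ == "__main__":
    for f in suspicious_443_flows(SAMPLE_FLOWS):
        print(f"non-TLS on 443: {f.src} -> {f.dst} first bytes {f.first_bytes[:8]!r}")
```

Legitimate non-TLS services on 443 exist and a backdoor can mimic a TLS record header, so treat hits as leads for triage rather than verdicts.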
Who is MuddyWater?
MuddyWater, also known as Static Kitten, Seedworm, Mango Sandstorm, Boggy Serpens, TA450, and Cobalt Ulster, is an Iran nexus threat actor group active since at least 2017. MuddyWater has historically targeted entities in the Middle East but has been known to target other regions as well. MuddyWater primarily conducts espionage campaigns but has also been known to engage in intellectual property theft and ransomware attacks.
US Cyber Command has linked the group’s activities to Iran’s Ministry of Intelligence and Security (MOIS). Cisco previously assessed that the group is a conglomerate of multiple teams operating independently. MuddyWater TTPs include social engineering, spearphishing, maldocs, use of RMM tools, LoLBins, Small Sieve, PowGoop, Mori backdoor, Covicli backdoor, Canopy/SloughRAT, Empire, Powerstats/Powermud backdoor, and others.
IOCs
PolySwarm has multiple samples of MuddyRot/BugSleep.
You can use the following CLI command to search for all MuddyWater samples in our portal:
$ polyswarm link list -t MuddyWater