Israeli entities spanning academia, engineering, local government, manufacturing, technology, transportation, and utilities sectors have emerged as the target of a new set of attacks undertaken by Iranian nation-state actors that have delivered a previously undocumented backdoor called MuddyViper.
The activity has been attributed by ESET to a hacking group known as MuddyWater (aka Mango Sandstorm or TA450), a cluster assessed to be affiliated with Iran’s Ministry of Intelligence and Security (MOIS). The attacks also singled out one technology company based in Egypt.
The hacking group first came to light in November 2017, when Palo Alto Networks Unit 42 detailed targeted attacks against the Middle East between February and October of that year using a custom backdoor dubbed POWERSTATS. It’s also known for its destructive attacks on Israeli organizations using a Thanos ransomware variant called PowGoop as part of a campaign referred to as Operation Quicksand.
According to data from the Israel National Cyber Directorate (INCD), MuddyWater’s attacks have aimed at the country’s local authorities, civil aviation, tourism, healthcare, telecommunications, information technology, and small and medium-sized enterprises (SMEs).
Typical attack chains involve techniques like spear-phishing and the exploitation of known vulnerabilities in VPN infrastructure to infiltrate networks and deploy legitimate remote management tools – a long-favored approach of MuddyWater. However, at least since May 2024, the phishing campaigns have delivered a backdoor known as BugSleep (aka MuddyRot).
Some of the other notable tools in its arsenal include a Blackout, a remote administration tool (RAT); AnchorRat, a RAT that offers file upload and command execution features; CannonRat, a RAT that can receive commands and transmit information; Neshta, a known file infector virus; and Sad C2, a command-and-control (C2) framework that delivers a loader called TreasureBox, which deploys the BlackPearl RAT for remote control, and a binary known as Pheonix to download payloads from the C2 server.
The cyber espionage group has a track record of striking a wide range of industries, specifically governments and critical infrastructure, using a mix of custom malware and publicly available tools. The latest attack sequence begins, as in previous campaigns, with phishing emails containing PDF attachments that link to legitimate remote desktop tools like Atera, Level, PDQ, and SimpleHelp.
The campaign is marked by the use of a loader named Fooder that’s designed to decrypt and execute the C/C++-based MuddyViper backdoor. Alternatively, the C/C++ loader has also been found to deploy go-socks5 reverse tunneling proxies and an open-source utility called HackBrowserData to collect browser data from several browsers, with the exception of Safari in Apple macOS.
“MuddyViper enables the attackers to collect system information, execute files and shell commands, transfer files, and exfiltrate…
Source link
Disclaimer
We strive to uphold the highest ethical standards in all of our reporting and coverage. We blogs.grocliq.com want to be transparent with our readers about any potential conflicts of interest that may arise in our work. It’s possible that some of the investors we feature may have connections to other businesses, including competitors or companies we write about. However, we want to assure our readers that this will not have any impact on the integrity or impartiality of our reporting. We are committed to delivering accurate, unbiased news and information to our audience, and we will continue to uphold our ethics and principles in all of our work. Thank you for your trust and support.
Website Upgradation is going on for any glitch kindly connect at [email protected]
