New BugSleep Backdoor Found in Recent MuddyWater Campaigns

Two reports document MuddyWater (Iran MOIS) intensifying its activity in Israel since October 2023, using phishing campaigns sent from compromised accounts to drop remote access tools and, more recently, BugSleep, a tailor-made backdoor used against Israeli targets. The campaigns also abuse Egnyte for lure delivery and link sharing, signaling a shift toward higher-volume phishing with English-language content.
#BugSleep #MuddyWater #Egnyte #Atera #ScreenConnect #Israel #MOIS #Iran

Keypoints

  • MuddyWater, an Iranian threat group affiliated with the MOIS, has significantly increased its operations in Israel since Oct 2023, with activity in Saudi Arabia, Turkey, Azerbaijan, India and Portugal as well.
  • The campaigns almost always use phishing from compromised organizational email accounts to deploy tools, typically legitimate Remote Management Tools (RMM) such as Atera Agent or ScreenConnect.
  • They recently deployed a new tailor-made backdoor, BugSleep, aimed at Israeli organizations and capable of executing commands and transferring files to the C&C server.
  • BugSleep exists in multiple versions, showing ongoing development, bug fixes, and iterative improvements to its functionality and persistence.
  • Egnyte is abused to deliver lure content; subdomains and sender identities are crafted to look legitimate and appropriate to the target country (for example, a sender named Khaled Mashal in Saudi-related lures).
  • The BugSleep infection chain includes encrypted configuration data, a mutex plus a scheduled task for persistence, and an in-memory shellcode loader with process-injection and command-execution capabilities.
  • EDR/defense evasion techniques are used, including enabling the MicrosoftSignedOnly and ProhibitDynamicCode process mitigation policies to block loading of images not signed by Microsoft and to prevent dynamic code generation; a loader injects BugSleep into common processes such as msedge.exe and chrome.exe.

MITRE Techniques

  • [T1566.002] Phishing – Spearphishing emails from compromised organizational email accounts leading to payload delivery (RMM like Atera or BugSleep). “phishing campaigns sent from compromised organizational email accounts.”
  • [T1021.001] Remote Services – Use of legitimate RMM tools to deploy payloads. “the phishing campaigns typically lead to the deployment of legitimate Remote Management Tools (RMM) such as Atera Agent and Screen Connect.”
  • [T1041] Exfiltration Over C2 Channel – Transfer files between the compromised machine and the C&C server. “transfer files between the compromised machine and the C&C server.”
  • [T1053.005] Scheduled Task – Persistence by creating a scheduled task that runs the malware every 30 minutes. “the scheduled task, which ensures persistence for BugSleep, runs the malware and is triggered every 30 minutes on a daily basis.”
  • [T1059.003] Windows Command Shell – Command execution via CMD pipe during the infection. “Run commands through cmd pipe until the command ‘terminate’.”
  • [T1055.012] Process Injection – Shellcode loading and execution via WriteProcessMemory and CreateRemoteThread. “injects the shellcode inside the process with the WriteProcessMemory API and invokes the shellcode with the CreateRemoteThread API.”
  • [T1562.001] Impair Defenses – Evasion of security tooling by enabling MicrosoftSignedOnly and ProhibitDynamicCodePolicy. “enable the MicrosoftSignedOnly flag of the ProcessSignaturePolicy structure to prevent the process from loading images that are not signed by Microsoft” and “enable the ProhibitDynamicCode flag to prevent the process from generating dynamic code.”
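The scheduled-task persistence described above (a daily trigger that repeats every 30 minutes and launches the payload) is something a defender can hunt for directly in Task Scheduler XML. The following triage script is an added example written for this summary; it is not code from the Check Point report or from BugSleep. The two task definitions embedded in it are constructed for illustration, and their task names, file names and paths are hypothetical rather than indicators from the report.

```python
"""Triage Task Scheduler definitions for the persistence pattern described
above: a daily calendar trigger that repeats every 30 minutes and launches an
executable from a user-writable directory.

Added example for this summary, not code from the Check Point report or from
BugSleep itself. The two task definitions below are constructed; their task
names, file names and paths are hypothetical.
"""
import re
import xml.etree.ElementTree as ET

# Namespace used by Task Scheduler 2.0 definitions (what `schtasks /query /xml` emits).
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Locations an unprivileged user can write to, compared case-insensitively
# against the start of an action's command path.
USER_WRITABLE_PREFIXES = (
    "c:\\users\\", "c:\\programdata\\",
    "%appdata%", "%localappdata%", "%temp%", "%public%",
)


def iso_duration_minutes(value):
    """Convert an ISO 8601 duration (PT30M, PT1H30M, P1D ...) to minutes; None if unparsable."""
    text = value.strip()
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", text)
    if not m or text in ("P", "PT"):
        return None
    days, hours, minutes, seconds = (int(g) if g else 0 for g in m.groups())
    return days * 1440 + hours * 60 + minutes + seconds / 60


def triage_task_xml(xml_text, max_interval_minutes=30):
    """Return the task URI, a list of observations, and a verdict.

    The verdict is True when some trigger repeats at least every
    `max_interval_minutes` AND an Exec action runs from a user-writable path.
    """
    root = ET.fromstring(xml_text)
    observations = []
    repeats_often = False
    runs_from_user_path = False

    for trigger in root.findall("t:Triggers/*", NS):
        interval = trigger.findtext("t:Repetition/t:Interval", default="", namespaces=NS)
        minutes = iso_duration_minutes(interval) if interval else None
        if minutes is not None and minutes <= max_interval_minutes:
            repeats_often = True
            observations.append(f"trigger repeats every {minutes:g} min")
        if trigger.find("t:ScheduleByDay", NS) is not None:
            observations.append("daily calendar trigger")

    for action in root.findall("t:Actions/t:Exec", NS):
        command = action.findtext("t:Command", default="", namespaces=NS).strip().strip('"')
        if command.lower().startswith(USER_WRITABLE_PREFIXES):
            runs_from_user_path = True
            observations.append(f"action runs from user-writable path: {command}")

    hidden = root.findtext("t:Settings/t:Hidden", default="false", namespaces=NS)
    if hidden.strip().lower() == "true":
        observations.append("task is hidden from the Task Scheduler UI")

    return {
        "uri": root.findtext("t:RegistrationInfo/t:URI", default="?", namespaces=NS),
        "observations": observations,
        "suspicious": repeats_often and runs_from_user_path,
    }


# Constructed sample resembling the persistence pattern: daily trigger with a
# 30-minute repetition, hidden, binary under C:\Users\Public. Hypothetical names.
SUSPICIOUS_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\ExampleUpdater</URI></RegistrationInfo>
  <Triggers>
    <CalendarTrigger>
      <Repetition><Interval>PT30M</Interval><Duration>P1D</Duration></Repetition>
      <StartBoundary>2024-06-01T09:00:00</StartBoundary>
      <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
    </CalendarTrigger>
  </Triggers>
  <Settings><Hidden>true</Hidden></Settings>
  <Actions><Exec><Command>C:\Users\Public\example.exe</Command></Exec></Actions>
</Task>"""

# Constructed benign comparison: once a day from Program Files, no repetition.
BENIGN_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\ExampleVendor\DailyCheck</URI></RegistrationInfo>
  <Triggers>
    <CalendarTrigger>
      <StartBoundary>2024-06-01T03:00:00</StartBoundary>
      <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
    </CalendarTrigger>
  </Triggers>
  <Actions><Exec><Command>"C:\Program Files\ExampleVendor\check.exe"</Command></Exec></Actions>
</Task>"""

if __name__ == "__main__":
    for sample in (SUSPICIOUS_TASK, BENIGN_TASK):
        result = triage_task_xml(sample)
        verdict = "SUSPICIOUS" if result["suspicious"] else "ok"
        print(result["uri"], verdict, result["observations"])
```

Feed it the XML that `schtasks /query /xml` exports (or the task files under %SystemRoot%\System32\Tasks) to sweep a host. The verdict deliberately requires both the short repetition interval and a user-writable launch path, since plenty of legitimate vendor tasks repeat frequently from Program Files; the hidden flag and daily trigger are recorded as context rather than used to decide.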

Indicators of Compromise

  • [Domains] – Egnyte subdomains used in lures: kinneretacil.egnyte[.]com, salary.egnyte[.]com (and additional Egnyte domains in the campaign)
  • [URLs] – Shortened or embedded links used in lures: https://shorturl[.]at/NCxJk, https://shorturl[.]at/bYqUx
  • [IP addresses] – C2 and distribution points: 146.19.143[.]14, 91.235.234[.]202
  • [IP addresses] – Email-sending sources: 89.221.225[.]81, 45.150.108[.]198
  • [Hashes] – BugSleep samples: 73c677dd3b264e7eb80e26e78ac9df1dba30915b5ce3b1bc1c83db52b9c6b30e, 960d4c9e79e751be6cad470e4f8e1d3a2b11f76f47597df8619ae41c96ba5809
  • [Hashes] – RMM MSI variants: 39da7cc7c627ea4c46f75bcec79e5669236e6b43657dcad099e1b9214527670e (and 15+ additional MSI hashes listed in the report)
  • [Archives] – Archive payloads: 424a9c85f97aa1aece9480bd658266c366a60ff1d62c31b87ddc15a1913c10e4, c80c8dd7be3ccf18e327355b880afb5a24d5a0596939458fb13319e05c4d43e9
  • [Files] – Local file checks: C:\users\public\a.txt (created then deleted in one sample)
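The indicators above are defanged for safe publication, so the first step in using them is to refang them and sweep telemetry for matches. The following sweep is an added example written for this summary, not code from the Check Point report; the indicator values are the ones listed above, while the log lines, user names, host names and internal addresses in it are constructed for illustration.

```python
"""Refang the defanged indicators from the list above and sweep constructed
sample telemetry (proxy, firewall and EDR events) for them.

Added example for this summary, not code from the Check Point report. The
indicator values are the ones listed above; the log lines, user names, host
names and 10.0.0.0/8 addresses are constructed placeholders.
"""
import re
from urllib.parse import urlsplit

# Indicators exactly as listed (defanged) in this summary.
DEFANGED_IOCS = {
    "domain": ["kinneretacil.egnyte[.]com", "salary.egnyte[.]com"],
    "url": ["https://shorturl[.]at/NCxJk", "https://shorturl[.]at/bYqUx"],
    "ip": ["146.19.143[.]14", "91.235.234[.]202", "89.221.225[.]81", "45.150.108[.]198"],
    "sha256": [
        "73c677dd3b264e7eb80e26e78ac9df1dba30915b5ce3b1bc1c83db52b9c6b30e",
        "960d4c9e79e751be6cad470e4f8e1d3a2b11f76f47597df8619ae41c96ba5809",
    ],
}

SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b")


def refang(value):
    """Undo common defanging ([.] and (.) -> ., [:] -> :, hxxp -> http); lower-case the result."""
    v = value.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")
    v = re.sub(r"^hxxp", "http", v, flags=re.IGNORECASE)
    return v.lower()


def build_index(iocs):
    """Map each refanged indicator to (kind, original defanged form)."""
    return {refang(v): (kind, v) for kind, values in iocs.items() for v in values}


def candidates(line):
    """Yield every token in a lower-cased log line that is worth looking up."""
    yield from SHA256_RE.findall(line)
    yield from IPV4_RE.findall(line)
    for url in URL_RE.findall(line):
        yield url.rstrip(".,;)")      # full URL, for URL-level indicators
        host = urlsplit(url).hostname
        if host:
            yield host                # host part, for domain indicators
    yield from HOST_RE.findall(line)  # bare hostnames (dst=, query=, ...)


def scan_logs(lines, iocs=DEFANGED_IOCS):
    """Return one hit per (line, indicator) pair; a line can hit several indicators."""
    index = build_index(iocs)
    hits = []
    for number, raw in enumerate(lines, 1):
        seen = set()
        for token in candidates(raw.lower()):
            match = index.get(token)
            if match and match[1] not in seen:
                seen.add(match[1])
                hits.append({"line": number, "kind": match[0], "indicator": match[1]})
    return hits


# Constructed sample events; nothing here comes from a real environment.
SAMPLE_LOGS = [
    "2024-06-03T08:12:41Z proxy user=j.doe dst=kinneretacil.egnyte.com:443 "
    "url=https://kinneretacil.egnyte.com/fl/abc123 action=allow",
    "2024-06-03T08:13:02Z proxy user=j.doe url=https://shorturl.at/NCxJk action=allow",
    "2024-06-03T08:15:12Z edr host=WS-017 event=process_start image=C:\\Users\\Public\\update.exe "
    "sha256=73c677dd3b264e7eb80e26e78ac9df1dba30915b5ce3b1bc1c83db52b9c6b30e",
    "2024-06-03T08:16:00Z fw src=10.0.4.21 dst=146.19.143.14 dport=443 action=allow",
    "2024-06-03T09:00:00Z proxy user=a.roe url=https://www.example.com/ action=allow",
]

if __name__ == "__main__":
    for hit in scan_logs(SAMPLE_LOGS):
        print(f"line {hit['line']}: {hit['kind']} {hit['indicator']}")
```

Matching is done on whole tokens rather than substrings, so `salary.egnyte[.]com` does not fire on every other Egnyte tenant, and the URL indicators only fire on the exact shortened link, not on all of shorturl.at. The hashes and IPs listed as RMM MSI variants and mail-sending sources can be added to the same dictionary as further kinds without changing the scanner.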

Read more: https://research.checkpoint.com/2024/new-bugsleep-backdoor-deployed-in-recent-muddywater-campaigns/