The malware supports several commands that write and run files, establish persistence, delete tasks, and perform other evasion techniques. One analyzed sample used a custom loader that injects shellcode to deliver BugSleep in memory into specific processes: msedge.exe, opera.exe, chrome.exe, anydesk.exe, onedrive.exe, and powershell.exe, depending on which of them are already running.

Cyberattacks using this new malware target a wide range of global entities, with a particular focus on Israeli and Saudi Arabian targets. This Iranian threat group is highly active and has historically targeted various industry sectors worldwide, including telecommunications, government, IT services, and oil industry organizations. Over time, it has expanded its cyber-espionage operations to focus on governmental and defense institutions in Central and Southwest Asia, along with businesses in North America and Europe. Although MuddyWater is currently targeting Israel, the group often reuses newly developed and successfully tested malware to attack Western countries and Israeli allies.
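A defender can turn the injection-target list above into a simple detection. The following is an added example, not code from the advisory or from any vendor: it assumes Sysmon-style Event ID 8 (CreateRemoteThread) records with SourceImage and TargetImage fields, and flags any non-allow-listed process creating a remote thread inside one of the processes the loader is reported to inject into. The allow-list and the sample events are constructed.

```python
from typing import Iterable

# Process names the advisory lists as injection targets for the BugSleep loader
BUGSLEEP_TARGETS = {"msedge.exe", "opera.exe", "chrome.exe",
                    "anydesk.exe", "onedrive.exe", "powershell.exe"}

# Hypothetical allow-list of sources that legitimately create remote threads
# in those processes (e.g. an EDR agent); tune per environment.
EXPECTED_SOURCES = {"csrss.exe"}


def image_name(path: str) -> str:
    """Return the lower-cased file name of a Windows image path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_suspicious_remote_thread(event: dict) -> bool:
    """True when a process outside the allow-list creates a thread in a
    process that the BugSleep loader is reported to inject into."""
    if event.get("EventID") != 8:          # only CreateRemoteThread events
        return False
    src = image_name(event["SourceImage"])
    dst = image_name(event["TargetImage"])
    if dst not in BUGSLEEP_TARGETS:
        return False
    if src == dst or src in EXPECTED_SOURCES:   # self-threads and allow-list
        return False
    return True


def find_suspicious(events: Iterable[dict]) -> list:
    """Filter a stream of events down to the suspicious remote-thread ones."""
    return [e for e in events if is_suspicious_remote_thread(e)]


# Constructed sample telemetry (not real logs); only the first should fire
SAMPLE_EVENTS = [
    {"EventID": 8, "SourceImage": r"C:\Users\u\AppData\Local\Temp\stage.exe",
     "TargetImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
    {"EventID": 8, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"EventID": 8, "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe"},
    {"EventID": 1, "SourceImage": r"C:\Users\u\stage.exe",
     "TargetImage": r"C:\Program Files\Microsoft\Edge\Application\msedge.exe"},
]

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_EVENTS):
        print("suspicious remote thread:", hit["SourceImage"], "->", hit["TargetImage"])
```

Remote-thread creation into a browser or remote-access process by an unexpected binary is worth an alert on its own; correlate it with the persistence and task-deletion commands described above to confirm.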
Recommendations
- Avoid clicking links, responding to, or otherwise acting on unsolicited text messages or emails.
- Use strong, unique passwords for all accounts and enable multi-factor authentication (MFA) where available, choosing authentication apps or hardware tokens over SMS text-based codes.
- Keep systems up to date and apply patches after appropriate testing.
- Utilize monitoring and detection solutions to identify suspicious login attempts and user behavior.
- Implement email filtering solutions, such as spam filters, to help block malicious messages.
- Employ a comprehensive data backup plan and ensure operational technology (OT) environments are segmented from the information technology (IT) environments.
- Cyber incidents can be reported to the FBI IC3 and the NJCCIC.
