- Iran-aligned group targets Israeli, Egyptian infrastructure
- The group’s previous attacks have been loud and easy to detect.
- New techniques and malware have been implemented.
An Iran-aligned hacking group, known as ‘MuddyWater’, has dramatically changed tactics in attacks against critical Israeli and Egyptian infrastructure.
The group’s previous campaigns, observed by ESET Research, were characteristically noisy in their tactics, techniques and procedures (TTPs), making them easily detectable.
However, the group has begun employing a new backdoor implemented through the Fooder loader, which is often disguised as the classic Snake game.
MuddyVipers, snakes and ladders.
The attacks have generally targeted the Israeli telecommunications, government, and oil and energy sectors. In this campaign, MuddyWater began by distributing phishing emails with PDF attachments that linked to free remote monitoring and management (RMM) software, with the installation files hosted on OneHub, Egnyte, Mega, and other free file hosting services.
Instead of installing legitimate RMM software, the files install loaders through which attackers can implement backdoors. In the attacks observed by ESET, a newly identified loader known as Fooder implements the MuddyViper backdoor.
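As an added defender-side illustration (not ESET’s code or published indicators), the check below scans constructed proxy-log lines for successful installer downloads from the free file-hosting services named above; the log format and the domain suffixes are assumptions made for this example.

```python
import re
from urllib.parse import urlparse

# Hosting services named in the ESET summary. The domain suffixes are an
# assumption for this example, not indicators published by ESET.
FILE_HOSTING_SUFFIXES = ("onehub.com", "egnyte.com", "mega.nz")
INSTALLER_EXTENSIONS = (".exe", ".msi")

# Constructed proxy log format: "<timestamp> <user> <method> <url> <status> <bytes>"
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) (\d+)$")


def host_matches(host, suffixes):
    """True if host is exactly a suffix or a subdomain of it (no substring matches)."""
    host = host.lower()
    return any(host == s or host.endswith("." + s) for s in suffixes)


def flag_installer_downloads(lines):
    """Return (user, url) for successful installer downloads from free file hosts."""
    flagged = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the constructed format
        _ts, user, method, url, status, _nbytes = m.groups()
        if method != "GET" or status != "200":
            continue  # only completed downloads are of interest
        parsed = urlparse(url)
        if host_matches(parsed.hostname or "", FILE_HOSTING_SUFFIXES) \
                and parsed.path.lower().endswith(INSTALLER_EXTENSIONS):
            flagged.append((user, url))
    return flagged


# Constructed sample log lines (not real telemetry)
SAMPLE_LOG = [
    "2024-06-03T09:14:02Z alice GET https://www.example.org/index.html 200 5120",
    "2024-06-03T09:15:40Z bob GET https://files.onehub.com/dl/RemoteSupportSetup.exe 200 9388032",
    "2024-06-03T09:16:01Z bob GET https://mega.nz/file/abc123/agent.msi 200 4120000",
    "2024-06-03T09:17:22Z carol GET https://mega.nz/file/xyz/report.pdf 200 210000",
    "2024-06-03T09:18:05Z dave GET https://egnyte.com/installer.exe 403 0",
]

if __name__ == "__main__":
    for user, url in flag_installer_downloads(SAMPLE_LOG):
        print(f"review: {user} fetched an installer from a file-hosting service: {url}")
```

Hits should be triaged against the organisation’s approved RMM tooling rather than blocked outright, since legitimate staff also pull installers from these services.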
Fooder has a unique feature: it often poses as the Snake game. This technique is more than just a disguise, as Snake’s core logic provides the loader with a custom delay function, allowing it to hide its true function from analysis.
The MuddyViper backdoor had also not been observed previously. Written in C/C++, MuddyViper is capable of collecting system information, downloading and uploading files, executing files and shell commands, and stealing Windows credentials and browser data by displaying a fake Windows security dialog.
The MuddyWater campaign targeted 17 organizations in Israel across a variety of sectors including engineering, local government, manufacturing, technology, transportation, public services and universities. The group also targeted an Egyptian technology sector organization.
For more information on the MuddyWater campaign, as well as indicators of compromise, take a look at ESET’s research ‘MuddyWater: Snakes by the riverbank’.