New Bugsleep Backdoor Deployed In Recent Muddywater Campaigns


MuddyWater, an Iranian threat group affiliated with the Ministry of Intelligence and Security (MOIS), is known to be active since at least 2017.

During the last year, MuddyWater engaged in widespread phishing campaigns targeting the Middle East, with a particular focus on Israel. Since October 2023, the actors’ activities have increased significantly. Their methods remain consistent, utilizing phishing campaigns sent from compromised email accounts targeting a wide array of organizations in countries of interest. These campaigns typically lead to the deployment of legitimate Remote Management Tools (RMM) such as Atera Agent or Screen Connect. Recently, however, they have deployed a custom backdoor Check Point researchers track as BugSleep.

Read more…
Source: Check Point


Sign up for our Newsletter


Related:

  • Operation Giant Financial Storm Under Circuit Breaker Orders

    August 2, 2024

    Since 2022, the BerBeroka group has been mentioned in every annual report released by the QiAnXin Threat Intelligence Center. The group was disclosed by QiAnXin friendly company Trend Micro. QiAnXin researchers have continued to track it under this name after merging internal groups. In fact, BerBeroka is the same as group such as DRBControl and TAG33 . ...

  • Fighting Ursa Luring Targets With Car for Sale

    August 2, 2024

    A Russian threat actor Palo Alto Unit 42 track as Fighting Ursa advertised a car for sale as a lure to distribute HeadLace backdoor malware. The campaign likely targeted diplomats and began as early as March 2024. Fighting Ursa (aka APT28, Fancy Bear and Sofacy) has been associated with Russian military intelligence and classified as an ...

  • Onyx Sleet uses array of malware to gather intelligence for North Korea

    July 25, 2024

    On July 25, 2024, the United States Department of Justice (DOJ) indicted an individual linked to the North Korean threat actor that Microsoft tracks as Onyx Sleet. Microsoft Threat Intelligence collaborated with the Federal Bureau of Investigation (FBI) in tracking activity associated with Onyx Sleet. Microsoft will continue to closely monitor Onyx Sleet’s activity to assess ...

  • APT41 Has Arisen From the DUST

    July 18, 2024

    Recently, Mandiant became aware of an APT41 intrusion where the malicious actor deployed a combination of ANTSWORD and BLUEBEAM web shells for persistence. These web shells were identified on a Tomcat Apache Manager server and active since at least 2023. APT41 utilized these web shells to execute certutil.exe to download the DUSTPAN dropper to stealthily load ...

  • New Bugsleep Backdoor Deployed In Recent Muddywater Campaigns

    July 15, 2024

    MuddyWater, an Iranian threat group affiliated with the Ministry of Intelligence and Security (MOIS), is known to be active since at least 2017. During the last year, MuddyWater engaged in widespread phishing campaigns targeting the Middle East, with a particular focus on Israel. Since October 2023, the actors’ activities have increased significantly. Their methods remain consistent, ...

  • CVE-2024-38112: Void Banshee Targets Windows Users Through Zombie Internet Explorer in Zero-Day Attacks

    July 15, 2024

    Trend Micro Zero Day Initiative (ZDI) discovered the MHTML remote code execution (RCE) vulnerability CVE-2024-38112. Trend Micro researchers immediately alerted Microsoft of this vulnerability being used in–the-wild as ZDI-CAN-24433. CVE-2024-38112 was used as part of an attack chain by the advanced persistent threat (APT) group Void Banshee, which targets North American, European, and Southeast Asian regions ...