The Iranian-backed MuddyWatter hacking group has partially switched to using a new custom-tailored malware implant to steal files and run commands on compromised systems.

Dubbed BugSleep, this new backdoor is still actively being developed and was discovered by analysts at Check Point Research while being distributed via well-crafted phishing lures.

The campaign pushes the malware via phishing emails disguised as invitations to webinars or online courses. The emails redirect the targets to archives containing malicious payloads hosted on the Egnyte secure file-sharing platform.

Some versions found in the wild also come with a custom malware loader designed to inject it into the active processes of a handful of apps, including Microsoft Edge, Google Chrome, AnyDesk, Microsoft OneDrive, PowerShell, and Opera.

"We discovered several versions of the malware being distributed, with differences between each version showing improvements and bug fixes (and sometimes creating new bugs)," Check Point said. "These updates, occurring within short intervals between samples, suggest a trial-and-error approach."

With the switch to BugSleep, MuddyWatter has switched from exclusively using legitimate Remote Management Tools (RMM) like Atera Agent and Screen Connect to maintain access to victims' networks.

Attacks using this new malware focus on a wide range of targets worldwide, from government organizations and municipalities to airlines and media outlets, with targeting Israel and some in Turkey, Saudi Arabia, India, and Portugal.

​Exposed as Iranian intelligence agency hackers

MuddyWatter (also tracked as Earth Vetala, MERCURY, Static Kitten, and Seedworm) was first seen in 2017. It is known for mainly targeting Middle Eastern entities (with a focus on Israeli targets) and continually upgrading its arsenal.

Although relatively new compared to other state-backed hacking groups, this Iranian threat group is highly active and targets many industry sectors, including telecommunications, government (IT services), and oil industry organizations.

Since it surfaced, it has slowly expanded its attacks to cyber-espionage campaigns against government and defense entities in Central and Southwest Asia, as well as organizations from North America, Europe, and Asia [1, 2, 3].

In January 2022, the U.S. Cyber Command (USCYBERCOM) officially linked MuddyWatter to Iran's Ministry of Intelligence and Security (MOIS), the country's leading government intelligence agency.

One month later, U.S. and U.K. cybersecurity and law enforcement agencies exposed additional MuddyWater malware, a new Python backdoor dubbed Small Sieve deployed to maintain persistence and evade detection in compromised networks.