- Iran-aligned group targets Israeli, Egyptian infrastructure
- The group’s previous attacks have been loud and easy to detect
- New techniques and malware have been deployed
An Iran-aligned hacker group known as “MuddyWater” has dramatically changed tactics in its attacks on Israeli and Egyptian critical infrastructure.
The group’s previous campaigns, observed by ESET Research, relied on noisy tactics, techniques and procedures (TTPs), which made them easy to detect.
However, the group has started using a new backdoor deployed via the Fooder loader, which often disguises itself as a classic Snake game.
MuddyVipers, Snakes and Ladders
Attacks have generally targeted Israel’s telecommunications, government, and oil and energy sectors. In this campaign, MuddyWater began by distributing spearphishing emails containing PDF attachments linking to free remote monitoring and management (RMM) software, with the installation files hosted on OneHub, Egnyte, Mega and other free file hosting services.
Rather than installing legitimate RMM software, the files install loaders through which attackers can deploy backdoors. In the attacks observed by ESET, a newly identified loader known as Fooder deploys the MuddyViper backdoor.
Fooder has a distinctive characteristic: it often impersonates the Snake game. This is more than a disguise. The game’s core logic doubles as a custom delay routine, which helps the loader conceal its true purpose from analysis.
The MuddyViper backdoor was also previously undocumented. Written in C/C++, MuddyViper can collect system information, upload and download files, execute files and shell commands, and steal Windows credentials and browser data by displaying a fake Windows security dialog box.
The MuddyWater campaign targeted 17 organizations in Israel across various sectors, including engineering, local government, manufacturing, technology, transportation, utilities and academia. The group also targeted an Egyptian organization in the technology sector.
For a better overview of the MuddyWater campaign, as well as indicators of compromise, take a look at ESET’s study ‘MuddyWater: Snakes on the River’.