- An Iranian-aligned group is targeting Israeli and Egyptian infrastructure
- The group’s previous attacks have been noisy and easy to detect
- New techniques and malware have been implemented
An Iranian-aligned hacker group tracked as ‘MuddyWater’ has dramatically changed tactics in attacks against Israeli and Egyptian critical infrastructure.
Previous campaigns by the group, observed by ESET Research, were characteristically noisy in their tactics, techniques and procedures (TTPs), making them easy to track.
However, the group has started using a new backdoor implemented via the Fooder loader, which often masquerades as the classic Snake game.
MuddyVipers, snakes and ladders
The attacks have typically targeted Israel’s telecommunications, government, and oil and energy sectors. In this campaign, MuddyWater began distributing spearphishing emails with PDF attachments linking to free remote monitoring and management (RMM) software, with the installation files hosted on OneHub, Egnyte, Mega and other free file hosting services.
Rather than installing legitimate RMM software, the files install loaders through which the attackers can deploy backdoors. In the attacks observed by ESET, a newly identified loader known as Fooder delivers the MuddyViper backdoor.
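The delivery chain described above (a phishing link to an "RMM installer" hosted on a free file-sharing service) is something a defender can look for in web proxy logs. The following is an added detection sketch, not code from ESET or from the article: it flags successful downloads of installer-like files from the hosting services the article names. The hostnames (onehub.com, egnyte.com, mega.nz), the log format and the sample log lines are assumptions and constructed data, not indicators published by ESET.

```python
"""
Added detection sketch: flag proxy-log downloads of installer-like files
from free file-hosting services, the delivery path the article describes.
Hostnames, log format and sample lines are assumed/constructed, not IoCs.
"""
import re
from urllib.parse import urlparse

# Assumed hostnames for the services named in the article (not from ESET's IoC list).
FILE_HOSTING_DOMAINS = {
    "onehub.com": "OneHub",
    "egnyte.com": "Egnyte",
    "mega.nz": "Mega",
}

# File types an "RMM installer" link would plausibly deliver.
INSTALLER_EXTENSIONS = (".exe", ".msi", ".zip", ".rar", ".7z")

# Constructed proxy log format: "<timestamp> <user> <method> <url> <status> <bytes>"
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) (\d+)$")


def _hosting_service(hostname):
    """Return the service name if hostname is one of (or a subdomain of) the watched domains."""
    host = hostname.lower()
    for domain, name in FILE_HOSTING_DOMAINS.items():
        if host == domain or host.endswith("." + domain):
            return name
    return None


def parse_line(line):
    """Parse one proxy log line into a dict, or return None if it does not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, user, method, url, status, size = m.groups()
    return {"ts": ts, "user": user, "method": method, "url": url,
            "status": int(status), "bytes": int(size)}


def flag_hosting_downloads(lines):
    """Return events where a GET of an installer-like file from a watched host succeeded (2xx)."""
    flagged = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "GET" or not 200 <= rec["status"] < 300:
            continue
        parsed = urlparse(rec["url"])
        service = _hosting_service(parsed.hostname or "")
        if service is None:
            continue
        path = parsed.path.lower()
        if not path.endswith(INSTALLER_EXTENSIONS):
            continue
        rec["service"] = service
        rec["filename"] = path.rsplit("/", 1)[-1]
        flagged.append(rec)
    return flagged


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    "2024-01-01T09:00:01Z alice GET https://www.example.org/index.html 200 5120",
    "2024-01-01T09:02:14Z bob GET https://ws.onehub.com/files/abc123/RMM_Setup.exe 200 4194304",
    "2024-01-01T09:03:30Z carol GET https://mega.nz/file/XYZ/support_tool.msi 200 2097152",
    "2024-01-01T09:04:02Z dave GET https://mega.nz/file/XYZ/report.pdf 200 10240",
    "2024-01-01T09:05:45Z erin GET https://acme.egnyte.com/dl/remote_agent.zip 404 0",
    "not a log line",
]

if __name__ == "__main__":
    for hit in flag_hosting_downloads(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['user']} downloaded {hit['filename']} from {hit['service']}")
```

On the constructed sample, only the two successful downloads of an .exe and an .msi from watched hosts are flagged; the PDF and the failed (404) request are not. In a real deployment the alert would be a starting point for triage (who clicked, whether the file was executed, whether an unapproved RMM tool appeared on the host), not a verdict on its own.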
Fooder has a unique feature – it often masquerades as the Snake game. This technique is more than just a disguise, as Snake’s core logic provides the loader with a custom delay function that allows it to hide its true function from analysis.
The MuddyViper backdoor is also previously unobserved. Written in the C/C++ programming language, MuddyViper is capable of collecting system information, downloading and uploading files, executing files and shell commands, and stealing Windows credentials and browser data by displaying a fake Windows security dialog.
The MuddyWater campaign targeted 17 organizations in Israel across a range of sectors including engineering, local government, manufacturing, technology, transport, utilities and universities. The group also targeted an Egyptian organization in the technology sector.
For greater insight into the MuddyWater campaign as well as indicators of compromise, take a look at ESET’s ‘MuddyWater: Snakes by the riverbank’ research.