Full Report
Israeli entities spanning academia, engineering, local government, manufacturing, technology, transportation, and utilities sectors have emerged as the target of a new set of attacks undertaken by Iranian nation-state actors that have delivered a previously undocumented backdoor called MuddyViper. The activity has been attributed by ESET to a hacking group known as MuddyWater (aka Mango
Analysis Summary
# Threat Actor: MuddyWater (aka Mango Sandstorm, TA450)
## Attribution & Identity
* **Attribution:** Iranian nation-state actors, assessed to be affiliated with Iran's Ministry of Intelligence and Security (MOIS).
* **Known Aliases:** Mango Sandstorm, TA450.
## Activity Summary
Recent activity involves a targeted campaign against Israeli entities delivering a previously undocumented backdoor named **MuddyViper**. This campaign follows a history of targeting governments and critical infrastructure in the Middle East. Previous activity includes using a Thanos ransomware variant called PowGoop in **Operation Quicksand** against Israeli organizations.
## Tactics, Techniques & Procedures
* **Initial Access:** Employing spear-phishing emails often containing PDF attachments that link to legitimate remote desktop tools (Atera, Level, PDQ, SimpleHelp). They also exploit known vulnerabilities in VPN infrastructure for infiltration.
* **Execution & Persistence:** Using a loader named **Fooder** (which incorporates delayed execution and impersonates the Snake game) to decrypt and execute the C/C++-based **MuddyViper** backdoor.
* **Lateral Movement/Control:** MuddyViper supports 20 commands for covert access, including system information collection, file execution/transfer, and credential exfiltration.
* **Defense Evasion:** Fooder variants incorporate delayed execution to avoid detection.
* **Data Staging/Exfiltration:** Utilizing **HackBrowserData** to collect browser data from multiple browsers (excluding Safari on macOS). They also use reverse tunneling proxies (**go-socks5**).
## Targeting
* **Sectors:** Academia, engineering, local government, manufacturing, technology, transportation, and utilities sectors.
* **Geography:** Primarily Israel; one technology company in Egypt was also targeted.
* **Victims (General):** Israeli local authorities, civil aviation, tourism, healthcare, telecommunications, information technology, and Small and Medium-sized Enterprises (SMEs).
## Tools & Infrastructure
* **Malware Families Used (Recent):** MuddyViper (new backdoor), Fooder (loader), go-socks5 (reverse tunneling proxy), HackBrowserData (browser data stealer), CE-Notes (browser-data stealer).
* **Malware Families Used (Historical/Associated):** POWERSTATS (custom backdoor), PowGoop (Thanos ransomware variant), BugSleep (aka MuddyRot), Blackout (RAT), AnchorRat (RAT), CannonRat (RAT), Neshta (file infector virus), Sad C2 (C2 framework), TreasureBox (loader), BlackPearl (RAT), Phoenix.
* **Infrastructure:** Documented abuse of legitimate remote management tools (Atera, Level, PDQ, SimpleHelp) to maintain remote access after infiltration, blending in with ordinary administration traffic.
## Implications
MuddyWater maintains a persistent, state-sponsored cyber espionage capability focused on high-value regional targets, including critical infrastructure and government bodies, utilizing a mix of custom backdoors and legitimate software to maintain long-term, covert access. The deployment of the new MuddyViper backdoor indicates continued development of custom capabilities.
## Mitigations
* **Defense against Phishing:** Implement robust email gateway filtering and user awareness training focusing on recognizing spear-phishing lures involving PDF attachments or links to remote desktop software.
* **Vulnerability Management:** Prioritize patching known vulnerabilities, particularly in VPN infrastructure, to prevent initial network infiltration.
* **Endpoint Detection:** Monitor for the execution of the **Fooder** loader, especially processes masquerading as legitimate applications (like the Snake game or service impersonations like Veeam/OneDrive).
* **Network Monitoring:** Monitor for unusual outbound connections associated with reverse tunneling proxies like **go-socks5** and the use of utilities like **HackBrowserData**.
* **Defense against Post-Exploitation:** Implement strict controls over the execution of legitimate remote management tools. Monitor for system information collection and the exfiltration of Windows login credentials and browser data via MuddyViper.
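As an added illustration of the endpoint checks above (example code written for this summary, not part of the ESET report or its tooling), the following Python triage walks constructed process-creation events and flags two things the report calls out: remote management agents (Atera, Level, PDQ, SimpleHelp) running on hosts not approved for them, and processes that borrow the Veeam or OneDrive name while running outside the directory a genuine install would use. Binary names, install directories, host names and the events themselves are assumptions made for the example.

```python
"""Triage of constructed process-creation events against MuddyWater TTPs.

All binary names, install-directory fragments, host names and events below are
constructed for this example; they are not indicators from the ESET report.
"""
import ntpath

# Executable names assumed for the four RMM tools named in the report.
RMM_EXE = {"ateraagent.exe", "level.exe", "pdqdeploy.exe", "simplehelp.exe"}
# Hosts where running an RMM agent is expected (assumed allowlist).
RMM_APPROVED_HOSTS = {"it-admin-01"}

# Brands the report says Fooder impersonates, mapped to a directory fragment a
# genuine install is assumed to run from (simplified for the example).
IMPERSONATED = {
    "veeam": "\\veeam\\",
    "onedrive": "\\microsoft\\onedrive\\",
}

# Constructed sample events: (host, full image path of the started process).
SAMPLE_EVENTS = [
    {"host": "it-admin-01", "image": r"C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exe"},
    {"host": "eng-ws-17", "image": r"C:\Users\dana\AppData\Local\Temp\SimpleHelp.exe"},
    {"host": "eng-ws-17", "image": r"C:\Users\dana\AppData\Roaming\OneDrive.exe"},
    {"host": "fileserver-02", "image": r"C:\Program Files\Veeam\Backup and Replication\Backup\Veeam.Backup.Service.exe"},
    {"host": "eng-ws-17", "image": r"C:\Users\dana\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
]


def triage(events):
    """Return (host, image_name, finding) tuples for events that match a rule."""
    findings = []
    for ev in events:
        directory, name = ntpath.split(ev["image"].lower())
        directory += "\\"  # make the fragment match work at the path's end
        # Rule 1: an RMM agent started on a host not approved to run one.
        if name in RMM_EXE and ev["host"] not in RMM_APPROVED_HOSTS:
            findings.append((ev["host"], name, "rmm-tool-on-unapproved-host"))
        # Rule 2: a Veeam/OneDrive-named binary outside its expected directory.
        for brand, expected_dir in IMPERSONATED.items():
            if brand in name and expected_dir not in directory:
                findings.append((ev["host"], name, f"{brand}-masquerade"))
    return findings


if __name__ == "__main__":
    for host, name, finding in triage(SAMPLE_EVENTS):
        print(f"{host}: {name} -> {finding}")
```

In a real deployment the allowlist and expected directories come from the estate's software inventory, and the rules would be fed by the EDR or Sysmon process-creation stream rather than an inline list.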