New Backdoor BugSleep Discovered: MuddyWater Targets Israel in Intensified Cyber Campaign
Researchers at Check Point have reported that the Iranian hacker group MuddyWater has intensified its attacks on Israel, utilizing a previously undocumented backdoor called BugSleep.
MuddyWater typically runs its phishing campaigns from compromised corporate email accounts; the lures lead victims to install legitimate remote management tools such as Atera Agent and ScreenConnect, which then give the attackers interactive access without custom malware.
Check Point has been monitoring MuddyWater's activities since 2019 and reports that the group's attacks on Israel have increased significantly since October 2023. Alongside the phishing campaigns that install remote management tools, the group has recently begun deploying the new BugSleep backdoor, specifically against Israeli organizations.
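Because the initial-access technique described above abuses legitimate remote management software, the most useful detection is not a malware signature but an inventory check: an RMM agent appearing on a host where it is not expected, especially when launched from a mail client or browser. The following is an added example (not Check Point's code) that applies that check to a constructed, simplified Sysmon-style process-creation log; the indicator strings for Atera Agent and ScreenConnect and the authorized-host inventory are assumptions.

```python
"""Flag unauthorized remote management (RMM) agent installs in process-creation logs.

Added example, not Check Point's code. The event shape is a simplified, constructed
Sysmon Event ID 1 (process creation) record; the indicator strings are assumptions
based on the tools' public binary and installer names, and the authorized-host
inventory is invented for the example.
"""
import json
import re

# Assumed indicator patterns, matched against the lower-cased image path and command line.
RMM_INDICATORS = {
    "AteraAgent": [r"ateraagent", r"agentpackage", r"atera\.com"],
    "ScreenConnect": [r"screenconnect", r"connectwisecontrol"],
}

# Assumed inventory: hosts on which each RMM tool is expected (empty set = never expected).
AUTHORIZED_HOSTS = {
    "AteraAgent": {"it-admin-01"},
    "ScreenConnect": set(),
}

# Parent processes that suggest a user-initiated launch from mail or a browser (the phishing path).
USER_INITIATED_PARENTS = {"outlook.exe", "chrome.exe", "msedge.exe", "firefox.exe", "explorer.exe"}

# Constructed sample events, one JSON object per line.
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    {"host": "fin-ws-07", "user": "CORP\\jdoe",
     "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r'msiexec /i "C:\Users\jdoe\Downloads\AgentPackage_setup.msi" /qn',
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"},
    {"host": "it-admin-01", "user": "CORP\\svc_rmm",
     "image": r"C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exe",
     "cmdline": "AteraAgent.exe",
     "parent_image": r"C:\Windows\System32\services.exe"},
    {"host": "hr-ws-12", "user": "CORP\\asmith",
     "image": r"C:\Users\asmith\AppData\Local\Temp\ScreenConnect.ClientSetup.exe",
     "cmdline": "ScreenConnect.ClientSetup.exe /silent",
     "parent_image": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
    {"host": "hr-ws-12", "user": "CORP\\asmith",
     "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe",
     "parent_image": r"C:\Windows\explorer.exe"},
])


def classify_rmm(event):
    """Return the RMM tool name an event refers to, or None if it matches no indicator."""
    haystack = (event.get("image", "") + " " + event.get("cmdline", "")).lower()
    for name, patterns in RMM_INDICATORS.items():
        if any(re.search(p, haystack) for p in patterns):
            return name
    return None


def find_unauthorized_rmm(log_text):
    """Return alerts for RMM activity on hosts where that tool is not authorized.

    Severity is raised to 'high' when the parent process is a mail client or browser,
    which is the launch path a phishing lure produces; a service-launched agent on an
    inventoried host is suppressed entirely.
    """
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        rmm = classify_rmm(event)
        if rmm is None or event["host"] in AUTHORIZED_HOSTS.get(rmm, set()):
            continue
        parent = event.get("parent_image", "").lower().rsplit("\\", 1)[-1]
        alerts.append({
            "host": event["host"],
            "user": event["user"],
            "rmm": rmm,
            "parent": parent,
            "severity": "high" if parent in USER_INITIATED_PARENTS else "medium",
        })
    return alerts


if __name__ == "__main__":
    for alert in find_unauthorized_rmm(SAMPLE_LOG):
        print(f"[{alert['severity']}] {alert['rmm']} on {alert['host']} "
              f"by {alert['user']} (parent: {alert['parent']})")
```

The allowlist is per tool rather than a single boolean because an organization that legitimately uses Atera on its IT hosts still has no reason to see ScreenConnect anywhere; the second event in the sample is suppressed for exactly that reason, while the silent installs launched from Outlook and Chrome are flagged at high severity.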
BugSleep was first seen in phishing lures in May of this year. Check Point researchers recovered multiple versions of the malware, and the differences between them are mostly added functionality and bug fixes, which indicates the backdoor is still under active development and is being iterated on while already deployed against targets.
The campaigns identified by the experts target various sectors, including government agencies, travel agencies, and journalists. The primary focus of the hackers is on Israeli companies, but organizations in Turkey, Saudi Arabia, India, and Portugal have also been attacked.
Since February of this year, Check Point specialists have recorded over 50 phishing emails targeting more than 10 sectors, including municipalities, journalists, and healthcare. The latest attack was directed at Saudi and Israeli organizations: the former aimed at deploying a remote management tool, while the latter focused on the BugSleep backdoor.
The campaigns examined by the researchers reflect MuddyWater's standing interests in sectors such as airlines and the media. The lures have become simpler since the group's early operations and have recently started to carry the group's own malware. By shifting to more generic lures and writing more of them in English, the group can run a larger volume of attacks in place of narrowly tailored ones, which also makes the lures harder for recipients to distinguish from ordinary business email.
The campaign illustrates how a group can change tactics, introduce new malware, and widen its target geography within a single year, which is why threat intelligence has to be refreshed continuously and shared across borders.
Organizations in the sectors and countries named above should treat any unexpected installation of remote management tools such as Atera Agent or ScreenConnect as a likely phishing indicator, train employees on the simpler, English-language lures now in use, keep security tooling current, and share indicators with peers and national CERTs.