Suspected Iranian state hackers use new malware to target Israeli organizations
A new campaign by the suspected Iranian state hacking group MuddyWater is targeting organizations in Israel and across the Middle East with a previously unseen custom backdoor, according to new research.
The new malware variant, discovered in May, was analyzed by researchers at Check Point, who dubbed it BugSleep, as well as researchers at Sekoia, who called it MuddyRot.
According to Check Point, which has headquarters in Tel Aviv, the new tool is still under development: Some of the samples collected for analysis contained bugs, and parts of the code were poorly written. However, the threat actor “is continuously improving BugSleep's functionality and addressing bugs,” researchers said in a report Monday.
In a recent campaign, MuddyWater reportedly used BugSleep against unnamed organizations in Israel — one of the group’s most frequent targets. It is also likely that the hackers targeted other countries, including Azerbaijan, as evidenced by the phishing emails they used.
MuddyWater is affiliated with Iran’s Ministry of Intelligence and Security and has been active since at least 2017. The group has previously targeted government entities, municipalities, media outlets, and travel agencies in Israel, Turkey, Saudi Arabia, India, and Portugal.
The deployment of BugSleep allows hackers to remotely execute commands on the compromised system and transfer files between the infected device and the attacker's servers.
According to Check Point, BugSleep was likely created to partially replace the group’s reliance on legitimate remote management (RMM) tools, which it previously deployed on its victims’ devices.
“It is likely that the increased monitoring of RMM tools by security vendors, following their rise in abuse by malicious threat actors, has influenced this change,” Sekoia said in its own report Monday.
Researchers noticed other changes in the group’s tactics during the latest campaigns.
Previously, MuddyWater mostly used tailored malicious emails sent to dozens of targets in the same sector. Lately, however, the group has shifted to “generic-themed, yet well-crafted phishing lures,” according to Check Point, such as invitations to online courses and websites, as in the case of Azerbaijan.
“This approach allows them to reuse the same lure across different targets and regions,” Check Point researchers added.
Another change, according to Sekoia, is that the hackers seem to have started embedding the malicious links in PDF files instead of emails. Their previous phishing lures included a link to an online storage service hosting a malicious ZIP archive, which contained the remote monitoring and management software.
Since the beginning of the Israel-Hamas war in October 2023, MuddyWater has significantly increased its activities in Israel and other countries, researchers said.
Overall, Check Point said that since February 2024 it has identified over 50 spearphishing emails linked to MuddyWater, which targeted more than 10 sectors and were sent to hundreds of recipients.
Daryna Antoniuk is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.