Hackers disguise malware as cult game ‘Snake’

December 2, 2025

Hackers disguise their malicious code as the game “Snake” (Image: ESET)

Iranian hacker group ‘MuddyWater’ attacks critical infrastructure in Israel and Egypt

Researchers at European IT security manufacturer ESET have uncovered a particularly malicious campaign by the Iranian cyber group MuddyWater. The cybercriminals used new hacking tools to attack technology, manufacturing and educational institutions as well as local authorities in Israel and Egypt. One component was disguised as the popular game ‘Snake’. MuddyWater’s attacks were aimed at stealing valuable data.

‘This campaign shows how flexible and technically mature MuddyWater has become,’ says ESET researcher Adam Burgher, who analysed the attacks. ‘The group combines familiar techniques such as spear phishing with completely new components designed for camouflage, delay tactics and sophisticated data exfiltration.’

Malicious code hidden behind popular game

The hackers came up with something special for the current attacks: they hid their loader in a computer game based on the principle of Snake. This is a classic game in which you control a snake that grows longer and longer without colliding with its own body or a wall.

File names and program code pretend to be the harmless game in order to deceive security software. It is particularly interesting that the hackers exploited a peculiarity of the game – regular short pauses with each movement of the player – to hinder automated analyses and further conceal the execution of the malicious code.

This allowed the loader to run MuddyWater’s new backdoor, ‘MuddyViper’, directly in memory. As a result, the backdoor left no files on disk, making detection even more difficult.

How MuddyWater cleverly collects and steals information

Among other things, the backdoor allows attackers to collect detailed system information, execute files, and upload and download files. In addition, MuddyViper enables the hackers to steal Windows login credentials and browser data, and to establish persistent access to the system. Communication with the command-and-control servers is encrypted via HTTPS and is deliberately designed to remain as inconspicuous as possible in network traffic.

In addition to MuddyViper, the group used several specialised auxiliary tools, each tailored to specific data types or attack phases. These include CE-Notes for stealing browser data, LP-Notes for manipulating Windows security dialogues for password queries, and Blub, another tool for stealing access data from Chrome, Edge, Firefox and Opera. These components store captured data locally before forwarding it.

Entry via prepared PDF documents

As in previous cases, MuddyWater uses spear phishing emails for initial access. These messages often contain PDFs with links to seemingly legitimate download websites, which actually deliver remote monitoring tools such as Atera, Level, PDQ or SimpleHelp – a common pattern used by the group.

Hacker group active since 2017

MuddyWater has been linked to the Iranian Ministry of Intelligence and National Security for years. The group has been active since at least 2017 and specialises in cyber espionage campaigns against government agencies, critical infrastructure and technology companies. MuddyWater typically uses spear phishing attacks, custom-made malware and a flexible combination of its own tools and publicly available tools. Its previous targets include political organisations in Turkey and attacks on managed service providers (MSPs).

ESET warns of the group’s increasing professionalism

‘Even though some components of the group remain easy to detect, this campaign shows clear technical maturation,’ Burgher concludes. ‘The combination of new tools, tactical precision and coordinated chains of access makes MuddyWater one of the most dangerous players in the Iranian cyber environment.’

More information on the latest attacks by MuddyWater can be found in the latest blog post ‘False snakes: News from MuddyWater’ (https://www.welivesecurity.com/de/eset-research/falsche-schlangen-neues-von-muddywater).
