
Threat actors linked to the Iranian state have launched a new series of attacks against Israeli entities in various sectors, deploying a previously undocumented backdoor known as MuddyViper. The activity has been attributed to MuddyWater (also known as Mango Sandstorm or TA450), a hacking group allegedly affiliated with Iran’s Ministry of Intelligence and Security (MOIS).
The attacks not only focused on Israel, but also on a technology company based in Egypt. Affected sectors in Israel include academia, engineering, local government, manufacturing, technology, transportation and public services.
MuddyWater Attack Campaign
The MuddyWater group is known for its targeted attacks and for TTPs (Tactics, Techniques and Procedures) that remain consistent over time. Typical attack chains involve:
- Spear-phishing: Sending phishing emails with PDF files attached.
- Vulnerability Exploitation: Network infiltration through the exploitation of known vulnerabilities in VPN infrastructure.
- Deploying legitimate tools: Using legitimate remote administration tools such as Atera, Level, PDQ, and SimpleHelp to establish access.
Since at least May 2024, phishing campaigns have begun distributing a new backdoor called MuddyViper, along with the Fooder loader.
The MuddyViper Backdoor and the Fooder Loader
The attack campaign is distinguished by the use of a loader called Fooder, designed to decrypt and execute the MuddyViper backdoor, which is written in C/C++. ESET researchers detailed the capabilities of this new threat:
- MuddyViper capabilities: Collection of system information, execution of files and shell commands, file transfer, exfiltration of Windows login credentials and browser data. The backdoor supports a total of 20 commands.
- Evasion Techniques: Variants of Fooder disguise themselves as the classic “Snake” game and incorporate delayed execution to evade detection.
In addition to the main backdoor, the campaign has deployed go-socks5 reverse tunnel proxies and the open source HackBrowserData utility to collect data from browsers (excluding Safari on macOS).
MuddyWater’s Tool Arsenal
The MuddyWater group uses a combination of custom malware and open source or publicly available tools:
- Blackout: Remote Administration Tool (RAT).
- AnchorRat: RAT with file upload and command execution functions.
- CannonRat: RAT to receive commands and transmit information.
- Neshta: Known file-infecting virus.
- Sad C2: Command and control framework that deploys the TreasureBox loader and the BlackPearl RAT.
In the recent campaign, other data theft tools have also been observed:
- VAXOne: Backdoor impersonating Veeam, AnyDesk, Xerox and OneDrive update service.
- CE-Notes and Blub: Browser data stealers that attempt to extract the encryption keys of Chromium-based browsers in order to exfiltrate credentials.
- LP-Notes: C/C++ credential stealer that displays a fake Windows security dialog to trick users.
Charming Kitten Leaks (APT42)
The report on MuddyWater coincides with revelations about another Iranian threat group, APT42 (known as Charming Kitten or Fresh Feline), also active in cyber espionage against Israel.
- Operation SpearSpecter: The Israel National Digital Agency (INDA) attributed attacks targeting individuals and organizations of interest to APT42.
- Document Leak: A massive leak of internal documents by the anonymous collective KittenBusters exposed the operations of APT35 (Charming Kitten). The information links the group to the Islamic Revolutionary Guard Corps (IRGC), specifically Unit 1500.
- Key Revelations: The document leak reveals a bureaucratic and centralized command structure, with defined hierarchies, performance metrics and monitoring of daily activities. It also exposed the source code of BellaCiao, a backdoor used in global attacks.
Conclusion
This MuddyWater campaign, which includes the new MuddyViper backdoor, indicates an evolution in the group’s operational maturity. The deployment of undocumented components underscores an effort to improve stealth, persistence, and credential harvesting capabilities. Recent revelations about APT42 and the structure of IRGC Unit 1500 highlight the sophistication and organized nature of Iranian state-backed cyber espionage.