Saturday, December 14, 2024
HomeCyber AttackHackers Exploiting Legitimate RMM Tools With BugSleep Malware

Hackers Exploiting Legitimate RMM Tools With BugSleep Malware

Published on

SIEM as a Service

Since October 2023, MuddyWater, which is an Iranian threat group linked to MOIS, has escalated its phishing campaigns in Middle East countries, specifically Israel.

In their approach, they use already compromised email accounts to spread malicious content across various sectors.

Predawn churning of curd formed overnight using fresh cow milk. Made freshly in small batches.

- Advertisement - SIEM as a Service

Recent attacks have featured generic, English-language lures such as webinar invitations, which promote reuse on a wider scale.

Cybersecurity researchers at CheckPoint recently identified that MuddyWater hackers have been deploying legitimate RMM with BugSleep malware.

Hackers Exploiting RMM Tools

The BugSleep is a custom backdoor that uses legitimate Remote Management Tools (RMMs).

Their strategies are becoming more sophisticated with customized lures for certain industries and Malicious files hosted on legitimate file-sharing services like Egnyte that show how adaptable they can be while keeping their MuddyWater signatures intact.

MuddyWater new infection chain (Source – CheckPoint)

MuddyWater, a hacker group, is said to have been using Egnyte subdomains for cyber attacks involving phishing and aimed at various industries in different countries.

They have also introduced new BugSleep malware to replace certain legal uses of remote monitoring and management (RMM) tools.

Notable phishing campaigns (Source – CheckPoint)

BugSleep applies evasion techniques, encrypts communications, and can carry out multiple commands from its C&C server.

The malware has signs of ongoing development including different versions and some coding inconsistencies while using process injection for persistence, scheduled tasks, and attempts to evade EDR solutions.

Due to these implementation lapses, BugSleep poses a significant threat, especially for organizations based in Israel, Turkey, Saudi Arabia, India, and Portugal, which may have connections to operations conducted in Azerbaijan and Jordan.

Map of targeted countries (Source – CheckPoint)

The group’s enhanced phishing campaigns have been encouraged by the introduction of BugSleep.

Besides this, MuddyWater’s increased activity in the Middle East, especially in Israel, demonstrates their persistence and evolving tactics, researchers said.

Targeting diverse sectors like municipalities, airlines, and media, the group has simplified its lures, shifting from highly customized to generic themes in English. 

This alteration will enable broader regional impact rather than specific targeting with more attacks in volume, indicating their strategy adjustment.

Join our free webinar to learn about combating slow DDoS attacks, a major threat today.

Tushar Subhra
Tushar Subhra
Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Latest articles

“Password Era is Ending,” Microsoft to Delete 1 Billion Passwords

Microsoft has announced that it is currently blocking an astounding 7,000 password attacks every...

Over 300,000 Prometheus Servers Vulnerable to DoS Attacks Due to RepoJacking Exploit

The research identified vulnerabilities in Prometheus, including information disclosure from exposed servers, DoS risks...

Reyee OS IoT Devices Compromised: Over-The-Air Attack Bypasses Wi-Fi Logins

Researchers discovered multiple vulnerabilities in Ruijie Networks' cloud-connected devices. By exploiting these vulnerabilities, attackers...

New Android Banking Malware Attacking Indian Banks To Steal Login Credentials

Researchers have discovered a new Android banking trojan targeting Indian users, and this malware...

API Security Webinar

72 Hours to Audit-Ready API Security

APIs present a unique challenge in this landscape, as risk assessment and mitigation are often hindered by incomplete API inventories and insufficient documentation.

Join Vivek Gopalan, VP of Products at Indusface, in this insightful webinar as he unveils a practical framework for discovering, assessing, and addressing open API vulnerabilities within just 72 hours.

Discussion points

API Discovery: Techniques to identify and map your public APIs comprehensively.
Vulnerability Scanning: Best practices for API vulnerability analysis and penetration testing.
Clean Reporting: Steps to generate a clean, audit-ready vulnerability report within 72 hours.

More like this

“Password Era is Ending,” Microsoft to Delete 1 Billion Passwords

Microsoft has announced that it is currently blocking an astounding 7,000 password attacks every...

Over 300,000 Prometheus Servers Vulnerable to DoS Attacks Due to RepoJacking Exploit

The research identified vulnerabilities in Prometheus, including information disclosure from exposed servers, DoS risks...

Reyee OS IoT Devices Compromised: Over-The-Air Attack Bypasses Wi-Fi Logins

Researchers discovered multiple vulnerabilities in Ruijie Networks' cloud-connected devices. By exploiting these vulnerabilities, attackers...