Hackers Exploiting Legitimate RMM Tools With BugSleep Malware

Since October 2023, MuddyWater, which is an Iranian threat group linked to MOIS, has escalated its phishing campaigns in Middle East countries, specifically Israel.

In their approach, they use already compromised email accounts to spread malicious content across various sectors.

Predawn churning of curd formed overnight using fresh cow milk. Made freshly in small batches.

Recent attacks have featured generic, English-language lures such as webinar invitations, which promote reuse on a wider scale.

Cybersecurity researchers at CheckPoint recently identified that MuddyWater hackers have been deploying legitimate RMM with BugSleep malware.

Hackers Exploiting RMM Tools

The BugSleep is a custom backdoor that uses legitimate Remote Management Tools (RMMs).

Their strategies are becoming more sophisticated with customized lures for certain industries and Malicious files hosted on legitimate file-sharing services like Egnyte that show how adaptable they can be while keeping their MuddyWater signatures intact.

MuddyWater, a hacker group, is said to have been using Egnyte subdomains for cyber attacks involving phishing and aimed at various industries in different countries.

They have also introduced new BugSleep malware to replace certain legal uses of remote monitoring and management (RMM) tools.

BugSleep applies evasion techniques, encrypts communications, and can carry out multiple commands from its C&C server.

The malware has signs of ongoing development including different versions and some coding inconsistencies while using process injection for persistence, scheduled tasks, and attempts to evade EDR solutions.

Due to these implementation lapses, BugSleep poses a significant threat, especially for organizations based in Israel, Turkey, Saudi Arabia, India, and Portugal, which may have connections to operations conducted in Azerbaijan and Jordan.

The group’s enhanced phishing campaigns have been encouraged by the introduction of BugSleep.

Besides this, MuddyWater’s increased activity in the Middle East, especially in Israel, demonstrates their persistence and evolving tactics, researchers said.

Targeting diverse sectors like municipalities, airlines, and media, the group has simplified its lures, shifting from highly customized to generic themes in English. 

This alteration will enable broader regional impact rather than specific targeting with more attacks in volume, indicating their strategy adjustment.

Join our free webinar to learn about combating slow DDoS attacks, a major threat today.