STAY SAFE FROM CYBER ATTACKS

Iranian nation-state hackers tracked as MuddyWater have recently been observed using a new backdoor called BugSleep (also referred to as MuddyRot) in cyber attacks targeting countries in the Middle East, including Turkey, Azerbaijan, Jordan, Saudi Arabia, Israel, and Portugal. This marks a shift away from their previous tactic of using legitimate remote monitoring and management (RMM) software to maintain persistent access. The BugSleep backdoor is an x64 implant written in C that can download and upload files, launch a reverse shell, and set up persistence, with command-and-control traffic carried over a raw TCP socket on port 443.

To prevent these attacks, organizations can take the following measures:

Implement Robust Email Security

Use advanced email security solutions that can detect and block phishing emails, including those with generic themes.

Monitor for Suspicious Activity

Keep a close eye on network traffic and system activity to detect any suspicious behavior that may indicate a BugSleep infection.
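One concrete thing to watch for follows from the description above: BugSleep talks over a raw TCP socket on port 443 rather than TLS, so outbound connections to 443 whose first client bytes are not a TLS ClientHello are worth a second look. The script below is an added example, not code from the original article or from any vendor; it assumes a hypothetical sensor that logs each flow as "src dst dport hex-of-first-client-bytes" (the log lines are constructed), and it flags only the non-TLS 443 flows. Legitimate non-TLS services on 443 exist, so treat hits as hunting leads rather than verdicts.

```python
"""Hunt for TCP flows to port 443 that do not start with a TLS ClientHello.

Added example (constructed, not from the original article). The log format is a
hypothetical sensor format: "src dst dport hex_of_first_client_bytes".
"""

from dataclasses import dataclass


def looks_like_tls_client_hello(first_bytes: bytes) -> bool:
    """True if the bytes look like a TLS record carrying a ClientHello.

    A TLS record starts with content type 0x16 (handshake), a 2-byte version
    whose major byte is 0x03, a 2-byte record length, and then the handshake
    message type, which is 0x01 for ClientHello.
    """
    if len(first_bytes) < 6:
        return False
    return (
        first_bytes[0] == 0x16
        and first_bytes[1] == 0x03
        and first_bytes[2] in (0x00, 0x01, 0x02, 0x03, 0x04)
        and first_bytes[5] == 0x01
    )


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    first_bytes: bytes


def parse_flow_line(line: str) -> Flow:
    """Parse one constructed sensor line: 'src dst dport hexbytes'."""
    src, dst, dport, hexbytes = line.split()
    return Flow(src, dst, int(dport), bytes.fromhex(hexbytes))


def find_non_tls_443(lines) -> list:
    """Return flows to port 443 whose first client bytes are not a ClientHello."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # skip blanks and comments in the constructed log
        flow = parse_flow_line(line)
        if flow.dport == 443 and not looks_like_tls_client_hello(flow.first_bytes):
            hits.append(flow)
    return hits


# Constructed sample log: two real-looking TLS handshakes on 443, one plain
# HTTP request on 80 (ignored), and one flow on 443 that starts with a
# length-prefixed string rather than a TLS record.
SAMPLE_LOG = """\
# src dst dport first_client_bytes_hex (constructed)
10.0.0.5 203.0.113.10 443 160301020001000001fc0303
10.0.0.7 203.0.113.20 443 0c00000048656c6c6f20776f726c64
10.0.0.9 203.0.113.30 80 474554202f20485454502f312e31
10.0.0.5 203.0.113.40 443 1603030100010000fc0303
"""


if __name__ == "__main__":
    for hit in find_non_tls_443(SAMPLE_LOG.splitlines()):
        print(f"non-TLS on 443: {hit.src} -> {hit.dst} first bytes {hit.first_bytes[:8].hex()}")
```

Running it prints the single flow from 10.0.0.7 to 203.0.113.20; the same check can be fed from a packet capture tool or a proxy log that records the first bytes of each connection.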

Block Known Malicious Domains and IPs

Block access to known malicious domains and IPs associated with MuddyWater, including those listed in the IOCs section.

Use Threat Emulation Signatures

Implement threat emulation signatures, such as those provided by Check Point, to detect and block BugSleep malware.

Conduct Regular Security Audits

Regularly conduct security audits to identify vulnerabilities and weaknesses that can be exploited by MuddyWater.

Educate Users

Educate users about the risks of phishing emails and the importance of verifying the authenticity of emails and attachments.

By taking these measures, organizations can protect themselves from the latest BugSleep backdoor attacks and prevent MuddyWater from gaining unauthorized access to their systems.


More articles by Nitesh Bhat