Concise Cyber

Iran-Linked MuddyWater Group Targets Israel with New MuddyViper Backdoor

Cybersecurity researchers have identified a targeted attack campaign against multiple Israeli organizations attributed to the Iran-linked threat actor MuddyWater. The group, also tracked as Seedworm and TEMP.Zagros, has been observed deploying a previously undocumented backdoor named MuddyViper in these operations.

The attacks targeted a range of sectors within Israel, including prominent government entities, financial services, insurance companies, and the aviation industry, and the evidence from the campaign points to cyber espionage and data exfiltration from these high-value targets as the objective.

Attack Vector and Execution Chain

The initial infection vector MuddyWater used in this campaign is spear-phishing email carrying malicious attachments. These attachments are typically compressed archives, in RAR or ZIP format, that house executables designed to initiate the attack sequence. Once a user opens the executable inside the archive, a series of scripts runs to download and deploy the final payload on the compromised system.

The attack chain leverages legitimate-looking executables and scripts to evade initial detection by security software. The primary goal of this initial stage is to establish a foothold within the target’s network and prepare for the deployment of the main espionage tool, the MuddyViper backdoor.
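The archive-with-executable lure described above is something a mail gateway or triage script can check for before a user ever sees it. The following is an added example, not code from the article or from any vendor report on this campaign: it builds a constructed ZIP in memory (no real sample is involved), then walks the entries, including nested ZIPs, and reports executables and script files, treating a decoy double extension such as `.pdf.exe` as a stronger signal. The extension lists are assumptions chosen for the example, not indicators from the campaign.

```python
"""Flag archive attachments that carry executables or scripts (added example)."""
import io
import posixpath
import zipfile
from typing import Optional

# File types that run directly or through a Windows script host.
# Assumption for this example, not an indicator list from the article.
EXECUTABLE_EXTS = {
    ".exe", ".dll", ".scr", ".com", ".pif", ".msi",
    ".bat", ".cmd", ".ps1", ".vbs", ".vbe", ".js", ".jse",
    ".wsf", ".wsh", ".hta", ".lnk",
}
# Document/image extensions often used as the decoy half of a double extension.
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png", ".txt"}


def _suspicious_name(name: str) -> Optional[str]:
    """Return a reason if the entry name looks executable, else None."""
    base = posixpath.basename(name).lower()
    if not base:
        return None  # directory entry such as "docs/"
    parts = base.split(".")
    if len(parts) < 2:
        return None
    ext = "." + parts[-1]
    if ext not in EXECUTABLE_EXTS:
        return None
    # "invoice.pdf.exe": the real extension is hidden behind a decoy one.
    if len(parts) > 2 and "." + parts[-2] in DECOY_EXTS:
        return "double extension"
    return "executable or script"


def scan_archive(data: bytes, prefix: str = "", depth: int = 0,
                 max_depth: int = 3) -> list[tuple[str, str]]:
    """Return (path, reason) findings; nested ZIPs are scanned with a '!' path separator."""
    if depth > max_depth:
        return [(prefix, f"nesting deeper than {max_depth} levels")]
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [(prefix, "not a valid ZIP")]
    findings: list[tuple[str, str]] = []
    with zf:
        for info in zf.infolist():
            path = prefix + info.filename
            reason = _suspicious_name(info.filename)
            if reason:
                findings.append((path, reason))
            # Inspect inner archives too; a ZIP inside a ZIP is a common way
            # to get past checks that only look at the outer container.
            if not info.is_dir() and info.filename.lower().endswith(".zip"):
                findings.extend(scan_archive(zf.read(info), path + "!",
                                             depth + 1, max_depth))
    return findings


def build_sample() -> bytes:
    """Constructed lure for the example: a decoy PDF, a double-extension
    executable, and a nested ZIP holding a script. Contents are placeholders."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("update.vbs", "' placeholder, not a real script")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("brochure.pdf", b"%PDF-1.4 placeholder")
        z.writestr("Invoice_2023.pdf.exe", b"MZ placeholder")
        z.writestr("docs/extra.zip", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    for path, reason in scan_archive(build_sample()):
        print(f"{reason:22} {path}")
```

Only ZIP is handled here because the standard library has no RAR reader; for RAR attachments the same name-based checks apply, but the entry listing needs a third-party library or the `unrar`/`7z` tools. Name checks alone do not catch an archive whose entries are renamed to innocuous extensions and later renamed by a script, so in practice this sits in front of, not instead of, content inspection and sandboxing.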

MuddyViper Backdoor Capabilities

The core component of this campaign is the MuddyViper backdoor, a remote access trojan (RAT) granting attackers significant control over infected machines. The malware is designed to gather sensitive information and maintain persistent access. Its documented capabilities include executing arbitrary commands, uploading and downloading files, and collecting detailed system information from the victim’s computer.

To maintain persistence, MuddyViper has been observed creating scheduled tasks, so the malware runs automatically even after a system reboot. For command-and-control (C2) communications, the backdoor uses legitimate third-party services, a technique that blends its traffic with normal network activity and sidesteps reputation-based blocking, since the destinations are well-known domains most organizations cannot block outright; correlating which process on a host is talking to such a service is a better handle than the destination alone. The attribution to MuddyWater rests on overlaps in tactics, techniques, and procedures (TTPs) and in infrastructure with the group's previously documented campaigns.
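The scheduled-task persistence mentioned above leaves a record that is straightforward to hunt: Windows Security event 4698 ("A scheduled task was created") carries the full task XML in its `TaskContent` field. The following is an added example, not code from the article or from the researchers' report, that parses constructed 4698 events and flags tasks whose action runs a script host or points into a user-writable directory. The script-host list, the path regex and the two sample tasks are assumptions made for the example; none of them are indicators from the MuddyViper campaign.

```python
"""Hunt Security event 4698 for script-host scheduled tasks (added example)."""
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Interpreters and LOLBins a malware dropper commonly schedules. Assumption
# for this example, not an indicator list from the article.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "cmd.exe", "rundll32.exe", "regsvr32.exe"}
# Locations an unprivileged user can write to.
USER_WRITABLE = re.compile(
    r"(\\users\\[^\\]+\\(appdata|downloads)\\|\\programdata\\|\\users\\public\\"
    r"|%(appdata|localappdata|temp|tmp|public)%)", re.I)


def assess_task(task_name: str, task_content: str) -> dict:
    """Score one task definition; 'flagged' needs a script host or a user-writable path."""
    task = ET.fromstring(task_content)
    reasons: list[str] = []
    for exe in task.findall(".//t:Actions/t:Exec", TASK_NS):
        cmd = exe.findtext("t:Command", "", TASK_NS).strip()
        args = exe.findtext("t:Arguments", "", TASK_NS).strip()
        exe_name = cmd.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if exe_name in SCRIPT_HOSTS:
            reasons.append(f"script host {exe_name}")
        if USER_WRITABLE.search(cmd + " " + args):
            reasons.append("user-writable path")
    if task.findtext("t:Settings/t:Hidden", "", TASK_NS).strip().lower() == "true":
        reasons.append("hidden task")
    trig = task.find("t:Triggers", TASK_NS)
    trigger_names = [] if trig is None else [t.tag.split("}")[-1] for t in trig]
    if any(n in ("BootTrigger", "LogonTrigger") for n in trigger_names):
        reasons.append("runs at boot/logon")  # survives reboot, as the article notes
    flagged = any(r.startswith(("script host", "user-writable")) for r in reasons)
    return {"task": task_name, "reasons": reasons, "flagged": flagged}


def hunt(event_xmls: list[str]) -> list[dict]:
    """Return assessments for every 4698 event whose task is flagged."""
    hits = []
    for xml in event_xmls:
        root = ET.fromstring(xml)
        fields, event_id = {}, None
        for el in root.iter():  # strip namespaces by matching local names
            local = el.tag.split("}")[-1]
            if local == "EventID":
                event_id = (el.text or "").strip()
            elif local == "Data" and el.get("Name"):
                fields[el.get("Name")] = el.text or ""
        if event_id != "4698":
            continue
        result = assess_task(fields.get("TaskName", "?"),
                             fields.get("TaskContent", "<Task/>"))
        result["user"] = fields.get("SubjectUserName", "?")
        if result["flagged"]:
            hits.append(result)
    return hits


def make_event(user: str, task_name: str, task_xml: str) -> str:
    """Constructed 4698 event; the task XML is escaped into TaskContent as the log stores it."""
    return ('<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
            "<System><EventID>4698</EventID></System><EventData>"
            f'<Data Name="SubjectUserName">{escape(user)}</Data>'
            f'<Data Name="TaskName">{escape(task_name)}</Data>'
            f'<Data Name="TaskContent">{escape(task_xml)}</Data></EventData></Event>')


# Two constructed tasks: a stock maintenance task and a hidden logon task that
# runs a PowerShell script out of a user's roaming profile.
BENIGN_TASK = r'''<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
<Triggers><CalendarTrigger><Enabled>true</Enabled></CalendarTrigger></Triggers>
<Settings><Hidden>false</Hidden></Settings>
<Actions><Exec><Command>%windir%\system32\defrag.exe</Command><Arguments>-c -h -o</Arguments></Exec></Actions>
</Task>'''
SUSPECT_TASK = r'''<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
<Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
<Settings><Hidden>true</Hidden></Settings>
<Actions><Exec><Command>C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Command>
<Arguments>-NoP -W Hidden -ExecutionPolicy Bypass -File C:\Users\alice\AppData\Roaming\svc\update.ps1</Arguments></Exec></Actions>
</Task>'''
SAMPLE_EVENTS = [
    make_event("SYSTEM", r"\Microsoft\Windows\Defrag\ScheduledDefrag", BENIGN_TASK),
    make_event("alice", r"\OneDriveUpdate", SUSPECT_TASK),
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit["user"], hit["task"], ", ".join(hit["reasons"]))
```

Event 4698 is only written when "Audit Other Object Access Events" is enabled in the advanced audit policy, so confirm that setting before relying on it; on hosts without it, the same task XML can be read from `C:\Windows\System32\Tasks` and fed to `assess_task` directly. Hidden and logon-triggered tasks are common for legitimate software, which is why the example requires a script host or a user-writable path before flagging.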

Source: https://thehackernews.com/2023/12/iran-linked-hackers-target-israeli.html