Iran-Linked Hackers Hit Israeli Sectors with New MuddyViper Backdoor in Targeted Attacks
"Israeli entities spanning academia, engineering, local government, manufacturing, technology, transportation, and utilities sectors have emerged as the target of a new set of attacks undertaken by Iranian nation-state actors that have delivered a previously undocumented backdoor called MuddyViper. The activity has been attributed by ESET to a hacking group known as MuddyWater (aka Mango Sandstorm or TA450), a cluster assessed to be affiliated with Iran's Ministry of Intelligence and Security (MOIS). The attacks also singled out one technology company based in Egypt."
"The hacking group first came to light in November 2017, when Palo Alto Networks Unit 42 detailed targeted attacks against the Middle East between February and October of that year using a custom backdoor dubbed POWERSTATS. It's also known for its destructive attacks on Israeli organizations using a Thanos ransomware variant called PowGoop as part of a campaign referred to as Operation Quicksand."
"Some of the other notable tools in its arsenal include Blackout, a remote administration tool (RAT); AnchorRat, a RAT that offers file upload and command execution features; CannonRat, a RAT that can receive commands and transmit information; Neshta, a known file infector virus; and Sad C2, a command-and-control (C2) framework that delivers a loader called TreasureBox, which deploys the BlackPearl RAT."
MuddyWater, an Iran-linked hacking cluster tied to MOIS, targeted Israeli organizations across academia, local government, manufacturing, technology, transportation, utilities, and other sectors, plus one Egyptian technology company. The attacks delivered a previously undocumented backdoor named MuddyViper; the group has also used BugSleep (aka MuddyRot) since May 2024. Attack chains relied on spear-phishing and exploitation of known VPN vulnerabilities to deploy legitimate remote management tools and malware. The group's historical tools include POWERSTATS, the Blackout RAT, AnchorRat, CannonRat, the Neshta file infector, and the Sad C2 framework with its TreasureBox loader and BlackPearl RAT. The group previously used the Thanos ransomware variant PowGoop in destructive campaigns labeled Operation Quicksand.
Read at The Hacker News