New Bugsleep Backdoor Deployed In Recent Muddywater Campaigns

    Date: 07/17/2024

    Severity: Medium

    Summary

    "NEW BUGSLEEP BACKDOOR DEPLOYED IN RECENT MUDDYWATER CAMPAIGNS" describes the discovery of a new backdoor malware named BugSleep, deployed in recent cyber operations attributed to the MuddyWater threat group. This sophisticated malware allows unauthorized access to compromised systems, reflecting ongoing cybersecurity challenges and the evolving tactics of malicious actors. The findings emphasize the need for robust defenses and proactive detection measures to counter such advanced persistent threats effectively.

    Indicators of Compromise (IOC) List

    URLs/Domains


    IP Address


    Hash


    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    URLs/Domains

    userdomainname IN ("megolan.egnyte.com","onlinemailerservices.com","smtpcloudapp.com","cnsmportal.egnyte.com","kinneretacil.egnyte.com","softwarehosts.com","silbermintz1.egnyte.com","smartcloudcompany.com","salary.egnyte.com","rimonnet.egnyte.com","airpazflys.egnyte.com","downloadfile.egnyte.com","cairoairport.egnyte.com","filecloud.egnyte.com","alkan.egnyte.com") or url IN ("megolan.egnyte.com","onlinemailerservices.com","smtpcloudapp.com","cnsmportal.egnyte.com","kinneretacil.egnyte.com","softwarehosts.com","silbermintz1.egnyte.com","smartcloudcompany.com","salary.egnyte.com","rimonnet.egnyte.com","airpazflys.egnyte.com","downloadfile.egnyte.com","cairoairport.egnyte.com","filecloud.egnyte.com","alkan.egnyte.com")

    IP Address

    dstipaddress IN ("91.235.234.202","95.164.32.69","169.150.227.205","146.19.143.14","141.98.252.143","31.171.154.54","193.109.120.59") or ipaddress IN ("91.235.234.202","95.164.32.69","169.150.227.205","146.19.143.14","141.98.252.143","31.171.154.54","193.109.120.59") or publicipaddress IN ("91.235.234.202","95.164.32.69","169.150.227.205","146.19.143.14","141.98.252.143","31.171.154.54","193.109.120.59") or srcipaddress IN ("91.235.234.202","95.164.32.69","169.150.227.205","146.19.143.14","141.98.252.143","31.171.154.54","193.109.120.59")

    Hash

    sha256hash IN ("39da7cc7c627ea4c46f75bcec79e5669236e6b43657dcad099e1b9214527670e","88788208316a6cf4025dbabbef703f51d77d475dc735bf826b8d4a13bbd6a3ee","424a9c85f97aa1aece9480bd658266c366a60ff1d62c31b87ddc15a1913c10e4","e7896ccb82ae35e1ee5949b187839faab0b51221d510b25882bbe711e57c16d2","55af6a90ac8863f27b3fcaa416a0f1e4ff02fb42aa46a7274c6b76aa000aacc2","1c0947258ddb608c879333c941f0738a7f279bc14630f2c8877b82b8046acf91","7e6b04e17ae273700cef4dc08349af949dbd4d3418159d607529ae31285e18f7","960d4c9e79e751be6cad470e4f8e1d3a2b11f76f47597df8619ae41c96ba5809","c80c8dd7be3ccf18e327355b880afb5a24d5a0596939458fb13319e05c4d43e9","c23f17b92b13464a570f737a86c0960d5106868aaa5eac2f2bac573c3314eb0f","4064e4bb9a4254948047858301f2b75e276a878321b0cc02710e1738b42548ca","fb58c54a6d0ed24e85b213f0c487f8df05e421d7b07bd2bece3a925a855be93a","73c677dd3b264e7eb80e26e78ac9df1dba30915b5ce3b1bc1c83db52b9c6b30e","31591fcf677a2da2834d2cc99a00ab500918b53900318f6b19ea708eba2b38ab","7e14ca8cb7980e85aff4038f489442eace33530fd02e2b9c382a4b6907601bee","5df724c220aed7b4878a2a557502a5cefee736406e25ca48ca11a70608f3a1c0","90f94d98386c179a1b98a1f082b0c7487b22403d8d5eb3db6828725d14392ded","c88453178f5f6aaab0cab2e126b0db27b25a5cfe6905914cc430f6f100b7675c","94278fa01900fdbfb58d2e373895c045c69c01915edc5349cd6f3e5b7130c472","b8703744744555ad841f922995cef5dbca11da22565195d05529f5f9095fbfca","8fbd374d4659efdc5b5a57ff4168236aeaab6dae4af6b92d99ac28e05f04e5c1","ff2ae62ba88e7068fa142bbe67d7b9398e8ae737a43cf36ace1fcf809776c909","20aaeac4dbea89b50d011e9becdf51afc1a1a1f254a5f494b80c108fd3c7f61a")
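    As an added illustration (not part of the advisory and not Gurucul's query language), the Python below applies the same three indicator checks as the TDIR queries above to a list of log events, using the same field names. It goes one step beyond the exact-match queries by reducing a full URL to its hostname and lower-casing hash values before comparison, so a URL field carrying a path or an upper-case hash still matches. The indicator values are a small subset copied from the queries above; the events are constructed.

```python
from urllib.parse import urlsplit

# Indicator subset copied from the TDIR queries on this page
IOC_DOMAINS = {"megolan.egnyte.com", "onlinemailerservices.com", "smtpcloudapp.com"}
IOC_IPS = {"91.235.234.202", "146.19.143.14"}
IOC_SHA256 = {"39da7cc7c627ea4c46f75bcec79e5669236e6b43657dcad099e1b9214527670e"}

# Field names mirror the ones used in the Gurucul queries
DOMAIN_FIELDS = ("userdomainname", "url")
IP_FIELDS = ("dstipaddress", "ipaddress", "publicipaddress", "srcipaddress")
HASH_FIELDS = ("sha256hash",)


def host_of(value):
    """Reduce a URL or bare hostname to a lowercase hostname (no trailing dot)."""
    v = value.strip().lower()
    if "://" in v:
        v = urlsplit(v).hostname or ""
    return v.rstrip(".")


def match_event(event):
    """Return a list of (field, indicator, kind) hits for one event dict."""
    hits = []
    for f in DOMAIN_FIELDS:
        if event.get(f):
            h = host_of(event[f])
            if h in IOC_DOMAINS:
                hits.append((f, h, "domain"))
    for f in IP_FIELDS:
        v = (event.get(f) or "").strip()
        if v in IOC_IPS:
            hits.append((f, v, "ip"))
    for f in HASH_FIELDS:
        v = (event.get(f) or "").strip().lower()
        if v in IOC_SHA256:
            hits.append((f, v, "sha256"))
    return hits


def scan(events):
    """Return (index, hits) for every event that matched at least one indicator."""
    results = []
    for i, e in enumerate(events):
        hits = match_event(e)
        if hits:
            results.append((i, hits))
    return results


# Constructed sample events (hypothetical, not from the advisory)
SAMPLE_EVENTS = [
    {"url": "https://megolan.egnyte.com/dl/abc", "srcipaddress": "10.0.0.5"},
    {"dstipaddress": "91.235.234.202",
     "sha256hash": "39DA7CC7C627EA4C46F75BCEC79E5669236E6B43657DCAD099E1B9214527670E"},
    {"url": "https://example.com/", "srcipaddress": "10.0.0.6"},
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {hits}")
```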

    Reference:

    https://research.checkpoint.com/2024/new-bugsleep-backdoor-deployed-in-recent-muddywater-campaigns/

    https://blog.checkpoint.com/research/muddywater-threat-group-deploys-new-bugsleep-backdoor/
