Iranian hacker group deploys malicious Snake game to target Egyptian and Israeli critical infrastructure

News
By published

MuddyWater uses a fake Snake game to gain persistence

A large neon cybernetic snake coiled up with its tounge out, representing the MuddyWater custom malware, MuddyViper.
(Image credit: Shutterstock)
  • An Iranian-aligned group is targeting Israeli and Egyptian infrastructure
  • The group's previous attacks have been noisy and easy to detect
  • New techniques and malware have been deployed

An Iranian-aligned hacking group tracked as 'MuddyWater' has dramatically shifted tactics in attacks against Israeli and Egyptian critical infrastructure.

Previous campaigns by the group, observed by ESET Research, were characteristically noisy in their tactics, techniques, and procedures (TTPs) making them easily detectable.

However, the group has begun employing a new backdoor deployed via the Fooder loader, which often disguises itself as the classic Snake game.

MuddyVipers, snakes, and ladders

The attacks have typically targeted Israeli telecommunications, governmental, and oil and energy sectors. In this campaign, MuddyWater began by distributing spearphishing emails with PDF attachments linking to free remote monitoring and management (RMM) software, with the install files hosted on OneHub, Egnyte, Mega, and other free file hosting services.

Rather than installing legitimate RMM software, the files instead install loaders through which attackers can deploy backdoors. In the attacks observed by ESET, a newly identified loader known as Fooder deploys the MuddyViper backdoor.

Fooder has a unique characteristic - it often masquerades as the Snake game. This technique is more than just a disguise, as the core logic of Snake provides the loader with a custom delay function, allowing it to hide its true function from analysis.

The MuddyViper backdoor is also previously unobserved. Written in the C/C++ programming language, MuddyViper is capable of collecting system information, downloading and uploading files, executing files and shell commands, and stealing Windows credentials and browser data by displaying a fake Windows Security dialog.

The fake Windows Security dialog box deployed by the MuddyViper malware.

(Image credit: ESET Research)

The MuddyWater campaign targeted 17 organizations in Israel across a range of sectors including engineering, local government, manufacturing, technology, transportation, utilities, and universities. The group also targeted an Egyptian organization in the tech sector.

For greater insight into the MuddyWater campaign, as well as indicators of compromise, take a look at ESET’s 'MuddyWater: Snakes by the riverbank' research.

Best antivirus software header
The best antivirus for all budgets

➡️ Read our full guide to the best antivirus
1. Best overall:
Bitdefender Total Security
2. Best for families:
Norton 360 with LifeLock
3. Best for mobile:
McAfee Mobile Security

Benedict Collins
Benedict Collins
Senior Writer, Security

Benedict has been with TechRadar Pro for over two years, and has specialized in writing about cybersecurity, threat intelligence, and B2B security solutions. His coverage explores the critical areas of national security, including state-sponsored threat actors, APT groups, critical infrastructure, and social engineering.

Benedict holds an MA (Distinction) in Security, Intelligence, and Diplomacy from the Centre for Security and Intelligence Studies at the University of Buckingham, providing him with a strong academic foundation for his reporting on geopolitics, threat intelligence, and cyber-warfare.

Prior to his postgraduate studies, Benedict earned a BA in Politics with Journalism, providing him with the skills to translate complex political and security issues into comprehensible copy.

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.