Iranian hacker group deploys malicious Snake game to target Egyptian and Israeli critical infrastructure
MuddyWater uses a fake Snake game to gain persistence
- An Iranian-aligned group is targeting Israeli and Egyptian infrastructure
- The group's previous attacks have been noisy and easy to detect
- New techniques and malware have been deployed
An Iranian-aligned hacking group tracked as 'MuddyWater' has dramatically shifted tactics in attacks against Israeli and Egyptian critical infrastructure.
Previous campaigns by the group, observed by ESET Research, were characteristically noisy in their tactics, techniques, and procedures (TTPs), making them easy to detect.
However, the group has begun deploying a new backdoor via the Fooder loader, which often disguises itself as the classic Snake game.
MuddyVipers, snakes, and ladders
The attacks have typically targeted Israeli telecommunications, governmental, and oil and energy sectors. In this campaign, MuddyWater began by distributing spearphishing emails with PDF attachments linking to free remote monitoring and management (RMM) software, with the install files hosted on OneHub, Egnyte, Mega, and other free file hosting services.
Rather than installing legitimate RMM software, the files install loaders through which the attackers can deploy backdoors. In the attacks observed by ESET, a newly identified loader known as Fooder deploys the MuddyViper backdoor.
Fooder has a distinctive trait: it often masquerades as the Snake game. This is more than a disguise, because the game's core logic doubles as a custom delay function for the loader, postponing its real behaviour and so hiding its true purpose from analysis.
The MuddyViper backdoor is also previously unobserved. Written in the C/C++ programming language, MuddyViper is capable of collecting system information, downloading and uploading files, executing files and shell commands, and stealing Windows credentials and browser data by displaying a fake Windows Security dialog.
The MuddyWater campaign targeted 17 organizations in Israel across a range of sectors including engineering, local government, manufacturing, technology, transportation, utilities, and universities. The group also targeted an Egyptian organization in the tech sector.
For greater insight into the MuddyWater campaign, as well as indicators of compromise, take a look at ESET’s 'MuddyWater: Snakes by the riverbank' research.
Benedict is a Senior Security Writer at TechRadar Pro, where he has specialized in covering the intersection of geopolitics, cyber-warfare, and business security.
Benedict provides detailed analysis on state-sponsored threat actors, APT groups, and the protection of critical national infrastructure, with his reporting bridging the gap between technical threat intelligence and B2B security strategy.
Benedict holds an MA (Distinction) in Security, Intelligence, and Diplomacy from the University of Buckingham Centre for Security and Intelligence Studies (BUCSIS), with his specialization providing him with a robust academic framework for deconstructing complex international conflicts and intelligence operations, and the ability to translate intricate security data into actionable insights.