
CTI Roundup: MuddyWater Deploys BugSleep Malware, New Attack From Void Banshee

MuddyWater deploys BugSleep malware, researchers discover malicious files on the npm registry, and Void Banshee exploits a Microsoft MHTML flaw

Emerging Issue

Up first in this week’s roundup is a look at BugSleep – a new backdoor that the Iranian state actor MuddyWater is using in its latest campaign. Next, CTI looks at two malicious packages that were recently identified on the npm package registry. Finally, CTI investigates the Void Banshee threat actor that is now exploiting a recently disclosed vulnerability in the Microsoft MHTML browser engine to deliver the Atlantida infostealer.

1. MuddyWater deploys BugSleep malware

The Iranian nation-state actor known as MuddyWater (a.k.a. Mercury) is using a new backdoor called BugSleep in its latest campaign.

BugSleep is designed to execute commands and transfer files between the C2 and the compromised device. The malware is still under development and is continuously receiving updates.

How MuddyWater uses lures

During its campaigns, MuddyWater often sends phishing emails to a large quantity of targets from a compromised email account. Since February 2024, Check Point has identified more than 50 spear-phishing emails that were targeting more than 10 different sectors and hundreds of recipients.

For example, one lure targeted municipalities and urged them to download a new custom app. Other lures were much more generic and included invitations to webinars and other online courses that could be used across multiple sectors and regions.

MuddyWater’s infection chain

The actor abuses the Egnyte file-sharing platform and includes its subdomains in its phishing emails.

When victims click on these shared links, they are led to a site with an archive to be downloaded. The archive contains the BugSleep malware.

What is BugSleep?

BugSleep is a new malware that MuddyWater has been using since May 2024.

BugSleep has partially replaced the group’s heavy use of legitimate RMM tools. Check Point has already observed multiple different versions of the malware in the wild with each new version having improvements and bug fixes.

All versions of the malware start with several calls to the Sleep API to avoid being executed in a sandbox. Most of the samples then create a scheduled task for persistence that will make sure the malware is run every 30 minutes.

The malware can perform several commands including sending file content to the C2, writing content to a file, deleting/creating/getting status of the persistence task, updating the sleep time, and more.

One of the analyzed samples also came with a custom loader that will load BugSleep in memory into one of the following processes: msedge.exe, opera.exe, chrome.exe, anydesk.exe, Onedrive.exe, powershell.exe.
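The 30-minute persistence task described above is something a defender can hunt for in exported task definitions. The following is an added example, not Check Point's or Tanium's code: it parses Task Scheduler XML (as produced by `schtasks /query /xml`), converts the ISO 8601 repetition interval to minutes, and flags frequently repeating tasks that launch a binary from a user-writable path. The two task definitions are constructed samples.

```python
# Added example: flag scheduled tasks with short repetition intervals that
# run from user-writable locations. Input is Task Scheduler XML (constructed).
import re
import xml.etree.ElementTree as ET

# Task Scheduler schema namespace used by every exported task definition.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Constructed samples: one benign daily vendor updater, one task that
# re-runs every 30 minutes from C:\Users\Public (hypothetical path).
SAMPLE_TASKS = [
    """<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><Repetition><Interval>P1D</Interval></Repetition>
  </CalendarTrigger></Triggers>
  <Actions><Exec><Command>C:\\Program Files\\Vendor\\updater.exe</Command></Exec></Actions>
</Task>""",
    """<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><TimeTrigger><Repetition><Interval>PT30M</Interval></Repetition>
  </TimeTrigger></Triggers>
  <Actions><Exec><Command>C:\\Users\\Public\\svc.exe</Command></Exec></Actions>
</Task>""",
]

# Paths a standard user can write to; tasks launching from here deserve a look.
USER_WRITABLE = re.compile(r"^C:\\Users\\|^C:\\ProgramData\\|\\AppData\\", re.I)

def iso_minutes(duration: str) -> int:
    """Convert an ISO 8601 duration such as PT30M or P1DT2H to whole minutes."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", duration)
    if not m:
        raise ValueError(f"unsupported duration: {duration}")
    d, h, mi, s = (int(x) if x else 0 for x in m.groups())
    return d * 1440 + h * 60 + mi + (1 if s else 0)  # round seconds up

def suspicious_tasks(task_xmls, max_minutes=60):
    """Return (command, interval_minutes) for tasks repeating at most every
    max_minutes whose action runs from a user-writable path."""
    hits = []
    for xml in task_xmls:
        root = ET.fromstring(xml)
        interval = root.find(".//t:Repetition/t:Interval", NS)
        cmd = root.find(".//t:Exec/t:Command", NS)
        if interval is None or cmd is None:
            continue
        minutes = iso_minutes(interval.text.strip())
        if minutes <= max_minutes and USER_WRITABLE.search(cmd.text.strip()):
            hits.append((cmd.text.strip(), minutes))
    return hits
```

Feed it the XML of every task on a host and review the hits; a 30-minute cadence alone is not malicious, so the path filter is what keeps the noise down.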

Analyst comments from Tanium’s Cyber Threat Intelligence team

MuddyWater has been around since at least 2017 and has continually expanded both its techniques and its victimology.

This latest MuddyWater campaign reveals a shift for the actor. MuddyWater historically had a heavy reliance on the use of legitimate RMM software to maintain access to the environment.

Check Point’s research reveals that this actor is experimenting with new methods of persistence and new malware, indicating that there is likely more to come.

2. Researchers discover malicious files on the npm registry

Two malicious packages were recently identified on the npm package registry and contained sophisticated command and control functionality hidden in image files that would be executed when the package is installed.

The two packages identified in this campaign were both fake clones of legitimate AWS packages.

The malicious npm packages

The two malicious packages are img-aws-s3-object-multipart-copy and legacyaws-s3-object-multipart-copy.

The first package is a copy of the legitimate AWS package that is found on GitHub. The threat actor updated the index.js file to execute the loadformat.js script – an additional script that was added to the malicious package.

Image processing to execution

Phylum analyzed loadformat.js for additional details and found that it reads the image file from disk and then processes it byte by byte.

After defining certain function bodies and variables, the script executes whatever code it has extracted from the image file.

Command and control in a JPEG

Phylum tried to understand what executable content was contained within the images. They identified three image files in the package’s root: logo1.jpg, logo2.jpg, and logo3.jpg.

Phylum discovered that the code will register a new client with the remote C2 by sending certain information, like the host name and operating system type, to a specific IP address. It will then create an interval to loop through and obtain commands from the C2 every five seconds.

The obtained commands will run on the device, and the output gets sent back to the threat actor.
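Two properties of this campaign are cheap to triage before installing a package: lifecycle scripts that run automatically on `npm install`, and image files carrying non-image data. The following is an added example, not Phylum's analysis code or the package's own loader. It assumes the hidden script sits after the JPEG end-of-image marker (FF D9), which is one common stashing technique; the write-up does not detail the real loader's extraction scheme, so treat this as a generic check rather than a signature. The package.json and JPEG bytes are constructed.

```python
# Added example: triage an npm package for install hooks and for JavaScript
# hidden after a JPEG's end-of-image marker. All sample data is constructed.
import json
import re

INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")
# Tokens that rarely belong in image trailer bytes but are typical of a beacon.
SCRIPT_TOKENS = re.compile(rb"require\(|child_process|setInterval|eval\(|http\.request", re.I)

# Constructed package.json with a postinstall hook (package name is hypothetical).
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "example-s3-multipart-copy",
    "scripts": {"postinstall": "node loadformat.js"},
})
# Minimal JPEG: SOI, one APP0 segment, EOI. SAMPLE_JPEG has JS appended after EOI.
CLEAN_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 9 + b"\xff\xd9"
SAMPLE_JPEG = CLEAN_JPEG + b"const cp=require('child_process');setInterval(beacon,5000);"

def install_hooks(package_json: str) -> dict:
    """Return lifecycle scripts that npm runs automatically at install time."""
    scripts = json.loads(package_json).get("scripts", {})
    return {k: v for k, v in scripts.items() if k in INSTALL_HOOKS}

def trailing_payload(data: bytes) -> bytes:
    """Return bytes after the last JPEG EOI marker (empty if the file ends cleanly).
    In a well-formed JPEG, FF D9 only appears as EOI, so rfind is safe."""
    if not data.startswith(b"\xff\xd8"):
        return b""
    eoi = data.rfind(b"\xff\xd9")
    return data[eoi + 2:] if eoi != -1 else b""

def hidden_script(data: bytes) -> bool:
    """True when trailing data exists and contains script-like tokens."""
    return bool(SCRIPT_TOKENS.search(trailing_payload(data)))

if __name__ == "__main__":
    print("install hooks:", install_hooks(SAMPLE_PACKAGE_JSON))
    print("hidden script:", hidden_script(SAMPLE_JPEG), hidden_script(CLEAN_JPEG))
```

Run both checks over an unpacked tarball before `npm install`; a package that has an install hook and ships images with trailing script tokens is worth a manual read.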

Analyst comments from Tanium’s Cyber Threat Intelligence team

These two packages were ultimately removed from npm, but only after being available publicly for about two days.

The risks associated with open-source software will likely always be around, primarily because threat actors understand the heavy reliance organizations have on many open-source software and packages. This is evidenced by the huge increase in the number of malicious packages being published to open-source repositories over the last few years.

Keep in mind that these packages were clones of legitimate packages and not legitimate packages that were trojanized. It’s important to be incredibly vigilant with open-source packages and to take the time to verify what is being downloaded from open-source repositories.

3. Void Banshee exploits a Microsoft MHTML flaw

The Void Banshee threat actor is now exploiting a recently disclosed vulnerability in the Microsoft MHTML browser engine to deliver the Atlantida infostealer.

The vulnerability was used in a multi-stage attack to access and execute files through the disabled Internet Explorer via MSHTML. The Atlantida infostealer seeks to steal system information and sensitive data, like passwords and cookies.

The vulnerability

CVE-2024-38112 is an RCE vulnerability in MHTML. The vulnerability was used as a zero-day to execute files via the disabled Internet Explorer, using MSHTML.

This vulnerability was patched in the July 2024 Patch Tuesday. Void Banshee was observed using this vulnerability as part of its infection chain starting in mid-May 2024.

Using Internet Explorer as an attack vector

Internet Explorer support ended in June of 2022 and has been disabled in later versions of Windows. This, however, does not mean that it was removed from the systems. Remnants of Internet Explorer still exist on Windows systems, even if they are not accessible or visible to the typical user. If a user were to find and attempt to open iexplore.exe they would simply be redirected to Microsoft Edge.

In this Void Banshee campaign, according to Trend Micro, the actor exploited CVE-2024-38112 to “run and execute files and websites through the disabled IE process… through MSHTML.” To do so the actor used specially crafted URL files and was able to run an HTA file directly through the disabled IE process.

Technical details

  • To start the attack, the actor leverages zip archives that contain books in PDF format along with malicious files that are masquerading as PDFs.
  • These are primarily included in spear phishing emails and cloud-sharing sites.
  • The attack begins when a victim clicks on the malicious URL shortcut file that is designed to exploit the vulnerability.
  • The internet shortcut file points to an actor-controlled domain where an HTML file is used to download the HTA portion of the infection. The HTML file can also be used by the actor to hide browser information.
  • When the URL is contacted via Internet Explorer it will try to open the HTA file and will ask the user to either open or save the HTML app. To the user, this appears as a normal PDF file.
  • The file contains a VBScript that decrypts its content and then executes that content with PowerShell. A .NET trojan loader is also executed to perform process injection. In later stages the open-source Donut loader is used to decrypt and execute the Atlantida stealer, which is the final payload of the attack.

Analyst comments from Tanium’s Cyber Threat Intelligence team

This attack may seem irrelevant at first glance as Internet Explorer has been discontinued. However, threat actors can still exploit the browser and use it to infect users and organizations, as evidenced by this attack.

As Trend Micro explained, APT groups like Void Banshee can exploit disabled services such as IE, which poses a significant threat to organizations. The vulnerability has since been patched, but the threat still exists for organizations that did not patch because they assumed IE was no longer present on their machines.



Tanium CTI

Tanium's Cyber Threat Intelligence (CTI) analysts process and extract trends from the daily cyber landscape to curate and deliver current intel to stakeholders around threats impacting business and security.
