Rust offers evasion advantages: CloudSEK researchers said RustyWater was developed in Rust, a language increasingly used by malware authors for its memory-safety features and cross-platform capabilities, according to the blog post. Other state-sponsored groups, including Russia’s Gossamer Bear and China-linked actors, have also deployed Rust-based malware in recent campaigns, according to security researchers.

The implant incorporates checks for virtual machine environments, debugging tools, and sandbox systems. “RustyWater begins execution by establishing anti-debugging and anti-tampering mechanisms,” the researchers wrote. “It registers a Vectored Exception Handler (VEH) to catch debugging attempts and systematically gathers victim machine information, including username, computer name, and domain membership.”

RustyWater also uses string obfuscation and multi-stage payload delivery, the researchers said. The malware encrypts all strings using position-independent XOR encryption and implements randomized sleep intervals between command-and-control callbacks to avoid detection, according to the blog post.
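Randomized sleep between callbacks defeats detections that look for an exact beacon period, so defenders score the spread of inter-arrival times instead. The following is an added example, not code from the CloudSEK report or this article: it parses constructed proxy-log lines and flags (source, destination) pairs whose gaps cluster tightly around a median even though no two are equal. Host names, addresses and timings are placeholders, not indicators from the report.

```python
from datetime import datetime, timedelta
from statistics import median

# Constructed sample traffic: hosts, addresses and timings are placeholders, not
# indicators from the report. The first pair models a ~300 s callback sleep
# randomized by roughly +/-30%; the second models human-driven browsing.
_SAMPLES = {
    ("ws-017", "203.0.113.44:443"): [291, 322, 270, 339, 302, 249, 381, 296, 318, 262, 345, 287],
    ("ws-017", "198.51.100.9:443"): [4, 1, 900, 12, 2, 3600, 45, 7, 1, 250, 30, 9],
}

def build_sample_log():
    """Emit constructed proxy-log lines '<ISO timestamp> <src> -> <dst>'."""
    lines = []
    for (src, dst), gaps in _SAMPLES.items():
        t = datetime(2025, 1, 15, 9, 0, 0)
        for g in [0] + gaps:
            t += timedelta(seconds=g)
            lines.append(f"{t.isoformat()} {src} -> {dst}")
    return lines

def parse_log(lines):
    """Group connection timestamps by (src, dst) pair."""
    events = {}
    for line in lines:
        ts, src, _, dst = line.split()
        events.setdefault((src, dst), []).append(datetime.fromisoformat(ts))
    return events

def beacon_score(timestamps, threshold=0.35, min_events=8):
    """Return (is_periodic, median_gap_s, jitter_ratio) for one (src, dst) pair.
    jitter_ratio = median absolute deviation of inter-arrival gaps / median gap;
    a sleep of base*(1 +/- jitter) keeps it small although no two gaps match
    exactly, while browsing spreads its gaps over orders of magnitude."""
    if len(timestamps) < min_events:
        return False, None, None
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    med = median(gaps)
    if med <= 0:  # duplicate timestamps only; avoid dividing by zero
        return False, med, None
    ratio = median(abs(g - med) for g in gaps) / med
    return ratio < threshold, med, ratio

def flag_beacons(lines, threshold=0.35):
    """Return {(src, dst): (median_gap_s, jitter_ratio)} for periodic pairs."""
    scored = {pair: beacon_score(ts, threshold) for pair, ts in parse_log(lines).items()}
    return {pair: (med, ratio) for pair, (periodic, med, ratio) in scored.items() if periodic}
```

The threshold is a tuning knob: a ratio under 0.35 tolerates about ±50% uniform jitter while still separating machine-paced callbacks from interactive traffic on the sample data.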
Broader targeting: CloudSEK said its investigation primarily focused on targeting within Israel, but the researchers observed indicators suggesting MuddyWater may have expanded operations to include victims in India, the UAE, and other countries in the region.

The campaign targeting Israeli entities used Hebrew-language decoy documents related to government agencies and the Israel Defense Forces, the blog post added.

MuddyWater has focused on espionage operations aimed at collecting government and military intelligence, according to security researchers. Previous campaigns attributed to the group used various remote access tools and custom malware families, including the PhonyC2 command-and-control framework and legitimate remote administration tools like SimpleHelp.

In November 2024, Amazon Threat Intelligence correlated MuddyWater activity with subsequent missile strikes, showing the group accessed compromised servers containing live CCTV feeds prior to attacks in Israel and the Red Sea.

CloudSEK recommended organizations implement email security controls, conduct security awareness training to help employees identify phishing attempts, and deploy endpoint detection and response solutions capable of identifying suspicious process behavior and network communications patterns.
First seen on csoonline.com
Jump to article: www.csoonline.com/article/4115379/iran-linked-muddywater-apt-deploys-rust-based-implant-in-latest-campaign.html