MuddyWater Hides Malware With Game Delay Technique
Iranian nation-state hackers took inspiration from a mobile phone time-killing mainstay, say security researchers who spotted hackers downloading malware masquerading as the Snake video game.
See Also: Going Beyond the Copilot Pilot – A CISO’s Perspective
A callback to the game – it came preloaded onto Nokia phones by default starting in 1998 although its origins date to the 1970s – isn’t nostalgia, say researchers at Eset. Just as the game delays reaction time to the player control commands, a dropper deployed by the group commonly tracked as MuddyWater introduces execution delays to avoid detection by antivirus tools that check for rapid malicious activity.
The technique is a sign of growing sophistication by the group, which U.S. intelligence agencies attributed in 2022 to Iran’s Ministry of Intelligence and Security, the country’s primary intelligence agency and secret police force. Also known as Earth Vetala, Static Kitten and Mango Sandstorm, MuddyWater has been tied to numerous cyberespionage operations as well as the theft of intellectual property since at least 2017. Iranian hackers have been notably active this year (see: What’s Old Is New Again as Iranian Hackers Exploit Macros).
Eset said it spotted MuddyWater targeting telecoms, government agencies and the oil and energy sectors in Israel and Egypt. It’s possible, cybersecurity firm researchers said, that MuddyWater is acting as an initial access broker for other Tehran hacking operations, based on the overlap they observed between the group and other known Iranian threat actors.
MuddyWater hackers in this campaign continued their usual practice of gaining access through phishing emails. The messages often contain PDF attachments with links to remote monitoring and management tools hosted on free file-sharing platforms. Although the tools deployed by MuddyWater have improved, the threat actor’s “continued reliance on this familiar playbook” makes it relatively easy for cyberdefenders to detect and block its activity.
Variations of a loader already known to be in MuddyWater’s arsenal, dubbed the “Fooder” loader, masqueraded as the Snake game. The loader used the same delay logic in Snake to introduce execution delays in the loader itself in a bid to go undetected.
Hackers used the loader to deploy a previously undocumented backdoor Eset dubs “MuddyViper,” malware that researchers observed only in computer memory – “which might be the reason there is no obfuscation or string encryption.” It gains persistence through an installation directory configured as a Windows Startup folder, or through a scheduled task that launches the backdoor after each restart.
The threat actor also downloaded credential stealers tracked as CE-Notes and LP-Notes. Eset first observed CE-Notes in 2024. The two stealers share the same design – although LP-Notes can steal Windows credentials by displaying a fake Windows Security dialog box.
Communications back to a hardcoded command and control server occurred with a reverse SOCKS5 tunnel connected to a proxy machine as a way of hiding the location of the server.
“The use of game-inspired evasion techniques, reverse tunneling, and a diversified tool set reflects a more refined approach than in earlier campaigns, even though traces of the group’s operational immaturity remain,” Eset said.