MuddyWater hackers are employing a new UDP-based backdoor, dubbed UDPGangster, in a series of sophisticated attacks targeting Windows systems across the Middle East. The malware gives its operators remote control over compromised machines, enabling data exfiltration and the delivery of additional payloads, while its choice of transport is intended to slip past network defenses that concentrate on TCP and web traffic.
Recent campaigns have been observed targeting users in Turkey, Israel, and Azerbaijan, indicating a geographically widening and active threat. The attacks leverage social engineering, particularly through phishing emails that impersonate government entities, with malicious Microsoft Word documents serving as the primary infection vector.
MuddyWater Hackers Leverage UDPGangster for Advanced Attacks
The MuddyWater threat group, known for its persistent cyber espionage operations in the Middle East and surrounding regions, has significantly enhanced its capabilities with the introduction of the UDPGangster backdoor. According to security researchers, the malware is designed to bypass conventional network security monitoring by carrying its command-and-control traffic over the User Datagram Protocol (UDP) rather than the TCP-based channels most monitoring is tuned for, which makes the communication harder to detect.
UDPGangster provides attackers with a high degree of control over infected systems. Once a system is compromised, adversaries can execute arbitrary commands, extract sensitive files, and install further malicious software, paving the way for more complex and damaging operations. The malware’s ability to operate discreetly over UDP is a key component of its evasive strategy.
Infection Mechanism and Evasive Tactics
The current attack campaigns initiated by MuddyWater hackers begin with targeted phishing emails. Each email carries an attachment, typically a Microsoft Word document, crafted to entice the recipient to open it. The documents are often made to look like legitimate communications from government bodies, such as a purported invitation to an online seminar from the Turkish Republic of Northern Cyprus Ministry of Foreign Affairs.
Once a user is lured into opening the malicious document and enabling macros, the embedded VBA code runs and installs the UDPGangster backdoor. The macro decodes Base64-encoded data stored in a hidden form field inside the document, writes it to a file named "ui.txt" in the Public user directory (C:\Users\Public), and then launches the decoded UDPGangster payload as a new process through the Windows API function CreateProcessA.
For persistence, UDPGangster copies itself to the user's AppData\RoamingLow directory under the name "SystemProc.exe" and modifies the Windows registry so that it runs at every logon. Specifically, it writes the malware's path into the Startup value under HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders. That value tells Explorer where the user's Startup folder lives; its default is %USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup, so pointing it elsewhere makes Explorer launch the attacker's content at logon instead of the legitimate Startup items. Because the Run and RunOnce keys are what most baseline checks inspect, this redirection is a quieter persistence route.
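A quick way to hunt for the persistence technique described above is to export the User Shell Folders key and compare the Startup value with the known default. The script below is an added example, not code from the article or from the malware: it parses a `reg export` of that key and flags a Startup value that no longer resolves to the default Startup folder. The sample export, the profile name "alice" and the exact SystemProc.exe path are constructed to mirror the article's description and are not real indicators.

```python
"""Hunt for a redirected per-user Startup folder in a .reg export.

Added example (not the article's or the malware's code). It parses a
`reg export` of the User Shell Folders key and flags a Startup value that
no longer points at the default Startup folder, the persistence technique
the article attributes to UDPGangster.
"""
from __future__ import annotations

import re

USER_SHELL_FOLDERS = (
    r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion"
    r"\Explorer\User Shell Folders"
)

# Default Startup folder, either unexpanded (%USERPROFILE%) or expanded to a
# concrete profile path. Anything else means Explorer has been redirected.
DEFAULT_STARTUP_RE = re.compile(
    r"^(?:%USERPROFILE%|[A-Za-z]:\\Users\\[^\\]+)"
    r"\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup$",
    re.IGNORECASE,
)

# Constructed sample export: the profile name, the RoamingLow location and the
# SystemProc.exe name follow the article's description; nothing here is real data.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders]
"Desktop"=hex(2):25,00,55,00,53,00,45,00,52,00,50,00,52,00,4f,00,46,00,49,00,4c,00,45,00,25,00
"Personal"="%USERPROFILE%\\Documents"
"Startup"="C:\\Users\\alice\\AppData\\RoamingLow\\SystemProc.exe"
"""


def parse_reg_export(text: str) -> dict[str, dict[str, str]]:
    """Return {key_path: {value_name: string_value}} for quoted string values.

    hex(...) blobs (REG_EXPAND_SZ / REG_BINARY) are skipped. .reg files escape
    backslashes and quotes with a backslash, which is undone here.
    """
    keys: dict[str, dict[str, str]] = {}
    current: str | None = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        if current is None:
            continue
        m = re.match(r'^"((?:[^"\\]|\\.)+)"="((?:[^"\\]|\\.)*)"$', line)
        if m:
            name, value = m.groups()
            keys[current][name] = re.sub(r"\\(.)", r"\1", value)
    return keys


def is_default_startup(path: str) -> bool:
    """True when the Startup value still resolves to the default Startup folder."""
    return DEFAULT_STARTUP_RE.match(path) is not None


def startup_findings(reg: dict[str, dict[str, str]]) -> list[str]:
    """Explain why the Startup value looks hijacked; an empty list means it is fine."""
    startup = reg.get(USER_SHELL_FOLDERS, {}).get("Startup")
    if startup is None:
        return []  # value absent: Explorer falls back to the default folder
    findings = []
    if not is_default_startup(startup):
        findings.append(f"Startup shell folder redirected to: {startup}")
    if startup.lower().endswith(".exe"):
        findings.append("Startup value names an executable, not a folder")
    return findings


if __name__ == "__main__":
    for finding in startup_findings(parse_reg_export(SAMPLE_REG_EXPORT)):
        print("ALERT:", finding)
```

On a live host the input would come from `reg export "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" out.reg`; the same comparison applies to the `Common Startup` value under the HKLM counterpart of the key.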
Crucially, UDPGangster incorporates an extensive set of anti-analysis capabilities. Security researchers have identified at least nine distinct techniques employed to thwart detection and analysis by security tools and researchers. These include debugger detection, virtual machine checks based on CPU core counts, checks of disk and memory size (small values suggest a sandbox), inspection of network adapter MAC addresses for virtualization vendor prefixes, hardware inspection via WMI queries, scanning for virtualization tools, extensive registry checks, detection of sandbox environments, and a check of the malware's own filename against names typical of analysis environments. Together these make reverse-engineering and understanding the malware's functionality a significant challenge.
Operational Control and Communication
Following successful evasion of security measures, the UDPGangster backdoor collects system information, such as the computer name, domain details, and operating system version. This data is encoded with a rotate-right (ROR) based transformation and transmitted to the command-and-control (C2) server at the IP address 157.20.182.75. The communication occurs exclusively over UDP port 1269, a non-standard port on a transport that many monitoring stacks, tuned for TCP and web traffic, do not inspect closely.
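The following added example illustrates both halves of that paragraph; it is not UDPGangster's code and the article does not publish the real encoding details. The rotation count (3), the field layout (computer, domain, OS version joined with "|") and the flow records are assumptions constructed for the example. The second function is the hunt a defender would run over Zeek-style conn records: match the published indicator (157.20.182.75 on UDP/1269), and, more generally, flag any UDP from an internal host to a public address on a port outside a short allow-list, which is what catches the next sample when the indicator changes.

```python
"""ROR-style beacon encoding and a hunt for UDP/1269 traffic in flow records.

Added example, not UDPGangster's code. The article says the host survey is
encoded with a ROR-based transform and sent over UDP to 157.20.182.75:1269;
the rotation count, field layout and separator below are assumptions, and
the flow records are constructed.
"""
from __future__ import annotations

import ipaddress

C2_IP = "157.20.182.75"   # C2 address reported in the article
C2_PORT = 1269            # C2 port reported in the article

# UDP services an ordinary workstation legitimately reaches on the internet
# (DNS, NTP, QUIC, IPsec, STUN). Anything else to a public host deserves a look.
EXPECTED_UDP_PORTS = {53, 123, 443, 500, 4500, 3478}

# Address space considered internal for this hunt (RFC 1918).
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def ror8(b: int, n: int) -> int:
    """Rotate an 8-bit value right by n bits."""
    n %= 8
    return ((b >> n) | (b << (8 - n))) & 0xFF


def rol8(b: int, n: int) -> int:
    """Rotate an 8-bit value left by n bits (inverse of ror8)."""
    n %= 8
    return ((b << n) | (b >> (8 - n))) & 0xFF


def ror_encode(data: bytes, n: int = 3) -> bytes:
    """Per-byte ROR transform; n=3 is an assumed constant, not the real one."""
    return bytes(ror8(b, n) for b in data)


def ror_decode(data: bytes, n: int = 3) -> bytes:
    """Undo ror_encode by rotating each byte left by the same count."""
    return bytes(rol8(b, n) for b in data)


def build_beacon(computer: str, domain: str, os_version: str, n: int = 3) -> bytes:
    """Encode the fields the article lists; the '|' layout is an assumption."""
    return ror_encode("|".join((computer, domain, os_version)).encode(), n)


def parse_beacon(payload: bytes, n: int = 3) -> dict[str, str]:
    """Decode a beacon built by build_beacon back into its fields."""
    computer, domain, os_version = ror_decode(payload, n).decode().split("|", 2)
    return {"computer": computer, "domain": domain, "os": os_version}


# Constructed Zeek-style conn records: ts, uid, orig_h, orig_p, resp_h, resp_p, proto.
SAMPLE_CONN_LOG = """\
1700000000.1\tC1\t10.0.0.5\t53122\t157.20.182.75\t1269\tudp
1700000001.2\tC2\t10.0.0.5\t55010\t8.8.8.8\t53\tudp
1700000002.3\tC3\t10.0.0.9\t49881\t157.20.182.75\t1269\tudp
1700000003.4\tC4\t10.0.0.7\t40000\t10.0.0.1\t1269\tudp
1700000004.5\tC5\t10.0.0.7\t51000\t157.20.182.75\t443\ttcp
1700000005.6\tC6\t10.0.0.7\t51001\t203.0.113.9\t7777\tudp
"""


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def hunt_udp_beacons(log: str, c2_ip: str = C2_IP, c2_port: int = C2_PORT) -> dict[str, list[str]]:
    """Return uids matching the published indicator, and uids of any UDP flow
    from an internal host to a non-internal address on an unexpected port."""
    hits: dict[str, list[str]] = {"ioc": [], "nonstandard_udp": []}
    for line in log.splitlines():
        _ts, uid, src, _sport, dst, dport, proto = line.split("\t")
        if proto != "udp":
            continue
        port = int(dport)
        if dst == c2_ip and port == c2_port:
            hits["ioc"].append(uid)
        if is_internal(src) and not is_internal(dst) and port not in EXPECTED_UDP_PORTS:
            hits["nonstandard_udp"].append(uid)
    return hits


if __name__ == "__main__":
    beacon = build_beacon("WS01", "CORP", "10.0.19045")
    print(parse_beacon(beacon))
    print(hunt_udp_beacons(SAMPLE_CONN_LOG))
```

The generic rule will also surface legitimate traffic (games, some VPN and VoIP clients), so it belongs in a hunting query rather than a blocking control; the indicator match is the one to alert on directly.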
The ongoing attacks by MuddyWater hackers highlight the evolving sophistication of state-sponsored threat actors and their persistent focus on targets within the Middle East. The use of UDPGangster and its multi-layered evasion techniques presents a notable challenge for cybersecurity defenses. Organizations operating in the affected regions, and indeed globally, should log and alert on outbound UDP to non-standard ports and unfamiliar external hosts, block the reported indicator (157.20.182.75 on UDP port 1269), restrict Office macros in documents received from the internet, and review the User Shell Folders key and other Explorer persistence locations alongside the usual Run keys.