The Iranian state-sponsored hacking group known as MuddyWater has been identified deploying a new backdoor named UDPGangster, which is noteworthy for its use of the User Datagram Protocol (UDP) for its command-and-control (C2) infrastructure. This choice of protocol is strategic, as it is designed to bypass traditional network security measures that often focus on monitoring and inspecting TCP traffic. This cyber espionage campaign has specifically focused its attacks on users located in Turkey, Israel, and Azerbaijan. The malware gives attackers complete remote control over compromised systems, enabling them to execute commands, steal files, and deploy further malicious payloads, all covertly transmitted over UDP channels.
The initial phase of the attack utilizes spear-phishing tactics to distribute malicious Microsoft Word documents. These documents are cleverly booby-trapped with code that is only executed once a recipient is socially engineered into enabling macros. In some instances, the phishing emails impersonated the Turkish Republic of Northern Cyprus Ministry of Foreign Affairs, inviting recipients to an online seminar titled “Presidential Elections and Results.” The emails contained both a ZIP file (“seminer.zip”) and a Word document (“seminer.doc”), with the ZIP file containing the same Word file, which prompts users to activate macros to secretly run the embedded VBA code.
To maintain stealth and distract the victim, the VBA script embedded in the dropper file displays a decoy image. This image is written in Hebrew and purports to be from the Israeli telecommunications provider Bezeq, notifying the user about planned disconnection periods. The macro executes automatically upon the document being opened using the $Document\_Open()$ event. It decodes Base64-encoded data hidden within a form field, writes this decoded content to a file in the $C:\\Users\\Public$ directory, and then uses the Windows API $CreateProcessA$ function to execute this file, which is the UDPGangster payload itself.
Once executed, UDPGangster establishes persistence by making modifications to the Windows Registry. Significantly, the malware incorporates a sophisticated array of anti-analysis checks to resist detection and reverse-engineering efforts by security researchers. These routines include verifying if the process is being debugged, analyzing CPU configurations for virtual machines or sandboxes, checking if the system has less than 2048 MB of RAM, and validating whether the computer is part of the default Windows workgroup rather than a joined domain. Furthermore, it searches for known sandboxing, debugging, and virtualization tools such as VBoxService.exe, vmware.exe, and others, and performs Registry scans for virtualization vendor identifiers.
The malware only proceeds with its core functions after successfully passing all these extensive checks. Once active, UDPGangster gathers comprehensive system information and connects to an external server at 157.20.182[.]75 over UDP port 1269. Over this established C2 channel, it exfiltrates the collected data, executes operating system commands using “cmd.exe,” transmits files, updates its C2 server information, and can drop and run additional payloads. This development follows a recent report from ESET, which also attributed the same threat actor to a wave of attacks across multiple sectors in Israel, where they delivered a different backdoor known as MuddyViper.
Reference:
