
An Iranian hacker group known as MuddyWater was observed leveraging a new backdoor called UDPGangster that uses User Datagram Protocol (UDP) for command and control (C2) purposes.
According to a Fortinet FortiGuard Labs report, the cyber espionage campaign targeted users in Türkiye, Israel, and Azerbaijan.
“This malware allows remote control of compromised systems by allowing attackers to execute commands, extract files, and deploy additional payloads. All of these communications occur over UDP channels designed to evade traditional network defenses,” said security researcher Cara Lin.
This attack chain involves a spear-phishing tactic that distributes a booby-trapped Microsoft Word document that triggers the execution of a malicious payload when a macro is enabled. Some of the phishing messages impersonate the Ministry of Foreign Affairs of the Turkish Republic of Northern Cyprus and aim to invite recipients to a webinar titled “Presidential Election and Its Results.”

The email includes a ZIP file (“seminer.zip”) and a Word document (“seminer.doc”) attached. The ZIP file also contains the same Word file, which, when opened, prompts the user to enable macros that secretly run embedded VBA code.
The VBA script in the dropper file has the ability to hide any signs of malicious activity by displaying decoy images in Hebrew from the Israeli telecommunications provider Bezeq regarding the expected disconnection period for the first week of November 2025 in various cities in the country.
“This macro runs automatically using the Document_Open() event to decode Base64-encoded data from a hidden form field (UserForm1.bodf90.Text) and writes the decoded content to C:\Users\Public\ui.txt,” Lin explained. “It then runs this file using the Windows API CreateProcessA to launch the UDPGangster payload.”

UDPGangster establishes persistence through Windows registry modifications and boasts various anti-analysis checks to resist analysis efforts by security researchers. These include:
- Determining whether the process is being debugged
- Analyzing the CPU configuration for signs of a sandbox or virtual machine
- Determining if the system has less than 2048 MB of RAM
- Obtaining network adapter information and verifying whether the MAC address prefix matches a list of known virtual machine vendors
- Verifying whether the computer is part of the default Windows workgroup rather than a joined domain
- Checking for running virtualization-related processes such as VBoxService.exe, VBoxTray.exe, vmware.exe, and vmtoolsd.exe
- Running a registry scan for matches with known virtualization vendor IDs such as VBox, VMBox, QEMU, VIRTUAL, VIRTUALBOX, VMWARE, and Xen
- Searching for known sandboxing or debugging tools to see if the file is running in an analysis environment

Only after these checks pass will UDPGangster begin collecting system information and connect to the external server (157.20.182[.]75) over UDP port 1269 to exfiltrate the collected data, execute commands using “cmd.exe”, send files, update the C2 server, and drop and execute additional payloads.
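As an added defensive illustration that is not part of the article or the Fortinet report, the following Python routine correlates the three observable stages of the chain described above: an Office process writing a file under C:\Users\Public (the macro dropper), a process later launched from that dropped path (the CreateProcessA step), and that process sending UDP traffic to port 1269 or the cited C2 address. Field names follow Sysmon conventions (EventID 11 FileCreate, 1 ProcessCreate, 3 NetworkConnect); the event records, process IDs, timestamps and benign noise are constructed for this example, the C2 address and port are the ones the article cites, and the function names are assumptions of this example.

```python
# Added example (not the article's or Fortinet's code): correlate constructed
# Sysmon-style events to flag the dropper -> execution -> UDP beacon chain.

C2_PORT = 1269
# Defanged indicator from the article, re-fanged here for matching.
C2_IP = "157.20.182.75"
PUBLIC_PREFIX = r"c:\users\public"
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}

# Constructed sample telemetry (Sysmon-like): 11 = FileCreate, 1 = ProcessCreate,
# 3 = NetworkConnect. Paths, PIDs and times are made up for this example.
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "TargetFilename": r"C:\Users\Public\ui.txt", "UtcTime": "2025-11-03 09:12:01"},
    {"EventID": 1, "Image": r"C:\Users\Public\ui.txt", "ProcessId": 4412,
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "UtcTime": "2025-11-03 09:12:02"},
    {"EventID": 3, "Image": r"C:\Users\Public\ui.txt", "ProcessId": 4412, "Protocol": "udp",
     "DestinationIp": "157.20.182.75", "DestinationPort": 1269, "UtcTime": "2025-11-03 09:12:05"},
    # Benign noise: a browser download into Public and ordinary DNS over UDP.
    {"EventID": 11, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "TargetFilename": r"C:\Users\Public\Downloads\report.pdf", "UtcTime": "2025-11-03 09:13:00"},
    {"EventID": 3, "Image": r"C:\Windows\System32\svchost.exe", "ProcessId": 1200, "Protocol": "udp",
     "DestinationIp": "10.0.0.1", "DestinationPort": 53, "UtcTime": "2025-11-03 09:13:01"},
]


def _base(path):
    """Lower-cased file name component of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def _in_public(path):
    return path.lower().startswith(PUBLIC_PREFIX)


def correlate(events):
    """Return (stage, detail) findings for the dropper/execution/beacon chain."""
    findings = []

    # Stage 1: an Office process writes a file under C:\Users\Public (macro dropper).
    dropped = {
        e["TargetFilename"].lower()
        for e in events
        if e["EventID"] == 11
        and _base(e["Image"]) in OFFICE_PARENTS
        and _in_public(e["TargetFilename"])
    }
    for path in sorted(dropped):
        findings.append(("office_drop_to_public", path))

    # Stage 2: a process is launched from one of the dropped paths.
    launched = {}
    for e in events:
        if e["EventID"] == 1 and e["Image"].lower() in dropped:
            launched[e["ProcessId"]] = e["Image"].lower()
            findings.append(("dropped_file_executed", e["Image"].lower()))

    # Stage 3: UDP traffic to the C2 port or address; rated high when it comes
    # from a process launched in stage 2, medium otherwise.
    for e in events:
        if e["EventID"] == 3 and e.get("Protocol", "").lower() == "udp":
            if e["DestinationPort"] == C2_PORT or e["DestinationIp"] == C2_IP:
                severity = "high" if e["ProcessId"] in launched else "medium"
                findings.append(("udp_c2_beacon",
                                 f"{e['DestinationIp']}:{e['DestinationPort']} severity={severity}"))
    return findings


if __name__ == "__main__":
    for stage, detail in correlate(SAMPLE_EVENTS):
        print(f"{stage:24} {detail}")
```

The DNS and browser events are deliberately included so the routine shows that neither "UDP alone" nor "a write to Public alone" fires; only the combination of an Office parent, execution from the dropped path, and the specific port or address reaches high severity.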
“UDPGangster uses a macro-based dropper for initial access and incorporates extensive anti-analysis routines to evade detection,” Lin said. “Users and organizations should be wary of unsolicited documents, especially those that request macro activation.”
This development comes days after ESET reported that attackers distributed another backdoor called MuddyViper in attacks across Israel’s academia, engineering, local government, manufacturing, technology, transportation, and utilities sectors.