
The camouflage tactic used to hide the malware on the system is inspired by the way the snake in the game keeps moving in the same direction until the player decides to change it.
An Iranian hacker group called MuddyWater recently caught the attention of cybersecurity experts for borrowing a tactic from a well-known old game: Snake, the famous snake game.
The campaign was identified amid reports that the Iranian espionage group is attacking Israeli organizations with new malware that can bypass security controls to install malicious code on targeted devices.
To carry out these attacks, the attackers used a technique modelled on the game that was a hit on Nokia phones in the late 1990s. The game had a simple idea: steer a snake made of line segments around the board without hitting the edges. The objective was to make the snake eat food that appeared at random locations on the screen, earning the player points.
It is precisely this harmless little game that MuddyWater “adapted” for its campaigns against Israeli organizations.
Snake game for spying
An analysis by ESET experts found that the Iranian hacker group uses an advanced camouflage technique to hide malware on the system, preventing it from being easily found.
Named Fooder, the malicious program is inspired by the way the snake moves. In the game, movement happens in a short real-time loop with fixed intervals, during which the snake keeps moving in the same direction until the player decides to change it.
This is essentially what the MuddyWater malware does. Fooder has its own loop mechanism: instead of the installer running as soon as it lands on the device, it waits for a long period, remaining inactive as if it were “asleep”. The malicious program only activates after a full inspection of the system, changing course according to what the user is doing.
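To make the mechanism concrete, here is an added illustration of a fixed-interval delay loop that runs an environment check at every tick and compares the sleep it asked for against the time that actually elapsed. This is example code written for this page; it is not Fooder's code and is not derived from ESET's analysis. The function names, the FakeClock test double and the "host-ok" check value are all constructed for the example. The practitioner's caveat it demonstrates: an analysis sandbox that fast-forwards sleep() to shorten the wait leaves a measurable gap between requested and observed time, so patching sleeps during dynamic analysis can itself be noticed by a loop of this shape.

```python
"""Delayed-activation loop with per-tick environment checks (added example,
not Fooder's code).  FakeClock is a constructed test double so the example
runs offline and instantly."""
import time
from dataclasses import dataclass, field
from typing import Callable, List


@dataclass
class LoopResult:
    ticks: int
    expected_s: float   # total sleep time the loop requested
    observed_s: float   # time that actually elapsed on the clock
    skewed: bool        # observed far below expected: sleeps were skipped or accelerated
    checks: List[str] = field(default_factory=list)


def delay_loop(interval_s: float, ticks: int, env_check: Callable[[], str],
               sleep: Callable[[float], None] = time.sleep,
               clock: Callable[[], float] = time.monotonic,
               tolerance: float = 0.5) -> LoopResult:
    """Advance in fixed intervals, like the snake holding its heading, and run
    env_check() on every tick.  Requested sleep is then compared with elapsed
    clock time; if a sandbox short-circuits sleep(), observed_s comes out far
    below expected_s and the result is flagged as skewed (a real sample would
    simply stay dormant at that point)."""
    start = clock()
    checks: List[str] = []
    for _ in range(ticks):
        sleep(interval_s)
        checks.append(env_check())
    observed = clock() - start
    expected = interval_s * ticks
    return LoopResult(ticks, expected, observed, observed < expected * tolerance, checks)


class FakeClock:
    """Constructed test double: sleep() either advances the clock honestly or
    returns immediately, modelling a sandbox that accelerates sleeps."""

    def __init__(self, honest: bool) -> None:
        self.honest = honest
        self.t = 0.0

    def now(self) -> float:
        return self.t

    def sleep(self, seconds: float) -> None:
        if self.honest:
            self.t += seconds


if __name__ == "__main__":
    honest = FakeClock(honest=True)
    print(delay_loop(60.0, 5, lambda: "host-ok", sleep=honest.sleep, clock=honest.now))
    fast = FakeClock(honest=False)
    print(delay_loop(60.0, 5, lambda: "host-ok", sleep=fast.sleep, clock=fast.now))
```

With the honest clock the five 60-second ticks add up to 300 observed seconds and nothing is flagged; with the accelerated clock the loop finishes in zero observed seconds and the result is marked skewed. In a real environment you would pass `time.sleep` and `time.monotonic` (the defaults) and a real host-inspection callable in place of the lambda.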
Evolution of tactics
MuddyWater generally relies on similar tactics when orchestrating its digital attacks. In the vast majority of cases, the group sends spear-phishing emails with a PDF attachment that leads to a remote monitoring and management tool. If the victim installs the program, the attackers gain full access to the device.
What sets MuddyWater apart is that the group is not usually very subtle in its campaigns. Experts routinely find traces of its activity, because these habitual techniques leave records on the victim's system before any data is exfiltrated.
This is why the snake game scheme raised a red flag: it shows an evolution of the cyberespionage group, which now appears better able to hide its actions.
