Iranian nation-state actors have been noticed utilizing a beforehand undocumented command-and-control (C2) framework known as MuddyC2Go as a part of assaults focusing on Israel.
“The framework’s internet element is written within the Go programming language,” Deep Intuition security researcher Simon Kenin mentioned in a technical report revealed Wednesday.
The device has been attributed to MuddyWater, an Iranian state-sponsored hacking crew that is affiliated to the nation’s Ministry of Intelligence and Safety (MOIS).
The cybersecurity agency mentioned the C2 framework might have been put to make use of by the menace actor since early 2020, with current assaults leveraging it instead of PhonyC2, one other customized C2 platform from MuddyWater that got here to mild in June 2023 and has had its supply code leaked.
Typical assault sequences noticed over time have concerned sending spear-phishing emails bearing malware-laced archives or bogus hyperlinks that result in the deployment of authentic distant administration instruments.
The set up of the distant administration software program paves the way in which for the supply of further payloads, together with PhonyC2.
MuddyWater’s modus operandi has since obtained a facelift, utilizing password-protected archives to evade e mail security options and distributing an executable as an alternative of a distant administration device.
“This executable incorporates an embedded PowerShell script that mechanically connects to MuddyWater’s C2, eliminating the necessity for handbook execution by the operator,” Kenin defined.
The MuddyC2Go server, in return, sends a PowerShell script, which runs each 10 seconds and waits for additional instructions from the operator.
Whereas the complete extent of MuddyC2Go’s options are unknown, it is suspected to be a framework that is chargeable for producing PowerShell payloads as a way to conduct post-exploitation actions.
“We suggest disabling PowerShell if it isn’t wanted,” Kenin mentioned. “Whether it is enabled, we suggest shut monitoring of PowerShell exercise.”