The nation-state actor MuddyWater, associated with Iran, has employed a recently identified command-and-control (C2) framework named MuddyC2Go in its attacks on the telecommunications sector in Egypt, Sudan, and Tanzania.

Symantec’s Threat Hunter Team, a part of Broadcom, is monitoring this activity under the alias Seedworm, also known as Boggy Serpens, Cobalt Ulster, Earth Vetala, ITG17, Mango Sandstorm (formerly Mercury), Static Kitten, TEMP.Zagros, and Yellow Nix.

Active since at least 2017, MuddyWater is linked to Iran’s Ministry of Intelligence and Security (MOIS), focusing primarily on entities in the Middle East.

The cyber espionage group's use of MuddyC2Go was first brought to light by Deep Instinct, which described it as a Golang-based successor to PhonyC2, itself a follow-up to MuddyC3. Although it was first highlighted only last month, evidence suggests it may have been in use as early as 2020.

While the full capabilities of MuddyC2Go are not yet understood, the executable includes a PowerShell script that automatically connects to Seedworm's C2 server, granting remote access to the victim system without requiring manual execution by an operator.

In the most recent intrusions in November 2023, the group utilized SimpleHelp and Venom Proxy, in addition to a custom keylogger and other publicly available tools.

The attack patterns of the group involve weaponizing phishing emails and exploiting vulnerabilities in unpatched applications for initial access. Subsequently, they engage in reconnaissance, lateral movement, and data collection.

In attacks documented by Symantec against an unnamed telecommunications organization, the MuddyC2Go launcher established contact with an actor-controlled server. Legitimate remote access software such as AnyDesk and SimpleHelp was also deployed in this instance.

Another targeted telecommunications and media company experienced multiple incidents of SimpleHelp connecting to known Seedworm infrastructure. This network also saw the execution of a custom build of the Venom Proxy hacktool and a new custom keylogger used by the attackers.

By combining bespoke, living-off-the-land, and publicly available tools in their attack strategies, the group aims to avoid detection for an extended duration to achieve its strategic goals.

Symantec emphasized the group’s continuous innovation and development of its toolset to remain discreet, highlighting its consistent use of PowerShell and related tools and scripts. This underscores the importance for organizations to be vigilant regarding suspicious use of PowerShell on their networks.
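The behaviour described above, an executable that starts PowerShell which then calls out to a C2 server, is something process and network telemetry can surface. The following is an added detection example, not code from the article or from Symantec; it correlates constructed Sysmon-style process-creation and network-connection records, and the list of "expected" parent processes is an assumed baseline to be tuned per environment.

```python
import ntpath
from datetime import datetime

# Parents that routinely start PowerShell in this (assumed) environment; adjust per baseline.
EXPECTED_PARENTS = {"explorer.exe", "cmd.exe", "powershell.exe", "windowsterminal.exe",
                    "services.exe", "svchost.exe", "code.exe"}
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed Sysmon-style records, not real telemetry:
# (event_id, utc_time, pid, image, parent_image, destination); EID 1 = process create, EID 3 = network
SAMPLE_EVENTS = [
    (1, "2023-11-14 09:01:02", 4120, PS, r"C:\Windows\explorer.exe", None),
    (3, "2023-11-14 09:01:05", 4120, PS, None, "10.0.0.5:445"),          # interactive session, expected parent
    (1, "2023-11-14 09:02:10", 5210, PS, r"C:\Users\Public\update.exe", None),
    (3, "2023-11-14 09:02:12", 5210, PS, None, "203.0.113.7:443"),       # launcher-style: odd parent, quick callout
    (1, "2023-11-14 09:03:00", 6001, PS, r"C:\Users\Public\other.exe", None),
    (3, "2023-11-14 09:09:00", 6001, PS, None, "198.51.100.9:8080"),     # outside the default correlation window
]

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

def find_suspicious(events, window_seconds=60):
    """Return (pid, parent_basename, destination) for every PowerShell process that was
    started by an unexpected parent and made a network connection within window_seconds."""
    candidates = {}   # pid -> (launch_time, parent basename)
    alerts = []
    for eid, ts, pid, image, parent, dest in sorted(events, key=lambda e: e[1]):
        if ntpath.basename(image).lower() != "powershell.exe":
            continue
        if eid == 1:
            pbase = ntpath.basename(parent).lower()
            if pbase not in EXPECTED_PARENTS:
                candidates[pid] = (parse_ts(ts), pbase)
        elif eid == 3 and pid in candidates:
            launched, pbase = candidates[pid]
            if (parse_ts(ts) - launched).total_seconds() <= window_seconds:
                alerts.append((pid, pbase, dest))
    return alerts

if __name__ == "__main__":
    for pid, parent, dest in find_suspicious(SAMPLE_EVENTS):
        print(f"review: powershell.exe pid {pid} spawned by {parent} connected to {dest}")
```

Widening `window_seconds` trades precision for recall; the third sample process is only flagged once the window covers its six-minute delay.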

Meanwhile, an Israel-linked group named Gonjeshke Darande has claimed responsibility for a cyber attack disrupting a majority of gas pumps in Iran. The group, believed to be connected to the Israeli Military Intelligence Directorate, recently reemerged after nearly a year of inactivity, conducting destructive attacks on various targets in Iran.
