The Iranian threat actor known as MuddyWater has been attributed to a new command-and-control (C2) infrastructure dubbed DarkBeatC2, the latest such tool in its arsenal after SimpleHarm, MuddyC3, PhonyC2 and MuddyC2Go.
“While it occasionally switches to new remote management tools or changes its C2 framework, MuddyWater’s approach remains unchanged,” Deep Instinct security researcher Simon Kenin said in a technical report released last week.
MuddyWater, also known as Boggy Serpens, Mango Sandstorm and TA450, is assessed to be affiliated with Iran’s Ministry of Intelligence and Security (MOIS). The group is understood to have been active since at least 2017, orchestrating spear phishing attacks that resulted in the deployment of a variety of legitimate remote monitoring and management (RMM) solutions on compromised systems.
Previous findings from Microsoft linked the group to another Iranian threat activity cluster tracked as Storm-1084 (also known as DarkBit), which leveraged the access obtained by MuddyWater to orchestrate destructive wiper attacks against Israeli entities.
Proofpoint also disclosed details of a recent campaign last month: it begins with spear-phishing emails sent from compromised accounts that carry links or attachments hosted on services such as Egnyte, which are used to deliver the Atera Agent software.
One of the URLs in question is “kinneretacil.egnyte[.]com”, where the subdomain “kinneretacil” refers to “kinneret.ac.il”, an educational institution in Israel and a client of Rashim, which was in turn compromised by Lord Nemesis (aka Nemesis Kitten or TunnelVision) as part of a supply chain attack targeting the academic sector in Israel.
Lord Nemesis is suspected of being a “fake” hacktivist operation directed against Israel. It is also worth noting that Nemesis Kitten is a private contracting company called Najee Technology, assessed to be a sub-group within Mint Sandstorm and backed by Iran’s Islamic Revolutionary Guard Corps (IRGC). The company was sanctioned by the U.S. Treasury Department in September 2022.
“This is important because if Nemesis was able to hack into Rashim’s email system, they could have used the administrative accounts that we now know they obtained from ‘Rashim’ to break into the email systems of Rashim’s clients,” Kenin explained.
The connection raises the possibility that MuddyWater used email accounts associated with Kinneret to distribute the links, lending the messages an illusion of trust and tricking recipients into clicking on them.
Kenin further added: “While inconclusive, the time frame and context of the incident suggest there may have been a handoff or collaboration between the IRGC and MOIS to cause as much harm as possible to Israeli organizations and individuals.”
These attacks are also notable for their reliance on a set of domains and IP addresses, collectively tracked as DarkBeatC2, that manage the compromised endpoints. Control is established through PowerShell code designed to contact the C2 server after initial access has been gained by other means.
According to an independent investigation by Palo Alto Networks Unit 42, the threat actor was found to be abusing the AutodialDLL registry value in Windows to side-load a malicious DLL and ultimately establish a connection to a DarkBeatC2 domain.
The mechanism entails setting up persistence via a scheduled task that runs PowerShell, which leverages the AutodialDLL registry value to load the DLL belonging to the C2 framework. The cybersecurity firm said the technique has been used in cyberattacks against unnamed targets in the Middle East.
Other methods MuddyWater uses to establish C2 connections include first-stage payloads delivered via spear-phishing emails and DLL side-loading to execute malicious libraries.
Successful contact allows the infected host to receive a PowerShell response that fetches two further PowerShell scripts from the same server.
One of the scripts is designed to read the contents of a file named “C:\ProgramData\SysInt.log” and transmit it to the C2 server via an HTTP POST request, while the second periodically polls the server for additional payloads and writes the execution results to “SysInt.log”. The exact nature of the next-stage payload is currently unclear.
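The persistence chain (AutodialDLL value plus a PowerShell scheduled task) and the SysInt.log staging file described above translate directly into host-side checks. The following script is an added example written for this page, not code from the Deep Instinct or Unit 42 reports: it audits the WinSock2 AutodialDLL value, lists scheduled tasks that launch PowerShell, looks for the staging file, and searches script block logs (event 4104) for references to the two artifacts. The assumption that a clean system points AutodialDLL at rasadhlp.dll under System32, and the argument heuristic used to rank tasks, are the author’s own and should be checked against a known-good baseline before acting on the output.

```powershell
# Added hunt script (example, not from the reports cited above). Run elevated
# on the host under examination. Assumption: on a clean system AutodialDLL
# points at rasadhlp.dll inside %SystemRoot%\System32.

function Test-AutodialDll {
    # Persistence via the WinSock2 AutodialDLL value: any library other than
    # the stock rasadhlp.dll is loaded by processes using Winsock and deserves a look.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters'
    $value = (Get-ItemProperty -Path $key -Name AutodialDLL -ErrorAction SilentlyContinue).AutodialDLL
    if (-not $value) {
        return [pscustomobject]@{ Check = 'AutodialDLL'; Suspicious = $false; Detail = 'value not set' }
    }
    $expanded = [Environment]::ExpandEnvironmentVariables($value)
    $sys32    = Join-Path $env:SystemRoot 'System32'
    $ok = ([IO.Path]::GetFileName($expanded) -ieq 'rasadhlp.dll') -and ($expanded -ilike "$sys32\*")
    [pscustomobject]@{ Check = 'AutodialDLL'; Suspicious = (-not $ok); Detail = $value }
}

function Get-PowerShellTasks {
    # Scheduled tasks whose action launches PowerShell. The reported chain uses
    # one to (re)load the DLL registered in AutodialDLL. The argument heuristic
    # below is an assumption: it ranks hidden/encoded/download-style launches higher.
    $loaderPattern = '-enc|-e |-w\s*hidden|-nop|IEX|DownloadString|Invoke-WebRequest|Net\.WebClient'
    Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            if ($action.Execute -imatch 'powershell|pwsh') {
                [pscustomobject]@{
                    Check      = 'ScheduledTask'
                    Suspicious = [bool]($action.Arguments -imatch $loaderPattern)
                    Detail     = "$($task.TaskPath)$($task.TaskName) -> $($action.Execute) $($action.Arguments)"
                }
            }
        }
    }
}

function Test-SysIntLog {
    # Both reported scripts exchange data through C:\ProgramData\SysInt.log.
    $path   = Join-Path $env:ProgramData 'SysInt.log'
    $exists = Test-Path -LiteralPath $path
    $detail = if ($exists) { (Get-Item -LiteralPath $path).LastWriteTime.ToString('o') } else { 'absent' }
    [pscustomobject]@{ Check = 'SysInt.log'; Suspicious = $exists; Detail = "$path ($detail)" }
}

function Get-ScriptBlockHits {
    # Script block logging (event 4104) must be enabled for this to return anything.
    $filter = @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 }
    Get-WinEvent -FilterHashtable $filter -MaxEvents 5000 -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -imatch 'SysInt\.log|AutodialDLL' } |
        ForEach-Object {
            [pscustomobject]@{
                Check      = 'ScriptBlock'
                Suspicious = $true
                Detail     = "$($_.TimeCreated.ToString('o')) record $($_.RecordId)"
            }
        }
}

$results = @(Test-AutodialDll) + @(Test-SysIntLog) + @(Get-PowerShellTasks) + @(Get-ScriptBlockHits)
$results | Format-Table -AutoSize
if ($results | Where-Object Suspicious) {
    Write-Warning 'One or more DarkBeatC2-style indicators found; triage before remediating.'
}
```

The AutodialDLL check is the highest-signal item: the value is rarely changed legitimately, so a non-default path is worth pulling for analysis regardless of what the other checks return. The scheduled-task listing will include benign PowerShell tasks on many hosts; treat the `Suspicious` flag there as a ranking aid, not a verdict.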
“This framework is similar to the C2 framework that MuddyWater previously used,” Kenin said. “PowerShell is still their ‘bread and butter’.”
Curious Serpens targets defense sector via FalseFont backdoor
This disclosure comes as Unit 42 unravels the inner workings of a backdoor known as FalseFont, used by an Iranian threat group tracked as Peach Sandstorm (aka APT33, Curious Serpens, Elfin, and Refined Kitten) to target the aerospace and defense sectors.
Security researchers Tom Fakterman, Daniel Frank and Jerome Tujague described FalseFont as “highly targeted,” noting that “threat actors mimic legitimate HR software and use a fake recruiting process to trick victims into installing a backdoor.”
Once installed, it presents a login interface impersonating an aerospace company and captures the credentials, along with the education and employment history, that the victim enters, sending them in JSON format to a C2 server controlled by the threat actor.
In addition to the graphical user interface (GUI) component used for user input, the implant silently launches a second component in the background that establishes persistence on the system, collects system metadata, and executes commands and processes sent by the C2 server.
Other capabilities of FalseFont include the ability to download and upload files, steal credentials, take screenshots, terminate specific processes, execute PowerShell commands, and self-update the malware.