The Iranian nation-state actor known as MuddyWater has leveraged a newly discovered command-and-control (C2) framework called MuddyC2Go in its attacks on the telecommunications sector in Egypt, Sudan, and Tanzania.
The Symantec Threat Hunter Team, part of Broadcom, is tracking the activity under the name Seedworm, which is also tracked under the monikers Boggy Serpens, Cobalt Ulster, Earth Vetala, ITG17, Mango Sandstorm (formerly Mercury), Static Kitten, TEMP.Zagros, and Yellow Nix.
Active since at least 2017, MuddyWater is assessed to be affiliated with Iran’s Ministry of Intelligence and Security (MOIS), primarily singling out entities in the Middle East.
The cyber espionage group’s use of MuddyC2Go was first highlighted by Deep Instinct last month, describing it as a Golang-based replacement for PhonyC2, itself a successor to MuddyC3. However, there is evidence to suggest that it may have been employed as early as 2020.
While the full extent of MuddyC2Go’s capabilities is not yet known, the executable comes fitted with a PowerShell script that automatically connects to Seedworm’s C2 server, thereby giving the attackers remote access to a victim system and obviating the need for manual execution by an operator.
The latest set of intrusions, which took place in November 2023, have also been found to rely on SimpleHelp and Venom Proxy, alongside a custom keylogger and other publicly available tools.
Attack chains mounted by the group have a track record of weaponizing phishing emails and known vulnerabilities in unpatched applications for initial access, followed by conducting reconnaissance, lateral movement, and data collection.
In the attacks documented by Symantec targeting an unnamed telecommunications organization, the MuddyC2Go launcher was executed to establish contact with an actor-controlled server, while also deploying legitimate remote access software like AnyDesk and SimpleHelp.
The entity is said to have been previously compromised by the adversary earlier in 2023 in which SimpleHelp was used to launch PowerShell, deliver proxy software, and also install the JumpCloud remote access tool.
“In another telecommunications and media company targeted by the attackers, multiple incidents of SimpleHelp were used to connect to known Seedworm infrastructure,” Symantec noted. “A custom build of the Venom Proxy hacktool was also executed on this network, as well as the new custom keylogger used by the attackers in this activity.”
By utilizing a combination of bespoke, living-off-the-land, and publicly available tools in its attack chains, the goal is to evade detection for as long as possible to meet its strategic objectives, the company said.
“The group continues to innovate and develop its toolset when required in order to keep its activity under the radar,” Symantec concluded. “The group still makes heavy use of PowerShell and PowerShell-related tools and scripts, underlining the need for organizations to be aware of suspicious use of PowerShell on their networks.”
The development comes as an Israel-linked group called Gonjeshke Darande (meaning “Predatory Sparrow” in Persian) claimed responsibility for a cyber attack that disrupted a “majority of the gas pumps throughout Iran” in response to the “aggression of the Islamic Republic and its proxies in the region.”
The group, which reemerged in October 2023 after going quiet for nearly a year, is believed to be linked to the Israeli Military Intelligence Directorate, having conducted destructive attacks in Iran, including steel facilities, petrol stations, and rail networks in the country.
The cyber assault also follows an advisory from the Israel National Cyber Directorate (INCD) that accused Iran and the pro-Hamas group Hezbollah of unsuccessfully attempting to disrupt Ziv Hospital, attributing the attack to threat actors named Agrius and Lebanese Cedar.
“The attack was executed by the Iranian Ministry of Intelligence with the involvement of Hezbollah’s ‘Lebanese Cedar’ cyber units under the leadership of Mohammad Ali Merhi,” the INCD said.