Iranian Hackers Utilizing MuddyC2Go in Telecom Espionage Assaults Throughout Africa

Dec 19, 2023NewsroomCyber Espionage / Cyber Assault

The Iranian nation-state actor often called MuddyWater has leveraged a newly found command-and-control (C2) framework referred to as MuddyC2Go in its assaults on the telecommunications sector in Egypt, Sudan, and Tanzania.

The Symantec Menace Hunter Group, a part of Broadcom, is monitoring the exercise beneath the title Seedworm, which can also be tracked beneath the monikers Boggy Serpens, Cobalt Ulster, Earth Vetala, ITG17, Mango Sandstorm (previously Mercury), Static Kitten, TEMP.Zagros, and Yellow Nix.

Energetic since a minimum of 2017, MuddyWater is assessed to be affiliated with Iran’s Ministry of Intelligence and Safety (MOIS), primarily singling out entities within the Center East.

The cyber espionage group’s use of MuddyC2Go was first highlighted by Deep Intuition final month, describing it as a Golang-based alternative for PhonyC2, itself a successor to MuddyC3. Nonetheless, there may be proof to recommend that it might have been employed as early as 2020.

Whereas the total extent of MuddyC2Go’s capabilities isn’t but recognized, the executable comes fitted with a PowerShell script that routinely connects to Seedworm’s C2 server, thereby giving the attackers distant entry to a sufferer system and obviating the necessity for guide execution by an operator.

The most recent set of intrusions, which came about in November 2023, have additionally been discovered to depend on SimpleHelp and Venom Proxy, alongside a customized keylogger and different publicly out there instruments.

Assault chains mounted by the group have a observe document of weaponizing phishing emails and recognized vulnerabilities in unpatched purposes for preliminary entry, adopted by conducting reconnaissance, lateral motion, and information assortment.

Within the assaults documented by Symantec focusing on an unnamed telecommunications group, the MuddyC2Go launcher was executed to determine contact with an actor-controlled server, whereas additionally deploying respectable distant entry software program like AnyDesk and SimpleHelp.

The entity is claimed to have been beforehand compromised by the adversary earlier in 2023 by which SimpleHelp was used to launch PowerShell, ship proxy software program, and likewise set up the JumpCloud distant entry device.

“In one other telecommunications and media firm focused by the attackers, a number of incidents of SimpleHelp had been used to connect with recognized Seedworm infrastructure,” Symantec famous. “A customized construct of the Venom Proxy hacktool was additionally executed on this community, in addition to the brand new customized keylogger utilized by the attackers on this exercise.”

By using a mix of bespoke, living-off-the-land, and publicly out there instruments in its assault chains, the purpose is to evade detection for so long as potential to satisfy its strategic goals, the corporate mentioned.

“The group continues to innovate and develop its toolset when required so as to hold its exercise beneath the radar,” Symantec concluded. “The group nonetheless makes heavy use of PowerShell and PowerShell-related instruments and scripts, underlining the necessity for organizations to pay attention to suspicious use of PowerShell on their networks.”

The event comes as an Israel-linked group referred to as Gonjeshke Darande (which means “Predatory Sparrow” in Persian) claimed accountability for a cyber assault that disrupted a “majority of the fuel pumps all through Iran” in response to the “aggression of the Islamic Republic and its proxies within the area.”

The group, which reemerged in October 2023 after going quiet for practically a yr, is believed to be linked to the Israeli Army Intelligence Directorate, having carried out damaging assaults in Iran, together with metal amenities, petrol stations, and rail networks within the nation.