The Iranian state-sponsored group dubbed MuddyWater has been attributed to a previously unseen command-and-control (C2) framework known as PhonyC2 that has been put to use by the actor since 2021.
Evidence shows that the custom-made, actively developed framework has been leveraged in the February 2023 attack on Technion, an Israeli research institute, cybersecurity firm Deep Instinct said in a report shared with The Hacker News.
What's more, additional links have been unearthed between the Python 3-based program and other attacks carried out by MuddyWater, including the ongoing exploitation of PaperCut servers.
"It is structurally and functionally similar to MuddyC3, a previous MuddyWater custom C2 framework that was written in Python 2," security researcher Simon Kenin said. "MuddyWater is continuously updating the PhonyC2 framework and changing TTPs to avoid detection."
MuddyWater, also known as Mango Sandstorm (previously Mercury), is a cyber espionage group that is known to operate on behalf of Iran's Ministry of Intelligence and Security (MOIS) since at least 2017.
The findings arrive nearly three months after Microsoft implicated the threat actor in carrying out destructive attacks on hybrid environments, while also calling out its collaboration with a related cluster tracked as Storm-1084 (aka DEV-1084 or DarkBit) for reconnaissance, persistence, and lateral movement.
"Iran conducts cyber operations aiming at intelligence collection for strategic purposes, primarily targeting neighboring states, especially Iran's geopolitical rivals such as Israel, Saudi Arabia, and Arabic Gulf countries, a continued focus observed in all operations since 2011," French cybersecurity company Sekoia said in an overview of pro-Iranian government cyber attacks.
Attack chains orchestrated by the group, like other Iran-nexus intrusion sets, employ vulnerable public-facing servers and social engineering as the primary initial access points to breach targets of interest.
"These include the use of charismatic sock puppets, the lure of potential job opportunities, solicitation by journalists, and masquerading as think tank experts seeking opinions," Recorded Future noted last year. "The use of social engineering is a central component of Iranian APT tradecraft when engaging in cyber espionage and information operations."
Deep Instinct said it discovered the PhonyC2 framework in April 2023 on a server that is related to broader infrastructure put to use by MuddyWater in its attack targeting Technion earlier this year. The same server was also found to host Ligolo, a staple reverse tunneling tool used by the threat actor.
The connection stems from the artifact names "C:\programdata\db.sqlite" and "C:\programdata\db.ps1," which Microsoft described as customized PowerShell backdoors used by MuddyWater and which are dynamically generated via the PhonyC2 framework for execution on the infected host.
PhonyC2 is a "post-exploitation framework used to generate various payloads that connect back to the C2 and wait for instructions from the operator to conduct the final step of the 'intrusion kill chain,'" Kenin said, calling it a successor to MuddyC3 and POWERSTATS.
Some of the notable commands supported by the framework are as follows:
- payload: Generate the payloads "C:\programdata\db.sqlite" and "C:\programdata\db.ps1" as well as a PowerShell command to execute db.ps1, which, in turn, executes db.sqlite
- droper: Create different variants of PowerShell commands to generate "C:\programdata\db.sqlite" by reaching out to the C2 server and writing the encoded contents sent by the server to the file
- Ex3cut3: Create different variants of PowerShell commands to generate "C:\programdata\db.ps1" — a script that contains the logic to decode db.sqlite — and the final-stage
- list: Enumerate all machines connected to the C2 server
- setcommandforall: Execute the same command across all connected hosts simultaneously
- use: Get a PowerShell shell on a remote computer to run more commands
- persist: Generate PowerShell code to allow the operator to gain persistence on the infected host so it will connect back to the server upon a restart
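The two artifact paths named above are the most concrete detection handle this report gives defenders. The following is an added example (not code from Deep Instinct or the article) that scans constructed Sysmon-style JSON events for the db.ps1 and db.sqlite artifacts under C:\programdata, including when the reference is hidden inside a PowerShell -EncodedCommand argument; the event IDs (1 = process create, 11 = file create) and field names are assumptions matching Sysmon's defaults.

```python
import base64
import json
import re

# Artifact names from the Deep Instinct report: db.sqlite and db.ps1 under C:\programdata.
# Either slash direction and any letter case are accepted, as Windows resolves paths that way.
ARTIFACT_RE = re.compile(r"c:[\\/]+programdata[\\/]+(db\.(?:ps1|sqlite))", re.IGNORECASE)
# powershell.exe -EncodedCommand and its accepted short forms (-e, -ec, -enc): base64 of UTF-16LE.
ENC_RE = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)


def decode_encoded_command(cmdline):
    """Return the decoded script behind an -EncodedCommand argument, or '' if none or invalid."""
    m = ENC_RE.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le", errors="ignore")
    except ValueError:
        return ""


def detect_phonyc2_artifacts(event_lines):
    """Scan JSON event lines; return (index, event kind, sorted artifact names) for each hit."""
    alerts = []
    for idx, line in enumerate(event_lines):
        ev = json.loads(line)
        if ev.get("EventID") == 11:  # Sysmon FileCreate (assumed schema)
            hits = {m.group(1).lower() for m in ARTIFACT_RE.finditer(ev.get("TargetFilename", ""))}
            kind = "file_create"
        elif ev.get("EventID") == 1:  # Sysmon ProcessCreate (assumed schema)
            cmd = ev.get("CommandLine", "")
            # Inspect both the raw command line and whatever -EncodedCommand conceals.
            hits = {m.group(1).lower() for m in ARTIFACT_RE.finditer(cmd + " " + decode_encoded_command(cmd))}
            kind = "process_create"
        else:
            continue
        if hits:
            alerts.append((idx, kind, sorted(hits)))
    return alerts


# Constructed sample events (not real telemetry); the second one hides the artifact in -enc.
_ENC = base64.b64encode("Get-Content C:\\programdata\\db.sqlite".encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    r'{"EventID": 1, "CommandLine": "powershell -ep bypass -f C:\\programdata\\db.ps1"}',
    json.dumps({"EventID": 1, "CommandLine": "powershell -nop -w hidden -enc " + _ENC}),
    r'{"EventID": 11, "TargetFilename": "C:/ProgramData/DB.SQLITE"}',
    r'{"EventID": 1, "CommandLine": "powershell -Command Get-Date"}',
]
```

Running `detect_phonyc2_artifacts(SAMPLE_EVENTS)` flags the first three events and leaves the benign Get-Date invocation alone.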
"The framework generates for the operator different PowerShell payloads," Mark Vaitzman, threat research team leader at Deep Instinct, told The Hacker News. "The operator needs to have initial access to a victim machine to execute them. Some of the generated payloads connect back to the operator C2 to allow persistence."
MuddyWater is far from the only Iranian nation-state group to train its eyes on Israel. In recent months, various entities in the country have been targeted by at least three different actors such as Charming Kitten (aka APT35), Imperial Kitten (aka Tortoiseshell), and Agrius (aka Pink Sandstorm).
"The C2 is what connects the initial phase of the attack to the final step," Vaitzman said. "For MuddyWater, the C2 framework is crucial as it allows them to stay stealthy and collect data from the victims. This isn't the first or last custom C2 framework they use during major attacks."