Iranian nation-state actors [3] [4] [5], specifically the MuddyWater APT group, have been identified as the source of cyber attacks since 2017 [2]. The group, also tracked under the names “Agonizing Serpens” and “Agrius,” has recently been observed using a previously undocumented command-and-control (C2) framework called MuddyC2Go in cyber attacks targeting Israel.

Description

MuddyC2Go is a web component written in the Go programming language and has been attributed to MuddyWater [4], an Iranian state-sponsored hacking group affiliated with Iran’s Ministry of Intelligence and Security (MOIS) [3] [5]. It is believed that the C2 framework has been in use since early 2020 and has replaced PhonyC2 [3], another custom C2 platform from MuddyWater [3] [5], which had its source code leaked in June 2023.

The main objectives of MuddyWater’s attacks are stealing sensitive information and causing chaos by wiping out endpoints. They have targeted multiple countries, including Turkey [2], Pakistan [2], the United Arab Emirates [2], Iraq [1] [2], Israel [1] [2] [3] [4] [5], Saudi Arabia [2], Jordan [1] [2], the United States [2], Azerbaijan [2], and Afghanistan [2].

MuddyWater’s attack sequences typically begin with spear-phishing emails carrying malware-laced archives or fraudulent links that lead to the deployment of remote administration tools [5]. In the past, the group used remote administration software to deliver additional payloads, including PhonyC2 [5]. Recent attacks, however, have shifted to password-protected archives that distribute an executable instead of a remote administration tool. This executable contains an embedded PowerShell script that automatically connects to the MuddyC2Go server [5]. The server then responds with a PowerShell script that executes every 10 seconds and waits for further commands [5].

The full extent of MuddyC2Go’s features is unknown [5], but it is suspected to be a framework for generating PowerShell payloads for post-exploitation activities [5]. The framework is difficult to identify due to its generic appearance [1], but unique URL patterns have helped uncover its usage since 2020 [1]. All known active servers for MuddyC2Go have been traced to a VPS provider called Stark Industries [1].

MuddyWater has been known to publish stolen data on social media platforms and Telegram channels [2], highlighting the evolving nature of threat actors [1]. Proactive cybersecurity measures [1] [2], such as disabling PowerShell where it is not required and closely monitoring all PowerShell activity [1] [5], are crucial in mitigating these threats.
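The 10-second polling described above gives defenders something concrete to look for when monitoring PowerShell activity. The following detector is an added example, not code from the cited reports or from the MuddyC2Go framework; it runs over constructed network-log lines (the hosts, destinations and timestamps are invented, not indicators from the reporting) and flags any PowerShell process whose outbound connections to one destination recur at a near-constant interval. The 10-second target, the tolerance and the minimum event count are assumed thresholds.

```python
"""Flag PowerShell processes that contact one destination on a fixed cadence."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log (not real indicators). Format per line:
# "<ISO timestamp> <host> <process> <destination>". ws01 polls one
# address from powershell.exe about every 10 s; ws02 is normal browsing.
SAMPLE_LOG = """\
2023-11-09T10:00:00 ws01 powershell.exe 203.0.113.10:443
2023-11-09T10:00:10 ws01 powershell.exe 203.0.113.10:443
2023-11-09T10:00:21 ws01 powershell.exe 203.0.113.10:443
2023-11-09T10:00:30 ws01 powershell.exe 203.0.113.10:443
2023-11-09T10:00:40 ws01 powershell.exe 203.0.113.10:443
2023-11-09T10:00:03 ws02 chrome.exe 198.51.100.7:443
2023-11-09T10:00:47 ws02 chrome.exe 198.51.100.7:443
2023-11-09T10:02:05 ws02 chrome.exe 198.51.100.7:443
2023-11-09T10:05:00 ws02 chrome.exe 198.51.100.7:443
"""

def parse_log(text):
    """Group connection timestamps by (host, process, destination)."""
    series = defaultdict(list)
    for line in text.splitlines():
        ts, host, proc, dest = line.split()
        series[(host, proc, dest)].append(datetime.fromisoformat(ts))
    return series

def find_beacons(text, expected=10.0, tolerance=2.0, min_events=4,
                 process_filter="powershell"):
    """Return (host, process, destination) tuples whose gaps between
    consecutive connections average close to `expected` seconds with low
    jitter. Thresholds are assumptions chosen for this demonstration."""
    hits = []
    for (host, proc, dest), times in parse_log(text).items():
        if len(times) < min_events or process_filter not in proc.lower():
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if abs(mean(gaps) - expected) <= tolerance and pstdev(gaps) <= tolerance:
            hits.append({"host": host, "process": proc, "dest": dest,
                         "mean_gap_s": round(mean(gaps), 1), "events": len(times)})
    return hits

if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print("possible periodic C2 polling:", hit)
```

Real telemetry will need the destination normalised (a C2 server may rotate ports or hostnames) and a longer observation window than the five connections used here.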

Conclusion

The MuddyWater APT group [1], with its use of the MuddyC2Go framework, poses a significant cybersecurity threat. Its attacks target multiple countries and aim to steal sensitive information and cause chaos. The transition to password-protected archives and the use of an embedded PowerShell script in recent attacks demonstrate the group’s evolving tactics. Organizations should implement proactive cybersecurity measures, including disabling PowerShell where it is not required and closely monitoring PowerShell activity, to protect against these threats.

References

[1] https://securityonline.info/deep-instinct-reveals-iranian-apt-muddywaters-latest-cyber-weapon-muddyc2go/
[2] https://trustedinternet.io/blog/iranian-hackers-launch-destructive-cyber-attacks-on-israeli-tech-and-education-sectors
[3] https://ciso2ciso.com/muddyc2go-new-c2-framework-iranian-hackers-using-against-israel-sourcethehackernews-com/
[4] https://www.guardianmssp.com/2023/11/09/muddyc2go-new-c2-framework-iranian-hackers-using-against-israel/
[5] https://thehackernews.com/2023/11/muddyc2go-new-c2-framework-iranian.html