The Iranian nation-state actor known as MuddyWater has taken advantage of a newly discovered command-and-control (C2) framework called MuddyC2Go in its attacks on the telecommunications sector in Egypt, Sudan, and Tanzania.
The Symantec Threat Hunter Team, part of Broadcom, is tracking the activity under the name Seedworm, which is also tracked under the monikers Boggy Serpens, Cobalt Ulster, Earth Vetala, ITG17, Mango Sandstorm (formerly Mercury), Static Kitten, TEMP.Zagros , and Yellow Nix.
Active since at least 2017, Muddywater is believed to be affiliated with Iran’s Ministry of Intelligence and Security (MOIS), which primarily isolates entities in the Middle East.
The cyber espionage group’s use of muddyC2Go was first exposed by Deep Instinct last month, in which it was described as a Golang-based replacement for PhonyC2, itself the successor to muddyC3. However, there is evidence that it may have been planned for the early 2020s.
While the full extent of MuddyC2Go’s capabilities is not yet known, the executable comes fitted with a PowerShell script that automatically connects to Seedworm’s C2 server, thereby giving the attackers remote access to a victim system and obviating the need for manual execution by an operator.
The latest set of intrusions, which occurred in November 2023, were found to rely on custom keyloggers and other publicly available tools, as well as SimpleHelp and Venom proxies.
Attack chains established by the group have a track record of weaponizing phishing emails and exploiting known vulnerabilities in unpatched applications to gain initial access, followed by reconnaissance, lateral movement, and data collection.
In the attacks by Symantec targeting an unnamed telecommunications organization, the MuddyC2Go launcher was executed to establish contact with an actor-controlled server, while legitimate remote access software such as AnyDesk and SimpleHelp were also deployed.
The entity is said to have been previously compromised by an adversary in 2023 in which SimpleHelp was used to launch PowerShell, distribute proxy software, and install the JumpCloud remote access tool.
“At another telecommunications and media company targeted by the attackers, multiple instances of SimpleHelp were used to connect to known Seedworm infrastructure,” Symantec said. “A custom build of the Venom proxy hacktool was also executed on this network, as well as new custom keyloggers used by the attackers in this activity.”
The company said that by using a combination of specialized, stealthy and publicly available tools in its attack chains, the goal is to avoid detection for as long as possible to accomplish its strategic objectives.
Symantec concluded, “The group continues to innovate and develop its toolset when necessary to keep its activity under the radar.” “The group still makes heavy use of Powershell and Powershell-related tools and scripts, underscoring the need for organizations to be aware of suspicious use of Powershell on their networks.”
The development comes as an Israel-linked group called Gonjeshke Darande (meaning “Predatory Sparrow” in Persian) claimed responsibility for a cyber attack that disrupted a “majority of the gas pumps throughout Iran” in response to the “aggression of the Islamic Republic and its proxies in the region.”
The group, which reemerged in October 2023 after going quiet for nearly a year, is believed to be linked to the Israeli Military Intelligence Directorate, having conducted destructive attacks in Iran, including steel facilities, petrol stations, and rail networks in the country.
