Iranian state-level cyber espionage organization "Muddy Waters" (MuddyWater) returned to the world and used the name "MuddyC2Go”’s new command and control framework, targeting the telecommunications industries in Egypt, Sudan and Tanzania.
Symantec Threat Hunters team named the event “Seedworm". The organization has also been active in the Middle East before, with codenames including Boggy Serpens, Cobalt Ulster, Earth Vetala, etc.
Symantec assesses that "Muddy Waters" has been active since 2017 and is associated with Iran's Ministry of Intelligence and Security (MOIS).
Last month, Deep Instinct first disclosed that "Muddy Waters" uses the MuddyC2Go framework, which is developed based on the Golang language and is designed to replace the previously used PhonyC2 and MuddyC3. But there is evidence that its practical application may have begun as early as 2020.
The full functionality of MuddyC2Go is currently unknown, but it is known to include aPowerShellThe script can automatically connect to the C2 server of "Seedworm" and provide the attacker with remote access to the victim system without manual operation.
In November 2023, the latest round of attacks targeted telecommunications organizations in Egypt, Sudan, and Tanzania. In addition to MuddyC2Go, public tools such as SimpleHelp and Venom Proxy were also used, as well as a customized keylogger.
"Muddy Waters" attack chains usually exploit the networkPhishing emailand known vulnerabilities in unpatched applications to gain initial access, followed by reconnaissance, lateral movement, and data collection.
In an attack against a telecom organization recorded by Symantec, "Muddy Waters" used the MuddyC2Go launcher to connect to servers it controlled and deployed legitimate remote access software such as AnyDesk and SimpleHelp.
It is reported that the group had invaded the same entity earlier in 2023, when it used SimpleHelp to run PowerShell, deploy agent software and install the JumpCloud remote access tool.
In another compromised telecommunications and media company's network, they discovered multiple incidents using SimpleHelp to connect to known "Seedworm" infrastructure, while also executing the group's custom Venom ProxyhackerTools and a new custom keylogger.
"Muddy Waters" combines self-developed tools, off-the-shelf tools, and public tools to avoid detection as much as possible and achieve its strategic goals. The group is still innovating and developing toolsets to keep its activities hidden.
It is worth noting that another Israel-related organization, Gonjeshke Darande, claimed responsibility for its attack on the Iranian gas station system. The organization became active again in October 2023 and is considered to be related to the Israeli Military Intelligence Agency. It has previously attacked Iranian steel plants, There have been destructive attacks on gas stations and rail networks.
Original article by Chief Security Officer, if reproduced, please credit https://www.cncso.com/en/iranian-hacking-group-muddywater-targets-middle-eastern-telecom-companies.html
