Iran’s MuddyWater Evolves with a New Cyber Weapon

June 29, 2023 | Ravi Lakshmanan

The Iranian state-sponsored group known as MuddyWater has been linked to a previously unseen command-and-control (C2) framework called PhonyC2, which the actor is believed to have used since 2021.

Evidence shows that the custom-made and actively developed framework was used in the February 2023 attack on the Israeli research institute Technion, cybersecurity firm Deep Instinct said in a report shared with The Hacker News.

Additionally, further links were discovered between the Python 3-based program and other attacks carried out by MuddyWater, including the ongoing exploitation of PaperCut servers.

“It is structurally and functionally similar to MuddyC3, the previous MuddyWater custom C2 framework written in Python 2,” said security researcher Simon Kenin. “MuddyWater is continuously updating its PhonyC2 framework and modifying TTPs to avoid detection.”

MuddyWater, also known as Mango Sandstorm (formerly Mercury), is a cyber espionage group known to operate on behalf of the Iranian Ministry of Information and Security (MOIS) since at least 2017.

The findings come nearly three months after Microsoft implicated the threat actor in destructive attacks against hybrid environments, while also calling out its cooperation with a related cluster tracked as Storm-1084 (aka DEV-1084 or DarkBit) for reconnaissance, persistence, monitoring, and lateral movement.


French cybersecurity firm Sekoia said, “Iran has been conducting cyber operations aimed at intelligence gathering for strategic purposes, essentially operating in the geopolitical context of Iran’s neighbors, particularly Israel, Saudi Arabia, and the Arab Gulf countries. These rival countries have been the focus of all its operations since 2011,” in an overview of pro-Iranian-government cyberattacks.

The attack chains orchestrated by the group, like those of other Iran-linked intrusion sets, leverage vulnerable public-facing servers and social engineering as the primary initial access vectors to infiltrate targets of interest.

“These include the use of charismatic sock puppets, seduction with future job opportunities, solicitation by journalists, and impersonating think tank experts soliciting opinions,” Recorded Future noted last year. “The use of social engineering is a central component of Iran’s APT operations when engaging in cyber espionage and intelligence operations.”

Deep Instinct said it discovered the PhonyC2 framework in April 2023 on servers associated with the extensive infrastructure MuddyWater used in the attacks targeting Technion earlier this year. The same server was also found to host Ligolo, a go-to reverse tunneling tool used by the threat actor.

The connection stems from the artifact names “C:\programdata\db.sqlite” and “C:\programdata\db.ps1”, which Microsoft describes as a customized PowerShell backdoor used by MuddyWater and which are dynamically generated via the PhonyC2 framework for execution on an infected host.

PhonyC2 is a “post-exploitation framework used to generate various payloads that connect back to the C2 and wait for instructions from the operator to conduct the final step of the ‘intrusion kill chain,’” Kenin said, calling it the successor to MuddyC3 and POWERSTATS.


Some of the notable commands supported by the framework are:

  • payload: Generates the payloads “C:\programdata\db.sqlite” and “C:\programdata\db.ps1”, along with a PowerShell command to run db.ps1, which in turn runs db.sqlite.
  • drop: Creates different variants of a PowerShell command that generates “C:\programdata\db.sqlite” by reaching out to the C2 server and writing the encoded content sent by the server to the file.
  • Ex3cut3: Creates different variants of a PowerShell command that generates “C:\programdata\db.ps1” (a script containing the logic to decode db.sqlite) and the final stage.
  • list: Enumerates all machines connected to the C2 server.
  • setcommandforall: Executes the same command on all connected hosts simultaneously.
  • use: Obtains a PowerShell shell on a remote computer to run further commands.
  • persist: Generates PowerShell code that allows the operator to gain persistence on the infected host, so that it reconnects to the server on reboot.
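The two artifact paths above are the most concrete detection hooks the report gives defenders: a file written to C:\programdata\db.sqlite, and a PowerShell invocation of C:\programdata\db.ps1. The following is an added example, not code from Deep Instinct or The Hacker News, showing how an endpoint or SIEM pipeline could flag those artifacts in process-creation and file-creation telemetry. The pipe-delimited record format and the sample events are constructed for the example; a real deployment would map the same fields from Sysmon event IDs 1 and 11 or an equivalent EDR feed.

```python
import re
from dataclasses import dataclass

# Artifact paths named in the Deep Instinct report (from the article above),
# lower-cased for case-insensitive comparison (NTFS paths are case-insensitive).
PHONYC2_ARTIFACTS = (
    r"c:\programdata\db.sqlite",
    r"c:\programdata\db.ps1",
)

# Constructed sample telemetry, one record per line:
#   event_type|image|command_line|target_file
# ProcessCreate records carry a command line; FileCreate records carry a target file.
SAMPLE_EVENTS = [
    r"ProcessCreate|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -ep bypass -w hidden -File C:\ProgramData\db.ps1|",
    r"FileCreate|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe||C:\ProgramData\db.sqlite",
    r"ProcessCreate|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe Get-ChildItem C:\Users|",
    # Benign look-alike in a subdirectory: must NOT match the exact-path rule.
    r"FileCreate|C:\Program Files\Backup\backup.exe||C:\ProgramData\Backup\db.sqlite",
    # Mixed-case reference from a non-PowerShell process: still worth an alert.
    r"ProcessCreate|C:\Windows\System32\cmd.exe|cmd.exe /c type C:\programdata\DB.PS1|",
]


@dataclass
class Alert:
    rule: str        # which detection fired
    event_type: str  # ProcessCreate or FileCreate
    evidence: str    # the command line or file path that triggered it


def normalize_path(path: str) -> str:
    """Lower-case and unify separators so C:/ProgramData/DB.PS1 compares equal to the artifact."""
    return path.strip().lower().replace("/", "\\")


def detect_phonyc2_artifacts(records) -> list[Alert]:
    """Scan telemetry records for the PhonyC2 artifact paths.

    Two rules:
      * phonyc2_artifact_written    - a FileCreate whose target is exactly one of the paths
      * phonyc2_artifact_referenced - a ProcessCreate whose command line names one of the paths
    """
    alerts: list[Alert] = []
    for record in records:
        try:
            event_type, _image, cmdline, target = record.split("|", 3)
        except ValueError:
            continue  # malformed record: skip rather than crash the pipeline
        for artifact in PHONYC2_ARTIFACTS:
            if event_type == "FileCreate" and normalize_path(target) == artifact:
                alerts.append(Alert("phonyc2_artifact_written", event_type, target))
            elif event_type == "ProcessCreate":
                # Word-boundary style lookahead so db.ps1 does not match db.ps1x or db.ps1.bak.
                pattern = re.escape(artifact) + r"(?![\w.])"
                if re.search(pattern, normalize_path(cmdline)):
                    alerts.append(Alert("phonyc2_artifact_referenced", event_type, cmdline))
    return alerts


if __name__ == "__main__":
    for alert in detect_phonyc2_artifacts(SAMPLE_EVENTS):
        print(f"[{alert.rule}] {alert.event_type}: {alert.evidence}")
```

The exact-path rule keeps the file-creation check tight (the look-alike under C:\ProgramData\Backup is ignored), while the command-line rule is deliberately broad so that any process touching db.ps1 is surfaced, not only powershell.exe; since the report notes the framework regenerates these payloads dynamically, pairing the path match with a rule on PowerShell launched with hidden-window or bypass flags gives more durable coverage than the file names alone.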

“This framework generates a variety of PowerShell payloads for operators,” Mark Vaitzman, Threat Research Team Lead at Deep Instinct, told The Hacker News. “The operator first needs access to the victim’s machine to execute them. Some of the payloads generated connect back to the operator’s C2 to enable persistence.”

MuddyWater is not the only Iranian nation-state group with its sights set on Israel. In recent months, various organizations in the country have been targeted by at least three different actors, including Charming Kitten (aka APT35), Imperial Kitten (aka Tortoiseshell), and Agrius (aka Pink Sandstorm).

“C2 is the bridge between the early and final stages of an attack,” Vaitzman said. “For MuddyWater, C2 frameworks are very important because they can maintain stealth and collect data from victims.”
