The Iranian state-sponsored group dubbed MuddyWater has been attributed to a previously unseen command-and-control (C2) framework called PhonyC2 that has been put to use by the actor since 2021.
Evidence shows that the custom-built, actively developed framework was leveraged in the February 2023 attack on Technion, an Israeli research institute, cybersecurity firm Deep Instinct said in a report shared with The Hacker News.
What's more, additional links have been unearthed between the Python 3-based tool and other attacks carried out by MuddyWater, including the ongoing exploitation of PaperCut servers.

"It is structurally and functionally similar to MuddyC3, a previous MuddyWater custom C2 framework that was written in Python 2," security researcher Simon Kenin said. "MuddyWater is continuously updating the PhonyC2 framework and changing TTPs to avoid detection."
MuddyWater, also known as Mango Sandstorm (previously Mercury), is a cyber espionage group that is known to have operated on behalf of Iran's Ministry of Intelligence and Security (MOIS) since at least 2017.
The findings arrive nearly three months after Microsoft implicated the threat actor in destructive attacks on hybrid environments, while also calling out its collaboration with a related cluster tracked as Storm-1084 (aka DEV-1084 or DarkBit) for reconnaissance, persistence, and lateral movement.
"Iran conducts cyber operations aiming at intelligence collection for strategic purposes, mainly targeting neighboring states, in particular Iran's geopolitical rivals such as Israel, Saudi Arabia, and Arabic Gulf countries, a continued focus observed in all operations since 2011," French cybersecurity firm Sekoia said in an overview of pro-Iranian government cyber attacks.
Attack chains orchestrated by the group, like those of other Iran-nexus intrusion sets, rely on vulnerable public-facing servers and social engineering as the main initial access vectors to breach targets of interest.
"These include the use of charismatic sock puppets, the lure of prospective job opportunities, solicitation by journalists, and masquerading as think tank experts seeking opinions," Recorded Future noted last year. "The use of social engineering is a central component of Iranian APT tradecraft when engaging in cyber espionage and information operations."
Deep Instinct said it discovered the PhonyC2 framework in April 2023 on a server that is connected to broader infrastructure used by MuddyWater in its attack targeting Technion earlier this year. The same server was also found to host Ligolo, a staple reverse tunneling tool used by the threat actor.
The connection stems from the artifact names "C:\programdata\db.sqlite" and "C:\programdata\db.ps1," which Microsoft described as custom PowerShell backdoors used by MuddyWater and which are dynamically generated by the PhonyC2 framework for execution on the infected host.
PhonyC2 is a "post-exploitation framework used to generate various payloads that connect back to the C2 and wait for instructions from the operator to conduct the final step of the 'intrusion kill chain,'" Kenin said, calling it a successor to MuddyC3 and POWERSTATS.
Some of the notable commands supported by the framework are as follows:
- payload: Serve the payloads "C:\programdata\db.sqlite" and "C:\programdata\db.ps1" as well as a PowerShell command to execute db.ps1, which, in turn, executes db.sqlite
- droper: Generate different variants of PowerShell commands to create "C:\programdata\db.sqlite" by reaching out to the C2 server and writing the encoded contents sent by the server to the file
- Ex3cut3: Generate different variants of PowerShell commands to create "C:\programdata\db.ps1" (a script that contains the logic to decode db.sqlite) and the final stage
- list: Enumerate all machines connected to the C2 server
- setcommandforall: Execute the same command across all connected hosts simultaneously
- use: Get a PowerShell shell on a remote computer
- persist: Generate PowerShell code that lets the operator gain persistence on the infected host so that it connects back to the server after a restart
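The two artifact paths above are the most concrete, host-observable indicators the reporting gives, and they are fixed across the droper/Ex3cut3 variants. The following is an added hunting example written for this page; it is not code from the article, from Deep Instinct, or from the PhonyC2 framework itself. It scans constructed, Sysmon-style log records for any reference to those paths, normalising slashes and the `$env:ProgramData` / `%ProgramData%` spellings an operator could use to write the same location (that normalisation is an assumption about how the path might be expressed, not something the article documents). The registry Run-key sample record is likewise only illustrative of "connects back after a restart"; the article does not say which persistence mechanism PhonyC2's persist command actually uses.

```python
"""Hunt for PhonyC2 artifact paths in Windows endpoint telemetry.

Added example, not part of the original article or of PhonyC2.
Artifact names are taken from the article (Microsoft / Deep Instinct reporting);
the log records below are constructed for the example and are not real telemetry.
"""

# Artifact paths named in the reporting, lowercased with backslash separators.
PHONYC2_ARTIFACTS = (
    r"c:\programdata\db.sqlite",
    r"c:\programdata\db.ps1",
)

# Constructed sample records: (event source, record text). Not real telemetry.
SAMPLE_EVENTS = [
    # Sysmon EID 11 (FileCreate): PowerShell writes the encoded stage to disk
    ("sysmon/11", r"Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "
                  r"TargetFilename: C:\ProgramData\db.sqlite"),
    # Sysmon EID 1 (ProcessCreate): the decoder script is launched
    ("sysmon/1", r"CommandLine: powershell.exe -w hidden -ep bypass -f C:\ProgramData\db.ps1"),
    # Benign noise that must not match
    ("sysmon/1", r"CommandLine: C:\Program Files\Git\bin\git.exe pull"),
    ("sysmon/11", r"Image: C:\Windows\explorer.exe TargetFilename: C:\Users\alice\Documents\db.sqlite"),
    # Sysmon EID 13 (RegistryEvent): illustrative Run-key entry referencing the
    # script via $env:ProgramData. Assumption for the example only; the article
    # does not state how the persist command actually achieves persistence.
    ("sysmon/13", r"TargetObject: HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\db "
                  r"Details: powershell -w hidden -f $env:ProgramData\db.ps1"),
]


def normalize(text: str) -> str:
    """Lowercase, unify separators and expand ProgramData spellings.

    Assumption: an operator may write the path with forward slashes or via the
    $env:ProgramData / %ProgramData% forms, all of which resolve to C:\ProgramData
    on a default install.
    """
    t = text.lower().replace("/", "\\")
    t = t.replace("$env:programdata", "c:\\programdata")
    t = t.replace("%programdata%", "c:\\programdata")
    return t


def hunt(events):
    """Return (source, [matched artifact paths]) for every record that
    references a PhonyC2 artifact path. Matching is on the full path, so a
    db.sqlite in a user profile does not trigger."""
    hits = []
    for source, record in events:
        normalized = normalize(record)
        matched = [a for a in PHONYC2_ARTIFACTS if a in normalized]
        if matched:
            hits.append((source, matched))
    return hits


if __name__ == "__main__":
    for source, matched in hunt(SAMPLE_EVENTS):
        print(f"{source}: {', '.join(matched)}")
```

In a real deployment the same rule belongs in the SIEM as a full-path match on FileCreate, ProcessCreate and RegistryEvent data; matching on the bare file names would be noisy because db.sqlite is a common name, which is why the example keys on the complete ProgramData path.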
MuddyWater is far from the only Iranian nation-state group to train its eyes on Israel. In recent months, several entities in the country have been targeted by at least three different actors, namely Charming Kitten (aka APT35), Imperial Kitten (aka Tortoiseshell), and Agrius (aka Pink Sandstorm).
Some parts of this article are sourced from:
thehackernews.com