Recent cybersecurity investigations reveal that Iranian state-sponsored actors have employed a novel command-and-control (C2) framework identified as MuddyC2Go. This development is part of ongoing cyber assaults directed at Israel, heightening concerns regarding the threat landscape in the region.

Security researcher Simon Kenin from Deep Instinct outlined in a report released on Wednesday that the web component of the MuddyC2Go framework is constructed using the Go programming language. This framework is believed to have been utilized by the hacking group known as MuddyWater, which is linked to Iran’s Ministry of Intelligence and Security (MOIS) and has been consistently active in orchestrating cyber operations.

Deep Instinct posits that MuddyC2Go may have been operational since early 2020, representing an evolution from the previously utilized PhonyC2 platform. Notable changes in strategy were observed as the group shifted tactics amidst emerging security disclosures, opting to utilize this new framework in recent operations.

The modus operandi attributed to MuddyWater typically involves spear-phishing campaigns, where targeted individuals receive emails containing malware-laden attachments or false hyperlinks, facilitating the deployment of legitimate remote administration software. The adoption of such techniques speaks to the broader tactics outlined within the MITRE ATT&CK Framework, particularly in areas concerning initial access and persistence.

As part of the attack sequence, the installation of remote administration tools allows for the subsequent delivery of additional malicious payloads, such as PhonyC2. However, recent activity indicates a shift in tactics; MuddyWater has begun distributing password-protected archives to bypass conventional email security controls, delivering executable files rather than the remote administration tools used previously.

According to Kenin, these executables contain embedded PowerShell scripts designed to automatically connect to the MuddyC2Go servers, thus eliminating reliance on manual execution by operators. This automated connection mechanism enables continuous command execution, with scripts checking every ten seconds for new commands while remaining stealthy in operation.

While the comprehensive capabilities of MuddyC2Go remain uncertain, experts suggest it is likely designed for generating PowerShell payloads to facilitate post-exploitation activities. Kenin emphasizes the importance of mitigating risk by disabling PowerShell when not in use and maintaining vigilant oversight of any PowerShell activity should it be enabled.
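The report's two defensive observations, that the embedded script polls the C2 server every ten seconds and that PowerShell activity should be watched closely when the interpreter is enabled, point at a concrete detection: a process that contacts the same destination at a near-constant interval. The following script is an added example written for this article, not code from Deep Instinct or from the framework itself; the log format, host names and addresses are constructed, and the detector generalizes beyond the ten-second case by flagging any channel whose inter-connection gaps have low relative variance.

```python
"""Flag (source, destination, process) channels whose outbound connections
recur at a near-fixed interval, the pattern described for MuddyC2Go polling.

Added example for illustration; log lines and hosts are constructed."""
from collections import defaultdict
from datetime import datetime
from statistics import median, pstdev

# Constructed proxy/firewall export: "<ISO timestamp> <src host> <dst> <process>".
# ws-17 shows a ~10 s poll from powershell.exe; ws-22 is ordinary browsing.
SAMPLE_LOG = """\
2023-11-08T10:00:00 ws-17 203.0.113.10 powershell.exe
2023-11-08T10:00:10 ws-17 203.0.113.10 powershell.exe
2023-11-08T10:00:20 ws-17 203.0.113.10 powershell.exe
2023-11-08T10:00:30 ws-17 203.0.113.10 powershell.exe
2023-11-08T10:00:41 ws-17 203.0.113.10 powershell.exe
2023-11-08T10:00:50 ws-17 203.0.113.10 powershell.exe
2023-11-08T10:00:03 ws-22 198.51.100.5 chrome.exe
2023-11-08T10:00:07 ws-22 198.51.100.5 chrome.exe
2023-11-08T10:01:30 ws-22 198.51.100.5 chrome.exe
2023-11-08T10:02:02 ws-22 198.51.100.5 chrome.exe
2023-11-08T10:02:09 ws-22 198.51.100.5 chrome.exe
2023-11-08T10:05:00 ws-22 198.51.100.5 chrome.exe
"""


def parse_log(text):
    """Yield (timestamp, src, dst, process) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        yield ts, parts[1], parts[2], parts[3]


def find_beacons(text, min_events=5, max_jitter=0.2):
    """Return {(src, dst, process): median_gap_seconds} for channels with at
    least min_events connections whose gaps vary by no more than max_jitter
    (population std dev divided by median gap)."""
    by_channel = defaultdict(list)
    for ts, src, dst, proc in parse_log(text):
        by_channel[(src, dst, proc)].append(ts)

    findings = {}
    for channel, stamps in by_channel.items():
        if len(stamps) < min_events:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        med = median(gaps)
        if med <= 0:  # duplicate timestamps; no usable periodicity
            continue
        if pstdev(gaps) / med <= max_jitter:
            findings[channel] = round(med, 1)
    return findings


if __name__ == "__main__":
    for (src, dst, proc), gap in find_beacons(SAMPLE_LOG).items():
        print(f"{src} -> {dst} via {proc}: regular connections every ~{gap}s")
```

Regular polling is a triage signal rather than a verdict: update agents and monitoring software also beacon on fixed schedules, so the hit list is meant to be joined against an allow-list of known agents and against PowerShell script block logging on the flagged host before anyone acts on it.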

The ongoing activities of MuddyWater and the emergence of MuddyC2Go exemplify the evolving tactics that nation-state actors employ in cyber operations. As organizations continue to face increasing pressure from state-sponsored adversaries, understanding these adaptive methodologies becomes crucial for implementing effective cybersecurity measures. Companies must remain vigilant and proactive in fortifying their defenses against such sophisticated adversaries.