The Iranian state-sponsored group known as MuddyWater has been linked to a previously unseen command-and-control (C2) framework called PhonyC2, which the actor has been using since 2021.
Evidence shows that the purpose-built and actively developed framework was leveraged in the February 2023 attack on Technion, an Israeli research institute, cybersecurity firm Deep Instinct said in a report shared with The Hacker News.
What's more, additional links have been uncovered between the Python 3-based program and other attacks carried out by MuddyWater, including the ongoing exploitation of PaperCut servers.
“It is structurally and functionally similar to MuddyC3, MuddyWater's previous custom C2 framework written in Python 2,” said security researcher Simon Kenin. “MuddyWater continually updates the PhonyC2 framework and changes the TTPs to avoid detection.”
MuddyWater, also known as Mango Sandstorm (formerly Mercury), is a cyber espionage group known to be operating on behalf of Iran’s Ministry of Intelligence and Security (MOIS) since at least 2017.
The findings come nearly three months after Microsoft implicated the threat actor in destructive attacks on hybrid environments, while also calling out its collaboration with a related cluster tracked as Storm-1084 (aka DEV-1084 or DarkBit) for reconnaissance, persistence, and lateral movement.
“Iran conducts cyber operations aimed at gathering intelligence for strategic purposes, essentially targeting neighboring countries, in particular Iran's geopolitical rivals such as Israel, Saudi Arabia, and Arab Gulf states, a continued focus observed in all operations since 2011,” French cybersecurity firm Sekoia said in an overview of pro-government Iranian cyber attacks.
The attack chains orchestrated by the group, like those of other Iran-nexus intrusion sets, use vulnerable public-facing servers and social engineering as the main initial access vectors to penetrate targets of interest.
“This includes the use of charismatic sock puppets, the lure of prospective job opportunities, solicitation by journalists, and posing as a think tank expert seeking opinion,” Recorded Future noted last year. “The use of social engineering is a major component of Iran’s APT trade when engaging in cyber espionage and information operations.”
Deep Instinct says it discovered the PhonyC2 framework in April 2023 on servers related to the broader infrastructure used by MuddyWater in its attack targeting Technion earlier this year. The same server was also found to host Ligolo, a tunneling tool widely used by threat actors.
The connection stems from the artifact names “C:\programdata\db.sqlite” and “C:\programdata\db.ps1,” which Microsoft described as a customized PowerShell backdoor used by MuddyWater and which is generated dynamically via the PhonyC2 framework for execution on the infected host.
PhonyC2 is “a post-exploitation framework used to generate various payloads that connect back to the C2 and wait for instructions from the operator to perform the final step of the ‘intrusion kill chain,’” Kenin said, calling it the successor to MuddyC3 and POWERSTATS.
Some of the important commands supported by the framework are as follows:
- payload: Generate the payloads “C:\programdata\db.sqlite” and “C:\programdata\db.ps1” as well as the PowerShell commands to execute db.ps1, which, in turn, executes db.sqlite
- droppers: Create different variants of the PowerShell command that generates “C:\programdata\db.sqlite” by reaching out to the C2 server and writing the encoded content returned by the server to a file
- Ex3cut3: Create different variants of the PowerShell command that writes “C:\programdata\db.ps1” (a script containing the logic to decode db.sqlite) and the final stage
- list: Enumerate all machines connected to the C2 server
- setcommandforall: Execute the same command on all connected hosts simultaneously
- use: Obtain a PowerShell shell on the remote machine to run further commands
- persist: Generate PowerShell code that lets the operator gain persistence on the infected host so that it reconnects to the server after a reboot
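The two artifact paths above (db.sqlite and db.ps1 under C:\programdata) and the PowerShell-launches-db.ps1 chain are the concrete observables a defender gets from this report. The script below, an added example that is not part of the article or of Deep Instinct's research, hunts for them in endpoint telemetry. The newline-delimited JSON record format (`event`, `image`, `cmdline`, `target`) is a hypothetical schema chosen for the example, not a real Sysmon or EDR format, and the log lines embedded in it are constructed, not captured from any incident.

```python
"""Hunt constructed endpoint telemetry for the PhonyC2 artifact paths named in
the article (C:\\programdata\\db.sqlite and C:\\programdata\\db.ps1).

Added example. The record schema and the sample log are assumptions built for
illustration; they are not from the article, Deep Instinct, or a real product.
"""
import json
import re

# Artifact paths reported in the article, lower-cased for exact matching of
# file-creation events.
ARTIFACT_PATHS = {
    r"c:\programdata\db.sqlite",
    r"c:\programdata\db.ps1",
}

# Looser pattern for command lines: catches the same names when written with
# forward slashes, doubled separators, or via the %PROGRAMDATA% variable.
_ARTIFACT_RE = re.compile(
    r"(?:c:[\\/]+programdata|%programdata%)[\\/]+db\.(?:sqlite|ps1)\b",
    re.IGNORECASE,
)


def _norm(path):
    """Lower-case a Windows path and collapse forward slashes to backslashes."""
    return path.replace("/", "\\").lower()


def classify(record):
    """Return the list of reasons a single telemetry record is suspicious ([] if none)."""
    reasons = []
    event = record.get("event")
    if event == "file_create":
        if _norm(record.get("target", "")) in ARTIFACT_PATHS:
            reasons.append(f"file written to known artifact path: {record['target']}")
    elif event == "process_create":
        cmdline = record.get("cmdline", "")
        image = _norm(record.get("image", ""))
        hits = {m.group(0).lower() for m in _ARTIFACT_RE.finditer(cmdline)}
        if hits:
            reasons.append(f"command line references artifact path(s): {sorted(hits)}")
        # The article describes PowerShell executing db.ps1, which then decodes
        # db.sqlite, so a PowerShell host touching either name is the
        # highest-signal combination.
        if hits and image.endswith(("\\powershell.exe", "\\pwsh.exe")):
            reasons.append("PowerShell host executing the artifact")
    return reasons


def hunt(lines):
    """Parse newline-delimited JSON records; return (record, reasons) for each hit."""
    findings = []
    for line in lines.splitlines():
        line = line.strip()
        if not line:
            continue
        record = json.loads(line)
        reasons = classify(record)
        if reasons:
            findings.append((record, reasons))
    return findings


# Constructed sample telemetry: two benign records followed by three that match.
SAMPLE_LOG = r"""
{"event": "process_create", "image": "C:\\Windows\\System32\\notepad.exe", "cmdline": "notepad.exe C:\\Users\\a\\notes.txt"}
{"event": "file_create", "target": "C:\\ProgramData\\Vendor\\cache.db"}
{"event": "file_create", "target": "C:\\ProgramData\\db.sqlite"}
{"event": "process_create", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "cmdline": "powershell.exe -ep bypass -f C:/ProgramData/db.ps1"}
{"event": "process_create", "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd /c type %PROGRAMDATA%\\db.sqlite"}
"""

if __name__ == "__main__":
    for record, reasons in hunt(SAMPLE_LOG):
        print(record.get("event"), "->", "; ".join(reasons))
```

The exact-path set handles file-creation events, where the path is already canonical, while the regex handles command lines, where operators and shells vary the separators and may substitute the environment variable. Treating "PowerShell plus artifact name" as a separate, stronger reason lets the same rule feed both a low-severity hunt query and a high-severity alert without duplicating logic.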
“This framework creates a different PowerShell payload for operators,” Mark Vaitzman, threat research team leader at Deep Instinct told The Hacker News. “The operator needs to have initial access to the victim machine in order to execute it. Some of the payloads generated are linked back to the C2 operator to allow persistence.”
MuddyWater is far from the only Iranian nation-state group to focus its attention on Israel. In recent months, various entities in the country have been targeted by at least three different actors, namely Charming Kitten (aka APT35), Imperial Kitten (aka Tortoiseshell), and Agrius (aka Pink Sandstorm).
“It's the C2 that connects the initial phase of the attack to the final step,” said Vaitzman. “For MuddyWater, the C2 framework was critical because it allowed them to remain silent and collect data from victims. This would not be the first or last dedicated C2 framework they used during a major attack.”