Iranian hackers switch to ‘DarkBeatC2’ for their latest cyber attacks

April 12, 2024

Article Summary

TLDR:

Iranian MuddyWater hackers have adopted a new C2 tool called DarkBeatC2 in their latest campaign. This tool is the latest addition to their arsenal, which already includes SimpleHarm, MuddyC3, PhonyC2, and MuddyC2Go. MuddyWater, also known as Boggy Serpens, Mango Sandstorm, and TA450, is affiliated with Iran’s Ministry of Intelligence and Security (MOIS) and has been active since at least 2017. The group orchestrates spear-phishing attacks that lead to the deployment of legitimate Remote Monitoring and Management (RMM) solutions on compromised systems.

The latest attack campaign involves spear-phishing emails sent from compromised accounts containing links or attachments hosted on services like Egnyte to deliver the Atera Agent software. The campaign is suspected to be a collaboration between IRGC and MOIS to target Israeli organizations and individuals. MuddyWater’s C2 framework, DarkBeatC2, manages infected endpoints using PowerShell code to establish contact with the C2 server.

Full Article:

The Iranian threat actor known as MuddyWater has been linked to a new command-and-control (C2) infrastructure called DarkBeatC2, the latest such tool in its arsenal after SimpleHarm, MuddyC3, PhonyC2, and MuddyC2Go. The group is known to be affiliated with Iran’s Ministry of Intelligence and Security (MOIS) and has been active since at least 2017, orchestrating spear-phishing attacks that lead to the deployment of various legitimate Remote Monitoring and Management (RMM) solutions on compromised systems.

The latest attack campaign commences with spear-phishing emails sent from compromised accounts that contain links or attachments hosted on services like Egnyte to deliver the Atera Agent software. One of the URLs in question is associated with an educational institution in Israel, which was breached by a group targeting the academic sector in the country. The attacks are notable for relying on a set of domains and IP addresses collectively dubbed DarkBeatC2 to manage the infected endpoints.

MuddyWater’s C2 framework establishes persistence through PowerShell code that reaches out to the C2 server once initial access has been gained by other means. The group has been observed abusing the Windows Registry’s AutodialDLL value, which Winsock loads automatically, to side-load a malicious DLL and ultimately set up connections with a DarkBeatC2 domain. The cybersecurity firm Palo Alto Networks Unit 42 reported that the technique was used in a cyber attack aimed at a Middle East target.
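The AutodialDLL abuse described above is straightforward to audit from the defender's side. The following PowerShell check is an added example and not code from the article or from any vendor report it cites; it assumes the value lives at `HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\AutodialDLL` and that on a clean system it points at `rasadhlp.dll` under `System32`. Anything else, or a DLL without a valid Authenticode signature, is flagged for investigation.

```powershell
# Added example (not from the article): audit the Winsock AutodialDLL registry
# value that the article describes MuddyWater abusing for DLL side-loading.
# Assumed registry location and assumed clean default (rasadhlp.dll) below.

$AutodialKey     = 'HKLM:\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters'
$ExpectedDefault = Join-Path $env:SystemRoot 'System32\rasadhlp.dll'

function Test-AutodialDll {
    param(
        [string]$KeyPath  = $AutodialKey,
        [string]$Expected = $ExpectedDefault
    )

    $raw = (Get-ItemProperty -Path $KeyPath -Name AutodialDLL -ErrorAction SilentlyContinue).AutodialDLL
    if (-not $raw) {
        # The value normally exists; its absence is itself unusual and worth a look.
        return [pscustomobject]@{ Status = 'Missing'; Value = $null; Resolved = $null; Signature = $null; Suspicious = $true }
    }

    # The value may contain %SystemRoot%-style references; expand before comparing.
    $resolved   = [Environment]::ExpandEnvironmentVariables($raw)
    $nonDefault = ($resolved -ne $Expected)     # PowerShell string comparison is case-insensitive

    $sigStatus = 'FileNotFound'
    if (Test-Path -LiteralPath $resolved) {
        $sigStatus = (Get-AuthenticodeSignature -FilePath $resolved).Status.ToString()
    }

    [pscustomobject]@{
        Status     = if ($nonDefault) { 'Non-default' } else { 'Default' }
        Value      = $raw
        Resolved   = $resolved
        Signature  = $sigStatus
        # Flag if the path was changed OR the referenced DLL is unsigned / missing.
        Suspicious = $nonDefault -or ($sigStatus -ne 'Valid')
    }
}

# Run the check and show the result; a Suspicious=True row warrants triage of
# the referenced DLL and of any PowerShell it spawns.
Test-AutodialDll | Format-List
```

Because every process that loads Winsock can trigger the DLL, a non-default value here is a high-signal finding; pairing this one-time audit with a registry-modification alert on the same key (for example via Sysmon event 13) catches the change as it happens rather than on the next sweep.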

Other methods adopted by MuddyWater to establish a C2 connection include the use of a first-stage payload delivered via spear-phishing email and leveraging DLL side-loading to execute a malicious library. Interaction with the C2 server is handled by PowerShell scripts that fetch payloads and transmit data, with the C2 framework used to maintain persistence on the host.

