A new command-and-control (C2) framework known as PhonyC2 has been linked to MuddyWater, an Iranian state-sponsored hacking group. This custom-made framework has been actively used by MuddyWater to target various organizations and exploit vulnerabilities in software systems.
According to a report by cybersecurity firm Deep Instinct, PhonyC2 was utilized by MuddyWater to take advantage of the log4j vulnerability in the Israeli SysAid software. This attack was part of a larger campaign that also targeted Technion, an Israeli institution, and that included the ongoing attacks against the PaperCut print management software.
The discovery of MuddyWater’s use of PhonyC2 came after Microsoft noted in a Twitter post that the group had been exploiting a different vulnerability in the PaperCut software. While Microsoft did not provide any new indicators, they referenced their blog on the Technion hack, which Deep Instinct had already linked to PhonyC2.
Deep Instinct further revealed that Sophos had published indicators from various PaperCut intrusions Sophos had observed. Through its analysis of those indicators, Deep Instinct identified two IP addresses from these intrusions as PhonyC2 servers, based on the URL patterns they served.
MuddyWater, a hacking group active since 2017, is widely believed to be a subordinate unit within Iran’s Ministry of Intelligence and Security. The group’s primary targets include countries such as Turkey, Pakistan, the UAE, Iraq, Israel, Saudi Arabia, Jordan, the US, Azerbaijan, and Afghanistan. MuddyWater is primarily known for its cyberespionage activities and theft of intellectual property, although it has also been known to deploy ransomware on occasion.
One of the key findings from Deep Instinct’s report was the identification of three malicious PowerShell scripts that were part of the PhonyC2_v6.zip archive. These scripts were discovered in April and provided further insights into the capabilities of the PhonyC2 framework.
PhonyC2 is a custom-made C2 framework that has been continuously developed by MuddyWater. The framework allows the threat actors to maintain control over compromised systems and facilitate their malicious activities. By using PhonyC2, MuddyWater can navigate through networks undetected and exfiltrate sensitive information.
The discovery of PhonyC2 highlights the sophistication and persistence of MuddyWater as an Iranian state-sponsored hacking group. They have demonstrated their ability to exploit vulnerabilities in software systems and target organizations across multiple countries.
To protect against these types of attacks, organizations need to ensure they have robust cybersecurity measures in place. This includes regularly updating software and systems to patch any known vulnerabilities, implementing strong access controls and user authentication protocols, and monitoring network traffic for any suspicious activity.
As the threat landscape continues to evolve, it is essential for organizations to stay vigilant and proactive in their cybersecurity practices. By investing in advanced threat detection and response capabilities, organizations can better defend against sophisticated attacks such as those carried out by MuddyWater using the PhonyC2 framework.
