Deep Instinct Reveals Iranian APT MuddyWater’s Latest Cyber-weapon: MuddyC2Go

Recently, Deep Instinct’s Threat Research team uncovered new tactics used by the elusive MuddyWater APT group, notorious for its sophisticated cyber-espionage activities.

Previously, Deep Instinct had exposed “PhonyC2,” a custom command and control (C2) tool leveraged by MuddyWater. However, after this revelation, a new C2 framework christened “MuddyC2Go” entered the field. This discovery was made after two IP addresses associated with MuddyWater showed an unexpected transition from hosting PhonyC2 to delivering a PowerShell payload.

The MuddyWater APT group has long employed spear-phishing to infiltrate systems, often using archives that contain seemingly benign remote administration tools. The twist in their recent tactics? These archives are now password-protected, a sly move to slip past email security solutions that cannot inspect encrypted contents. What’s more, the manual step in which the attackers executed a PowerShell script has been replaced with an executable that automatically connects to the MuddyC2Go server.

July 2023 marked an insidious attack against a Jordanian company with the use of an executable masquerading as a benign file named “offtec.exe.” Similarly, in September, a targeted attack against an Iraqi telecommunications provider was executed via password-protected archives uploaded from Iraq. October witnessed a possible strike against Israel, coinciding with geopolitical tensions in the region.

Deep Instinct’s investigations have traced MuddyWater’s use of the Go programming language for crafting their malware, suggesting a heightened level of sophistication. The group’s utilization of a Go-based C2 framework dates back to the beginning of 2020, with a trail of evidence including malicious Excel files and unique URL patterns leading back to their servers.

Given MuddyWater’s adept use of PowerShell, Deep Instinct recommends disabling PowerShell where it is unnecessary for organizational operations. If PowerShell is required, they urge vigilant monitoring of all PowerShell activity so that malicious use can be detected and stopped.
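One way to act on that recommendation, as an added example that is not part of Deep Instinct’s report: turn on PowerShell script block and module logging, then review the logged script blocks for traits common to downloader-style loaders. It assumes an elevated session on Windows 10 / Server 2016 or later with Windows PowerShell 5.1; the regex patterns are the author’s own choice, not indicators from the report.

```powershell
# Added example (not from the report). Assumes an elevated PowerShell 5.1 session.
$policyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

# Script block logging records the content of each executed script block (Event ID 4104)
$sbl = Join-Path $policyPath 'ScriptBlockLogging'
if (-not (Test-Path $sbl)) { New-Item -Path $sbl -Force | Out-Null }
Set-ItemProperty -Path $sbl -Name 'EnableScriptBlockLogging' -Value 1 -Type DWord

# Module logging records pipeline execution details; '*' enables it for all modules
$ml = Join-Path $policyPath 'ModuleLogging'
if (-not (Test-Path $ml)) { New-Item -Path $ml -Force | Out-Null }
Set-ItemProperty -Path $ml -Name 'EnableModuleLogging' -Value 1 -Type DWord
$mlNames = Join-Path $ml 'ModuleNames'
if (-not (Test-Path $mlNames)) { New-Item -Path $mlNames -Force | Out-Null }
Set-ItemProperty -Path $mlNames -Name '*' -Value '*' -Type String

# Review script blocks logged in the last 24 hours. The patterns below (assumed,
# not from the report) flag traits typical of PowerShell downloaders: web
# requests, base64 decoding, hidden windows and encoded commands.
$since  = (Get-Date).AddHours(-24)
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-PowerShell/Operational'
    Id        = 4104
    StartTime = $since
} -ErrorAction SilentlyContinue

$patterns = 'Invoke-WebRequest|Net\.WebClient|DownloadString|FromBase64String|-WindowStyle\s+Hidden|-EncodedCommand'
foreach ($e in $events) {
    # Property index 2 of a 4104 event holds the ScriptBlockText field
    $text = [string]$e.Properties[2].Value
    if ($text -match $patterns) {
        [PSCustomObject]@{
            Time    = $e.TimeCreated
            Machine = $e.MachineName
            Snippet = $text.Substring(0, [Math]::Min(200, $text.Length))
        }
    }
}
```

Forward the 4104 events to a SIEM rather than relying on local review alone; script block logging is most useful when the logs are collected centrally before an attacker can clear them.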

While identifying the MuddyC2Go framework is a challenging task because its web interface looks like a generic web application, the unique URL patterns it generates have helped reveal its usage since 2020. All known active MuddyC2Go servers have been traced to “Stark Industries,” a VPS provider with a history of hosting malicious activities.

In the wake of these findings, Deep Instinct has unearthed additional suspected MuddyC2Go servers at Stark Industries. These discoveries underscore the continuous evolution of threat actors and the importance of proactive cybersecurity measures.

As cyber threats like MuddyWater ripple across the digital landscape, the global community is reminded of the imperative need for constant vigilance and advanced threat detection methods. In this cat-and-mouse game, the stakes are high, and the waters are indeed muddy, but with cutting-edge research and robust defenses, cybersecurity professionals stand guard, ready to repel the advancing tides of cyber threats.