The Iranian threat actor identified as MuddyWater has incorporated a novel command-and-control (C2) infrastructure termed DarkBeatC2 into its latest campaign. This tool joins a series of previously employed systems such as SimpleHarm, MuddyC3, PhonyC2, and MuddyC2Go.
Deep Instinct security researcher Simon Kenin noted in a recent technical report that despite occasional shifts in remote administration tools or alterations in C2 frameworks, MuddyWater’s tactics persistently adhere to a consistent pattern.
Associated with Iran’s Ministry of Intelligence and Security (MOIS), MuddyWater, also known as Boggy Serpens, Mango Sandstorm, and TA450, has been active since at least 2017. The group orchestrates spear-phishing assaults resulting in the deployment of legitimate Remote Monitoring and Management (RMM) solutions on compromised systems.
Prior intelligence from Microsoft links the group to another Iranian threat cluster identified as Storm-1084 (also known as DarkBit), which has been involved in conducting destructive wiper attacks against Israeli entities.
The latest campaign, which Proofpoint disclosed last month, starts with spear-phishing emails dispatched from compromised accounts. These emails contain links or attachments hosted on platforms like Egnyte, facilitating the distribution of the Atera Agent software.
One of the URLs used is “kinneretacil.egnyte[.]com,” where the subdomain “kinneretacil” pertains to “kinneret.ac.il,” an Israeli educational institution. This institution, a Rashim customer, fell victim to a supply chain attack perpetrated by Lord Nemesis (also known as Nemesis Kitten or TunnelVision).
Lord Nemesis, suspected of conducting operations against Israel, operates under the umbrella of Najee Technology, a private contracting company affiliated with Iran’s Islamic Revolutionary Guard Corps (IRGC).
Kenin highlighted the potential implications of Rashim’s breach, suggesting that Lord Nemesis might have exploited the compromised email system to target Rashim’s customers, thus imparting a veneer of legitimacy to the phishing emails.
Although conclusive evidence is lacking, the temporal and contextual alignment of events suggests a possible collaboration between IRGC and MOIS to inflict significant harm on Israeli entities.
Notably, the attacks rely on a suite of domains and IP addresses collectively termed DarkBeatC2 for managing infected endpoints. This is achieved through PowerShell code that establishes contact with the C2 server following initial access.
Palo Alto Networks Unit 42's independent research reveals MuddyWater's abuse of the Windows Registry's AutodialDLL key to sideload a malicious DLL and establish connections with DarkBeatC2 domains.
This method establishes persistence via a scheduled task that runs PowerShell to modify the AutodialDLL registry key, so that the operating system loads the DLL for the C2 framework.
Other techniques employed by MuddyWater include delivering a first-stage payload via spear-phishing emails and leveraging DLL side-loading for executing a malicious library.
Upon successful contact, the infected host receives PowerShell responses, fetching two additional PowerShell scripts from the server. One script reads the contents of a file named “C:\ProgramData\SysInt.log” and transmits them to the C2 server via an HTTP POST request, while the second script periodically polls the server for additional payloads.
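The persistence and staging details above suggest three host-side checks. The following audit script is an added example, not code from the report or from Unit 42; it assumes the stock AutodialDLL value on a clean system is rasadhlp.dll in System32, and uses the file path and registry key named in the text.

```powershell
# Added defensive audit script (not from the report). Run in an elevated
# PowerShell session; it only reads state and prints findings.
$findings = @()

# 1. AutodialDLL: Winsock loads this DLL automatically, so any value other
#    than the stock rasadhlp.dll in System32 deserves a look. The expected
#    default path is an assumption based on a clean Windows install.
$key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters'
$auto = (Get-ItemProperty -Path $key -Name AutodialDLL -ErrorAction SilentlyContinue).AutodialDLL
$expected = Join-Path $env:SystemRoot 'System32\rasadhlp.dll'
if ($auto) {
    $resolved = [Environment]::ExpandEnvironmentVariables($auto)
    if ($resolved -ne $expected) {   # -ne on strings is case-insensitive
        $findings += "AutodialDLL points to a non-default DLL: $auto"
    }
} else {
    $findings += "AutodialDLL value is missing or unreadable"
}

# 2. Scheduled tasks whose action runs PowerShell and references the
#    AutodialDLL value or the WinSock2 parameters key.
Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
    foreach ($a in $_.Actions) {
        $cmd = "$($a.Execute) $($a.Arguments)"
        if ($cmd -match 'powershell' -and $cmd -match 'AutodialDLL|WinSock2') {
            $findings += "Task '$($_.TaskName)' runs: $cmd"
        }
    }
}

# 3. Staging file that the report says one of the C2 scripts reads and
#    sends to the server.
$log = 'C:\ProgramData\SysInt.log'
if (Test-Path $log) {
    $findings += "Staging file present: $log ($((Get-Item $log).Length) bytes)"
}

if ($findings.Count -eq 0) { 'No AutodialDLL / DarkBeatC2 indicators found.' }
else { $findings | ForEach-Object { "[!] $_" } }
```

A hit on check 1 alone is high-signal, since legitimate software rarely changes this value; checks 2 and 3 mainly help confirm the chain described in the report.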
The specific nature of the subsequent payload remains unknown, but Kenin emphasized that PowerShell remains integral to MuddyWater’s operations.
In a separate development, Unit 42 uncovered details about FalseFont, a backdoor employed by the Iranian threat actor Peach Sandstorm (also known as APT33, Curious Serpens, Elfin, and Refined Kitten) targeting the aerospace and defense sectors.
FalseFont masquerades as legitimate human resources software, enticing victims through a fabricated job recruitment process. Upon installation, it captures credentials as well as educational and employment history, and transmits this data to a C2 server controlled by the threat actors.
Additionally, FalseFont features capabilities such as file download/upload, credential theft, screenshot capture, process termination, PowerShell command execution, and self-updating functionality.