The hacker group known as MuddyWater has been attributed a new command and control (C2) infrastructure called DarkBeatC2, the latest such tool in its arsenal after SimpleHarm, MuddyC3, PhonyC2 and MuddyC2Go.
How the MuddyWater hacker group's Command and Control (C2) campaign happened
“While they occasionally move to a new remote administration tool or change their C2 framework, MuddyWater's methods remain constant,” said Deep Instinct security researcher Simon Kenin in a technical report published last week.
MuddyWater, also known as Boggy Serpens, Mango Sandstorm, and TA450, is reported to be affiliated with Iran's Ministry of Intelligence and Security (MOIS); MuddyWater has been known to be active since at least 2017, orchestrating spear-phishing attacks that lead to the deployment of various legitimate remote monitoring and management (RMM) solutions on compromised systems.
Previous findings from Microsoft show that the MuddyWater group has ties to another Iranian threat activity cluster tracked as Storm-1084 (also known as DarkBit), with the latter exploiting the access to orchestrate destructive wiper attacks against Israeli entities.
The latest attack campaign, the details of which were also revealed previously by Proofpoint last month, starts with spear-phishing emails sent from compromised accounts that contain links or attachments hosted on services such as Egnyte to deliver Atera Agent software.
One of the URLs in question is “kinneretacil.egnyte[.]com“, where the subdomain “kinneretacil” refers to “kinneret.ac.il”, an educational institute in Israel and client of Rashim, which in turn was compromised by Lord Nemesis (also known as Nemesis Kitten or TunnelVision) as part of a supply chain attack targeting the country's academic sector.
Lord Nemesis, like MuddyWater, is suspected of being a “faketivist” operation directed against Israel and it is also important to note that Nemesis Kitten is a private procurement company called Najee Technology, a subgroup within Mint Sandstorm backed by Iran's Islamic Revolutionary Guard Corps (IRGC); the company was sanctioned by the US Treasury Department in September 2022.
“This is important because if 'Lord Nemesis' had managed to hack into Rashim's email system, they may have hacked into Rashim's clients' email systems using administrative accounts which we now know they got from 'Rashim',” Kenin explained.
The network of connections raised the possibility that MuddyWater may have used the email account associated with Kinneret to distribute the links, thus giving messages an illusion of trust and tricking recipients into clicking them.
“While not conclusive, the time frame and context of events point to a possible handover or collaboration between the IRGC and MOIS to inflict the maximum possible damage on Israeli organizations and individuals,” Kenin added.
The attacks are also notable for relying on a set of domains and IP addresses collectively referred to as DarkBeatC2, which is responsible for managing infected endpoints; this is accomplished using PowerShell code designed to establish contact with the C2 server after initial access has been gained through other means.
According to independent findings from Palo Alto Networks Unit 42, the hacker group was observed abusing the Windows Registry AutodialDLL feature to sideload a malicious DLL and ultimately establish connections with a DarkBeatC2 domain.
The mechanism, in particular, involves establishing persistence through a scheduled task that runs PowerShell to exploit the AutodialDLL registry key and load the DLL for the C2 framework; the cybersecurity firm said the technique was used in a cyber attack aimed at an unspecified target in the Middle East.
Other methods used by MuddyWater to establish a C2 connection include a first-stage payload delivered via spear-phishing emails and DLL sideloading to execute a malicious library.
A successful contact allows the infected host to receive PowerShell responses which, in turn, download two more PowerShell scripts from the same server.
While one of the scripts is designed to read the contents of a file called “C:\ProgramData\SysInt.log” and transmit it to the C2 server via an HTTP POST request, the second script periodically queries the server for further payloads and writes the results of execution to “SysInt.log”; however, the exact nature of the next-stage payload currently remains unknown.
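The AutodialDLL persistence, the PowerShell scheduled task and the SysInt.log staging file described above are all host artefacts a defender can audit directly. The following PowerShell script is an added example written for this page, not code from the article, Deep Instinct or Unit 42; it assumes the AutodialDLL value lives under HKLM:\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters and defaults to %SystemRoot%\System32\rasadhlp.dll on a clean Windows install, and it reports anything that deviates from that baseline.

```powershell
# Added example (not from the article): audit the three host artefacts the article
# attributes to the DarkBeatC2 tradecraft.
# Assumption: AutodialDLL lives under the WinSock2\Parameters key below and the stock
# value on a clean install is %SystemRoot%\System32\rasadhlp.dll.

$findings = @()

# 1. AutodialDLL: any value other than the stock rasadhlp.dll path merits a closer look,
#    because the DLL named here is loaded into processes that use Winsock.
$autodialKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters'
$autodial    = (Get-ItemProperty -Path $autodialKey -Name AutodialDLL -ErrorAction SilentlyContinue).AutodialDLL
$expected    = Join-Path $env:SystemRoot 'System32\rasadhlp.dll'
if ($autodial) {
    $resolved = [Environment]::ExpandEnvironmentVariables($autodial)
    if ($resolved -ne $expected) {   # -ne is case-insensitive in PowerShell
        $findings += [pscustomobject]@{ Check = 'AutodialDLL'; Detail = $resolved }
    }
}

# 2. Scheduled tasks whose action launches PowerShell: the persistence mechanism the
#    article describes. Legitimate tasks can match too, so this is a triage list.
Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        if ($action.Execute -match 'powershell|pwsh') {
            $findings += [pscustomobject]@{
                Check  = 'ScheduledTask'
                Detail = "$($task.TaskPath)$($task.TaskName) -> $($action.Execute) $($action.Arguments)"
            }
        }
    }
}

# 3. The staging file the second-stage scripts read from and write to.
$stage = 'C:\ProgramData\SysInt.log'
if (Test-Path -LiteralPath $stage) {
    $item = Get-Item -LiteralPath $stage
    $findings += [pscustomobject]@{
        Check  = 'SysInt.log'
        Detail = "$stage ($($item.Length) bytes, last written $($item.LastWriteTime))"
    }
}

if ($findings.Count -eq 0) {
    'No DarkBeatC2-style artefacts found.'
} else {
    $findings | Format-Table -AutoSize
}
```

Run it from an elevated PowerShell session so the registry key and the scheduled-task store are readable; a hit on the AutodialDLL check is the strongest signal of the three, since the other two have benign explanations on many hosts and are best read alongside it.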
“This framework is similar to previous C2 frameworks used by MuddyWater,” Kenin said. “PowerShell remains their 'bread and butter'.”
The hacker group Curious Serpens targets the defense sector via the FalseFont backdoor
The disclosure comes as Palo Alto Networks Unit 42 analyzed the inner workings of a backdoor called FalseFont used by an Iranian threat actor known as Peach Sandstorm (also known as APT33, Curious Serpens, Elfin, and Refined Kitten) in attacks targeting the aerospace and defense industries.
“Cybercriminals mimic legitimate HR software, using a fake job recruitment process to trick victims into installing the backdoor,” said security researchers Tom Fakterman, Daniel Frank and Jerome Tujague, describing FalseFont as “highly targeted.”
Once installed, it presents a login interface that impersonates an aerospace company and captures the credentials, as well as the educational and work history, that the victim enters, sending them in JSON format to a C2 server controlled by the attackers.
The implant, in addition to its graphical user interface (GUI) component for user input, stealthily activates a second component in the background that establishes persistence on the system, collects system metadata and executes commands and processes sent by the C2 server.
Other features of FalseFont include the ability to download and upload files, steal credentials, take screenshots, kill specific processes, execute PowerShell commands, and update the malware itself.