A previously unseen command-and-control (C2) framework called PhonyC2 has been attributed to the Iranian state-sponsored group MuddyWater.
The custom-made and constantly developing PhonyC2 was used by the threat actor to exploit the Log4j vulnerability in the Israeli SysAid software, in the attack against Technion, an Israeli institute, and in the ongoing attack against the PaperCut print management software, according to a report by Deep Instinct.
“At the beginning of May 2023, Microsoft’s Twitter post mentioned that they had observed MuddyWater exploiting CVE-2023-27350 in the PaperCut print management software,” Deep Instinct said in its report, adding that while Microsoft did not share any new indicators, they noted that MuddyWater was using tools from prior intrusions to connect to their C2 infrastructure and referenced their blog on the Technion hack, which the researchers had already established was using PhonyC2.
“Around the same time, Sophos published indicators from various PaperCut intrusions they have seen. Deep Instinct found that two IP addresses from these intrusions are PhonyC2 servers based on URL patterns,” Deep Instinct said.
MuddyWater has been active since 2017 and is generally believed to be a subordinate unit within Iran’s Ministry of Intelligence and Security. Its primary targets include Turkey, Pakistan, the UAE, Iraq, Israel, Saudi Arabia, Jordan, the US, Azerbaijan, and Afghanistan. The group primarily conducts cyberespionage activities and intellectual property (IP) theft attacks; on some occasions, it has deployed ransomware on targets.
Custom-made PhonyC2
Three malicious PowerShell scripts that were part of the PhonyC2_v6.zip archive were identified in April by Deep Instinct.