PhonyC2 – MuddyWater's New C2 (command & control) Center Uncovered

by Esmeralda McKenzie

Just recently, security analysts at Deep Instinct discovered that MuddyWater (aka Mango Sandstorm and Mercury), an Iranian state-backed group, has been using a new command-and-control framework since 2021 that's dubbed "PhonyC2."

PhonyC2, an actively developed framework, was used in the Technion attack (Feb 2023), and MuddyWater keeps updating PhonyC2 and improving its TTPs to evade detection.

Leveraging social engineering, MuddyWater breaches patched systems as its main entry point. Deep Instinct's threat research team found three malicious PowerShell scripts in April 2023 inside the PhonyC2_v6.zip archive.

MuddyWater's New PhonyC2

MuddyWater, a cyber espionage group linked to Iran's MOIS since 2017, has been implicated by Microsoft in destructive attacks on hybrid environments and in collaboration with Storm-1084 for:-

  • Reconnaissance
  • Persistence
  • Lateral movement

Iran engages in strategic cyber operations, primarily focusing on neighboring states, along with geopolitical rivals, for intelligence collection. The primarily targeted rivals are listed below:-

  • Israel
  • Saudi Arabia
  • Arabic Gulf countries

Along with the PhonyC2 zip file, Sicehice (an organization automating cyber threat intelligence collection from 30+ sources and facilitating IP lookups for users) shared more server data, including the revealing ".bash_history" file with the commands executed by the threat actors.

[Figure: Start of .bash_history file (Source – Deep Instinct)]

[Figure: End of .bash_history file (Source – Deep Instinct)]

Suspicion arose because known MuddyWater tools were present on the server and it communicated with their known IP addresses, suggesting PhonyC2 is their framework.

The group orchestrates attack chains using vulnerable public servers and social engineering as its primary access methods to breach targets of interest, similar to other Iran-linked intrusion sets.

[Figure: Attack flow (Source – Deep Instinct)]

Social engineering plays an important role in Iranian APT tradecraft for cyber espionage and information operations. In April 2023, Deep Instinct discovered the PhonyC2 framework on a server linked to MuddyWater's broader infrastructure used in the Technion attack this year.

PhonyC2, in its latest version, is written in Python 3 and shares structural and functional similarities with the Python 2-based MuddyC3, a previous custom C2 framework by MuddyWater.

[Figure: MuddyC3 (Source – Deep Instinct)]

The artifact names "C:\programdata\db.sqlite" and "C:\programdata\db.ps1" are associated with MuddyWater, and Microsoft labeled them as custom PowerShell backdoors. However, these backdoors are dynamically generated through PhonyC2 for execution on the infected hosts.
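The two artifact paths above give defenders a concrete thing to look for. The following host triage script is an added example and is not code from the article, from Deep Instinct, or from the PhonyC2 framework itself: it checks a Windows host for the two file paths named above, hashes anything it finds, and searches PowerShell Script Block Logging events (event ID 4104 in the Microsoft-Windows-PowerShell/Operational log, which must be enabled for that part to return anything) for script blocks that reference either file name. The seven-day look-back window and the output shape are assumptions chosen for this example.

```powershell
# Added defender triage example (not from the article or Deep Instinct):
# check a Windows host for the MuddyWater artifact paths named above and
# for PowerShell script-block log entries that reference them.
# Assumes Script Block Logging is enabled (event ID 4104 in the
# Microsoft-Windows-PowerShell/Operational log).

$ArtifactPaths = @(
    'C:\programdata\db.sqlite',   # path named in the article
    'C:\programdata\db.ps1'       # path named in the article
)

$Findings = @()

# 1. File-system check: does either artifact exist on this host?
foreach ($Path in $ArtifactPaths) {
    if (Test-Path -LiteralPath $Path) {
        $Item = Get-Item -LiteralPath $Path
        $Findings += [pscustomobject]@{
            Type     = 'FileArtifact'
            Path     = $Path
            Size     = $Item.Length
            Modified = $Item.LastWriteTimeUtc
            Sha256   = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
            RecordId = $null
        }
    }
}

# 2. Log check: look back seven days (assumed window) for script blocks
#    that mention either artifact name, even if the file has since been removed.
$Since  = (Get-Date).AddDays(-7)
$Filter = @{
    LogName   = 'Microsoft-Windows-PowerShell/Operational'
    Id        = 4104
    StartTime = $Since
}
try {
    $Events = Get-WinEvent -FilterHashtable $Filter -ErrorAction Stop
} catch {
    $Events = @()   # log absent, logging disabled, or no matching events
}

foreach ($Event in $Events) {
    # The Message text of a 4104 event carries the logged script block.
    # Single-quoted string, so the regex receives a literal backslash.
    if ($Event.Message -match 'programdata\\db\.(sqlite|ps1)') {
        $Findings += [pscustomobject]@{
            Type     = 'ScriptBlockLog'
            Path     = $null
            Size     = $null
            Modified = $Event.TimeCreated.ToUniversalTime()
            Sha256   = $null
            RecordId = $Event.RecordId
        }
    }
}

if ($Findings.Count -eq 0) {
    Write-Output 'No db.sqlite / db.ps1 artifacts or matching script blocks found on this host.'
} else {
    $Findings | Format-Table -AutoSize
}
```

Run it in an elevated PowerShell session, since reading the operational log and hashing files under C:\programdata may require administrator rights. A hit in the file check is worth preserving (hash and timestamp) before any cleanup; a hit only in the 4104 log indicates the backdoor was generated and executed on the host at some point even if the file no longer exists.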

PhonyC2, a post-exploitation framework, generates payloads that connect to the C2 for the final intrusion steps. Threat intel researcher Simon Kenin notes that it is a successor to MuddyC3 and POWERSTATS.

Supported Commands

The commands supported by the framework are listed below:-

  • payload
  • droper
  • Ex3cut3
  • list
  • setcommandforall
  • use
  • persist

The framework creates various PowerShell payloads for the operator, and using them requires initial access to the victim machine.

The C2 bridges the attack's initial and final phases, which is very important for MuddyWater's stealth and information collection from victims. Not only that, the group also uses multiple custom C2 frameworks in major attacks.

Source credit : cybersecuritynews.com
