PhonyC2 MuddyWater

Security analysts at Deep Instinct have found that MuddyWater (also tracked as Mango Sandstorm and Mercury), an Iranian state-backed group, has been using a new command-and-control framework, dubbed “PhonyC2,” since 2021.

PhonyC2 is actively developed: it was used in the Technion attack (February 2023), and MuddyWater keeps updating it and modifying its TTPs to evade detection.

MuddyWater’s primary access route is social engineering, which it uses to breach systems that are otherwise patched. In April 2023, Deep Instinct’s threat research team discovered three malicious PowerShell scripts within the PhonyC2 archive.

MuddyWater’s New PhonyC2

MuddyWater is a cyber espionage group that has been linked to Iran’s MOIS since 2017. Microsoft has implicated it in destructive attacks on hybrid environments and in collaboration with Storm-1084 for:-

  • Reconnaissance
  • Persistence
  • Lateral movement

Iran engages in strategic cyber operations, primarily targeting neighboring states, including geopolitical rivals, for intelligence collection. Its primary targets are:-

  • Israel
  • Saudi Arabia
  • Arabic Gulf countries

Along with the PhonyC2 zip file, Sicehice (an organization that automates cyber threat intelligence collection from 30+ sources and lets users search IP addresses) shared more files from the server, including a revealing “.bash_history” file containing the commands executed by the threat actors.

Start of .bash_history file (Source – Deep Instinct)
End of .bash_history file (Source – Deep Instinct)

The presence of known MuddyWater tools on the server, and its communication with IP addresses already attributed to the group, point to PhonyC2 being their framework.

The group orchestrates attack chains using vulnerable public servers and social engineering as primary access points to breach targeted interests, similar to other Iran-linked intrusion sets.

Attack flow (Source – Deep Instinct)

Social engineering plays a vital role in Iranian APT tradecraft for cyber espionage and information operations. In April 2023, Deep Instinct found the PhonyC2 framework on a server linked to MuddyWater’s broader infrastructure used in the Technion attack this year.

PhonyC2, the latest version, is written in Python3, sharing structural and functional similarities with Python2-based MuddyC3, a previous custom C2 framework by MuddyWater.

MuddyC3 (Source – Deep Instinct)

The artifact names “C:\programdata\db.sqlite” and “C:\programdata\db.ps1” tie the framework to MuddyWater; Microsoft labeled them as customized PowerShell backdoors. More precisely, these backdoors are dynamically generated by PhonyC2 for execution on the infected hosts.
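The two artifact paths above are the concrete host indicators this report gives a defender, so the following is a small hunt routine that scans endpoint telemetry for them. It is an example added to this article, not code from Deep Instinct or from PhonyC2 itself; the log records are constructed, and the simplified event schema (`event`, `host`, `image`, `command_line`, `target_path`) is an assumption rather than any product’s real format. Matching is case-insensitive and tolerant of forward slashes, because NTFS paths are case-insensitive and the paths appear in lowercase in the reporting.

```python
"""Hunt for the PhonyC2 host artifacts named in the article in endpoint telemetry.

Added example (not Deep Instinct's or the framework's code). The telemetry
below is constructed sample data with an assumed, simplified JSON-lines schema.
"""
import json
import re
from typing import Iterable

# Artifact paths exactly as reported in the article.
PHONYC2_ARTIFACTS = (
    r"C:\programdata\db.sqlite",
    r"C:\programdata\db.ps1",
)


def _norm(path: str) -> str:
    """Lower-case and unify separators so 'C:/ProgramData/DB.PS1' still matches."""
    return path.replace("/", "\\").lower()


_ARTIFACT_SET = {_norm(p) for p in PHONYC2_ARTIFACTS}
# One regex so a command line referencing either artifact is caught in one pass.
_ARTIFACT_RE = re.compile("|".join(re.escape(p) for p in _ARTIFACT_SET))


def find_phonyc2_artifacts(records: Iterable[dict]) -> list[dict]:
    """Return one hit per record that references a PhonyC2 artifact path.

    process_create records are matched on the command line (a substring match,
    since the path may be passed as an argument); file_create records are
    matched on the exact created path, so a db.sqlite elsewhere is not a hit.
    """
    hits = []
    for rec in records:
        kind = rec.get("event")
        matched = None
        if kind == "process_create":
            m = _ARTIFACT_RE.search(_norm(rec.get("command_line", "")))
            if m:
                matched = m.group(0)
        elif kind == "file_create":
            target = _norm(rec.get("target_path", ""))
            if target in _ARTIFACT_SET:
                matched = target
        if matched:
            hits.append({
                "host": rec.get("host"),
                "event": kind,
                "image": rec.get("image"),
                "artifact": matched,
            })
    return hits


# Constructed sample telemetry (assumed schema). Raw string so JSON sees '\\'.
SAMPLE_TELEMETRY = r"""
{"host": "ws01", "event": "process_create", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "command_line": "powershell.exe -File C:\\ProgramData\\db.ps1"}
{"host": "ws01", "event": "file_create", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "target_path": "C:\\ProgramData\\db.sqlite"}
{"host": "ws02", "event": "process_create", "image": "C:\\Windows\\System32\\notepad.exe", "command_line": "notepad.exe C:\\Users\\alice\\notes.txt"}
{"host": "ws02", "event": "file_create", "image": "C:\\Users\\alice\\app\\app.exe", "target_path": "C:\\Users\\alice\\app\\db.sqlite"}
"""


def scan_sample() -> list[dict]:
    """Parse the constructed JSON-lines telemetry and run the hunt over it."""
    records = (json.loads(line) for line in SAMPLE_TELEMETRY.strip().splitlines())
    return find_phonyc2_artifacts(records)


if __name__ == "__main__":
    for hit in scan_sample():
        print(hit)
```

Run against the sample, the routine flags the PowerShell launch of `db.ps1` and the creation of `db.sqlite` under ProgramData on ws01, while the unrelated `db.sqlite` in a user profile on ws02 is ignored; in practice the same function would be fed process-creation and file-creation events exported from EDR or Sysmon after mapping them to this schema.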

PhonyC2 is a post-exploitation framework that generates payloads which connect back to the C2 for the final steps of an intrusion. Threat intelligence researcher Simon Kenin notes that it is a successor to MuddyC3 and POWERSTATS.

Supported Commands

The framework supports the following commands:-

  • payload
  • droper
  • Ex3cut3
  • list
  • setcommandforall
  • use
  • persist

The framework generates a variety of PowerShell payloads for the operator; using them requires initial access to the victim machine.

The C2 bridges the initial and final phases of the attack, which is crucial for MuddyWater’s stealth and for collecting data from victims. The group also employs multiple custom C2 frameworks in its major attacks.


Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.