Cyber Security News

PhonyC2 – MuddyWater’s New C2 (command & control) Center Uncovered

Security analysts at Deep Instinct have found that MuddyWater (aka Mango Sandstorm and Mercury), an Iranian state-backed group, has been using a new command-and-control framework, dubbed “PhonyC2,” since 2021.

PhonyC2 is actively developed: it was used in the Technion attack (Feb 2023), and MuddyWater keeps updating the framework and modifying its TTPs to evade detection.

MuddyWater’s primary initial-access vector is social engineering, which lets it breach even patched systems. Deep Instinct’s threat research team discovered three malicious PowerShell scripts in April 2023 inside the PhonyC2_v6.zip archive.

MuddyWater’s New PhonyC2

MuddyWater is a cyber espionage group that has been linked to Iran’s MOIS since 2017. Microsoft has implicated the group in destructive attacks on hybrid environments and in collaboration with Storm-1084 for:-

  • Reconnaissance
  • Persistence
  • Lateral movement

Iran engages in strategic cyber operations, primarily targeting neighboring states and geopolitical rivals for intelligence collection. Here below, we have mentioned the primary targets:-

  • Israel
  • Saudi Arabia
  • Arabic Gulf countries

Along with the PhonyC2 zip file, Sicehice (an organization that automates cyber threat intelligence collection from 30+ sources and offers IP search to users) shared more files from the server, including a revealing “.bash_history” file containing the commands executed by the threat actors.

Start of .bash_history file (Source – Deep Instinct)
End of .bash_history file (Source – Deep Instinct)

The presence of known MuddyWater tools on the server, together with communication with IP addresses already attributed to the group, indicates that PhonyC2 is MuddyWater’s framework.

Like other Iran-linked intrusion sets, the group builds its attack chains on vulnerable public-facing servers and social engineering as its primary access points into targeted organizations.

Attack flow (Source – Deep Instinct)

Social engineering plays a vital role in Iranian APT tradecraft for cyber espionage and information operations. In April 2023, Deep Instinct found the PhonyC2 framework on a server linked to MuddyWater’s broader infrastructure used in the Technion attack this year.

The latest version of PhonyC2 is written in Python 3 and shares structural and functional similarities with MuddyC3, a previous Python 2-based custom C2 framework by MuddyWater.

MuddyC3 (Source – Deep Instinct)

The artifact names “C:\programdata\db.sqlite” and “C:\programdata\db.ps1” are tied to MuddyWater, and Microsoft labeled them as customized PowerShell backdoors. In fact, these backdoors are generated dynamically by PhonyC2 for execution on the infected hosts.
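As an added triage example (not code from the article or from Deep Instinct’s report), the following PowerShell script checks a Windows host for the two artifact paths named above, records hashes and timestamps for any file found, and searches the PowerShell script block log (Event ID 4104 in Microsoft-Windows-PowerShell/Operational) for references to db.ps1. The function names and the assumption that script block logging is enabled are this example’s own.

```powershell
# Added example: hunt for the PhonyC2-linked artifact paths named in the article.
# Assumes Windows PowerShell 5.1+ run as an administrator; the function names are
# this example's own and not part of any tool mentioned in the article.
$ArtifactPaths = @(
    'C:\ProgramData\db.sqlite',
    'C:\ProgramData\db.ps1'
)

function Get-PhonyC2ArtifactReport {
    param([string[]]$Paths = $ArtifactPaths)
    foreach ($Path in $Paths) {
        if (Test-Path -LiteralPath $Path -PathType Leaf) {
            $Item = Get-Item -LiteralPath $Path
            [PSCustomObject]@{
                Path        = $Path
                Present     = $true
                SizeBytes   = $Item.Length
                CreatedUtc  = $Item.CreationTimeUtc
                WrittenUtc  = $Item.LastWriteTimeUtc
                SHA256      = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
            }
        } else {
            [PSCustomObject]@{
                Path = $Path; Present = $false; SizeBytes = $null
                CreatedUtc = $null; WrittenUtc = $null; SHA256 = $null
            }
        }
    }
}

function Get-PhonyC2ScriptBlockHits {
    # Script block logging (Event ID 4104) must be enabled for this to return anything.
    param([string]$Pattern = 'db\.ps1|db\.sqlite')
    try {
        Get-WinEvent -FilterHashtable @{
            LogName = 'Microsoft-Windows-PowerShell/Operational'
            Id      = 4104
        } -ErrorAction Stop |
        Where-Object { $_.Message -match $Pattern } |
        Select-Object TimeCreated, Id, @{ Name = 'Snippet'; Expression = { $_.Message.Substring(0, [Math]::Min(200, $_.Message.Length)) } }
    } catch {
        Write-Warning "No matching 4104 events or log unavailable: $($_.Exception.Message)"
    }
}

Get-PhonyC2ArtifactReport | Format-Table -AutoSize
Get-PhonyC2ScriptBlockHits | Format-List
```

A hit from either function is an indicator to preserve, not to delete: hash the file and export the matching events before any remediation so the evidence survives for incident response.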

PhonyC2 is a post-exploitation framework that generates payloads connecting back to the C2 for the final stages of an intrusion. Threat intel researcher Simon Kenin notes that it is a successor to MuddyC3 and POWERSTATS.

Supported Commands

Here below, we have mentioned all the commands that are supported by the framework:-

  • payload
  • droper
  • Ex3cut3
  • list
  • setcommandforall
  • use
  • persist

The framework creates diverse PowerShell payloads for the operator, but initial access to the victim machine is still required before they can be used.

The C2 bridges the initial and final phases of the attack, which is crucial for MuddyWater’s stealth and for collecting data from victims. The group also employs multiple custom C2 frameworks in its major attacks.


Guru

Gurubaran is a Security Consultant, Security Editor & Co-Founder of Cyber Security News & GBHackers On Security.
