Summary:
MuddyWater, also known as Mango Sandstorm (Mercury), is a cyber espionage group operating under the Iranian Ministry of Intelligence and Security (MOIS). Recently, a new command and control (C2) framework called PhonyC2 has been discovered, which has been actively used by MuddyWater since at least 2021. The framework, similar to their previous creation MuddyC3, is continuously developed and has been used in attacks such as the one on the Technion Institute and the ongoing PaperCut exploitation campaign. MuddyWater relies on social engineering as its primary method of initial access, so organizations should harden their systems and monitor PowerShell activity to detect and prevent these attacks.

Infection Chain
The investigation includes a closer look at the code and its functionalities. The PhonyC2 framework is a post-exploitation tool used to generate payloads that connect back to the command and control (C2) server for further instructions in the intrusion process. The framework utilizes various techniques to achieve persistence on compromised hosts, including writing encrypted payloads to the Windows registry and executing scripts at startup. The research also uncovers connections between PhonyC2 and previous MuddyWater activities. The IP addresses associated with PhonyC2 have been identified in reports by Microsoft and other security firms as C2 servers used by MuddyWater. The analysis indicates that PhonyC2 is a successor to MuddyC3 and POWERSTATS, and it shares structural and functional similarities with these frameworks.
Furthermore, the investigation highlights additional IP addresses and domains that are potentially linked to MuddyWater's operations. The use of certain strings, such as "apiy7" and "core," in the code and infrastructure further supports the connection to MuddyWater. The threat group has been observed exploiting vulnerabilities in software like SysAid and PaperCut, using tools from previous intrusions to connect to their C2 infrastructure. Overall, the analysis suggests that PhonyC2 is a tool employed by MuddyWater for conducting targeted attacks and maintaining persistence on compromised systems. The threat group continues to evolve the framework and change tactics to evade detection.
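The summary recommends monitoring PowerShell activity and describes persistence via encrypted payloads stored in the registry and executed at startup. The following triage script is an added example, not code from the original report: it scores constructed PowerShell ScriptBlock log text (the body of Event ID 4104 records) against that chain, flagging blocks that read the registry, decode or decrypt the stored value, and pass the result to a dynamic execution primitive, as well as Run-key writes that carry encoded commands. The sample records, the "ExampleVendor" key name and the base64 fragment are all constructed.

```python
"""Heuristic triage of PowerShell ScriptBlock text for registry-staged payloads.
Added example with constructed sample data; patterns are illustrative, not exhaustive."""
import re
from dataclasses import dataclass, field

# Reading or writing registry values from PowerShell or reg.exe (T1112).
REG_ACCESS = re.compile(
    r"(?:Get|Set|New)-ItemProperty(?:Value)?|\[Microsoft\.Win32\.Registry\]|reg(?:\.exe)?\s+(?:add|query)", re.I)
# Run / RunOnce autostart locations (T1547).
AUTOSTART = re.compile(r"CurrentVersion\\Run(?:Once)?", re.I)
# Decoding or decrypting stored bytes before use (T1132).
DECODE = re.compile(r"FromBase64String|-EncodedCommand|\s-e(?:nc)?\s|AesCryptoServiceProvider|\.Decrypt\(|-bxor", re.I)
# Dynamic execution of the decoded result (T1059).
EXECUTE = re.compile(r"Invoke-Expression|\biex\b|\[ScriptBlock\]::Create|Invoke-Command", re.I)

CHECKS = (("registry", REG_ACCESS), ("autostart", AUTOSTART), ("decode", DECODE), ("execute", EXECUTE))

@dataclass
class Finding:
    record_id: int
    hits: list = field(default_factory=list)
    score: int = 0

def score_block(record_id: int, text: str) -> Finding:
    """Score one script block: one point per matched stage, plus a bonus when the
    full read-decode-execute chain appears together, which is the strongest signal."""
    f = Finding(record_id)
    f.hits = [name for name, rx in CHECKS if rx.search(text)]
    f.score = len(f.hits) + (2 if {"registry", "decode", "execute"} <= set(f.hits) else 0)
    return f

def triage(records, threshold: int = 3) -> list:
    """Return findings at or above the threshold, highest score first."""
    found = [score_block(i, t) for i, t in records]
    return sorted((f for f in found if f.score >= threshold), key=lambda f: -f.score)

# Constructed 4104-style script block bodies: (record id, script text).
SAMPLE_BLOCKS = [
    (1, r"Get-ChildItem C:\Users -Recurse | Measure-Object"),
    (2, r"$d=(Get-ItemProperty -Path 'HKCU:\Software\ExampleVendor').blob;"
        r"iex ([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($d)))"),
    (3, r"Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name Backup -Value 'C:\tools\backup.exe'"),
    (4, r"New-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -Name upd -Value 'powershell -w hidden -enc SQBFAFgA'"),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_BLOCKS):
        print(f"record {f.record_id}: score={f.score} stages={','.join(f.hits)}")
```

Record 3 (a plain Run-key entry pointing at an executable) stays below the threshold, while the registry-read-and-decode block and the encoded Run-key command are surfaced; tune the patterns and threshold against your own baseline before relying on them.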
Threat Profile:
| Tactic | Technique Id | Technique |
|---|---|---|
| Execution | T1059 | Command and Scripting Interpreter |
| Persistence | T1547 | Boot or Logon Autostart Execution |
| Defense Evasion | T1564 | Hide Artifacts |
| Defense Evasion | T1070 | Indicator Removal |
| Defense Evasion | T1112 | Modify Registry |
| Command and Control | T1071 | Application Layer Protocol |
| Command and Control | T1132 | Data Encoding |
| Command and Control | T1105 | Ingress Tool Transfer |
References:
The following reports contain further technical details:
https://thehackernews.com/2023/06/from-muddyc3-to-phonyc2-irans.html