The Iranian threat actor known as MuddyWater has been attributed to a new command-and-control (C2) infrastructure called DarkBeatC2, becoming the latest such tool in its arsenal after SimpleHarm, MuddyC3, PhonyC2, and MuddyC2Go.
“While occasionally switching to a new remote administration tool or changing their C2 framework, MuddyWater’s methods remain constant,” Deep Instinct security researcher Simon Kenin said in a technical report published last week.
MuddyWater, also called Boggy Serpens, Mango Sandstorm, and TA450, is assessed to be affiliated with Iran’s Ministry of Intelligence and Security (MOIS). It’s known to be active since at least 2017, orchestrating spear-phishing attacks that lead to the deployment of various legitimate Remote Monitoring and Management (RMM) solutions on compromised systems.
Prior findings from Microsoft show that the group has ties with another Iranian threat activity cluster tracked as Storm-1084 (aka DarkBit), with the latter leveraging the access to orchestrate destructive wiper attacks against Israeli entities.
The latest attack campaign, details of which were also previously revealed by Proofpoint last month, commences with spear-phishing emails sent from compromised accounts that contain links or attachments hosted on services like Egnyte to deliver the Atera Agent software.
One of the URLs in question is “kinneretacil.egnyte[.]com,” where the subdomain “kinneretacil” refers to “kinneret.ac.il,” an educational institution in Israel and a customer of Rashim, which, in turn, was breached by Lord Nemesis (aka Nemesis Kitten or TunnelVision) as part of a supply chain attack targeting the academic sector in the country.
Lord Nemesis is suspected of being a “faketivist” operation directed against Israel. It’s also worth noting that Nemesis Kitten is a private contracting company called Najee Technology, a subgroup within Mint Sandstorm that’s backed by Iran’s Islamic Revolutionary Guard Corps (IRGC). The company was sanctioned by the U.S. Treasury in September 2022.
“This is important because if ‘Lord Nemesis’ were able to breach Rashim’s email system, they might have breached the email systems of Rashim’s customers using the admin accounts that now we know they obtained from ‘Rashim,'” Kenin explained.
The web of connections has raised the possibility that MuddyWater may have used the email account associated with Kinneret to distribute the links, thereby giving the messages an illusion of trust and tricking the recipients into clicking them.
“While not conclusive, the timeframe and context of the events indicate a potential hand-off or collaboration between IRGC and MOIS to inflict as much harm as possible on Israeli organizations and individuals,” Kenin further added.
The attacks are also notable for relying on a set of domains and IP addresses collectively dubbed DarkBeatC2 that are responsible for managing the infected endpoints. This is accomplished by means of PowerShell code designed to establish contact with the C2 server upon gaining initial access through other means.
According to independent findings from Palo Alto Networks Unit 42, the threat actor has been observed abusing the Windows Registry’s AutodialDLL function to side-load a malicious DLL and ultimately set up connections with a DarkBeatC2 domain.
The mechanism, in particular, involves establishing persistence through a scheduled task that runs PowerShell to leverage the AutodialDLL registry key and load the DLL for C2 framework. The cybersecurity firm said the technique was put to use in a cyber attack aimed at an unnamed Middle East target.
Other methods adopted by MuddyWater to establish a C2 connection include the use of a first-stage payload delivered via the spear-phishing email and leveraging DLL side-loading to execute a malicious library.
A successful contact allows the infected host to receive PowerShell responses that, for its part, fetches two more PowerShell scripts from the same server.
While one of the scripts is designed to read the contents of a file named “C:\ProgramData\SysInt.log” and transmit them to the C2 server via an HTTP POST request, the second script periodically polls the server to obtain additional payloads and writes the results of the execution to “SysInt.log.” The exact nature of the next-stage payload is currently unknown.
“This framework is similar to the previous C2 frameworks used by MuddyWater,” Kenin said. “PowerShell remains their ‘bread and butter.'”
Curious Serpens Targets Defense Sector with FalseFont Backdoor
The disclosure comes as Unit 42 unpacked the inner workings of a backdoor called FalseFont that’s used by an Iranian threat actor known as Peach Sandstorm (aka APT33, Curious Serpens, Elfin, and Refined Kitten) in attacks targeting the aerospace and defense sectors.
“The threat actors mimic legitimate human resources software, using a fake job recruitment process to trick victims into installing the backdoor,” security researchers Tom Fakterman, Daniel Frank, and Jerome Tujague said, describing FalseFont as “highly targeted.”
Once installed, it presents a login interface impersonating an aerospace company and captures the credentials as well as the educational and employment history entered by the victim to a threat-actor controlled C2 server in JSON format.
The implant, besides its graphical user interface (GUI) component for user inputs, also stealthily activates a second component in the background that establishes persistence on the system, gathers system metadata, and executes commands and processes sent from the C2 server.
Other features of FalseFont include the ability to download and upload files, steal credentials, capture screenshots, terminate specific processes, run PowerShell commands, and self-update the malware.