MuddyWater, an Iranian threat actor, has used a novel command-and-control (C2) infrastructure known as DarkBeatC2 in its the most recent attack. This tool joins a list of previously used systems, including SimpleHarm, MuddyC3, PhonyC2, and MuddyC2Go.
In a recent technical study, Deep Instinct security researcher Simon Kenin stated that, despite periodic modifications in remote administration tools or changes in C2 frameworks, MuddyWater's strategies consistently follow a pattern.
MuddyWater, also known as Boggy Serpens, Mango Sandstorm, and TA450, is linked to Iran's Ministry of Intelligence and Security (MOIS) and has been operational since at least 2017. The group orchestrates spear-phishing attacks, which result in the installation authorised Remote Monitoring and Management (RMM) solutions on compromised systems.
Prior intelligence from Microsoft connects the group to another Iranian threat cluster known as Storm-1084 (also known as DarkBit), which has been involved in devastating wiper assaults against Israeli entities.
The latest attack, which Proofpoint revealed last month, starts off with spear-phishing emails sent from compromised accounts. These emails include links or attachments hosted on services such as Egnyte, which facilitate the distribution of the Atera Agent software.
One of the URLs used is "kinneretacil.egnyte[.]com," with the subdomain "kinneretacil" referring to "kinneret.ac.il," an Israeli educational institution.
Lord Nemesis (also known as Nemesis Kitten or TunnelVision) targeted a Rashim customer's supply chain.
Lord Nemesis, who is accused of orchestrating operations against Israel, is employed by Najee Technology, a private contracting company linked to Iran's Islamic Revolutionary Guard Corps (IRGC).
Kenin underlined the possible consequences of Rashim's breach, claiming that Lord Nemesis might have exploited the compromised email system to target Rashim's customers, giving the phishing emails a veneer of authenticity.
Although solid proof is missing, the timing and context of events indicate a possible coordination between the IRGC and MOIS to cause serious harm to Israeli entities.
Notably, the attacks leverage a collection of domains and IP addresses known as DarkBeatC2 to manage compromised endpoints. This is done using PowerShell code that creates communication with the C2 server after initial access.
According to independent research by Palo Alto Networks Unit 42, MuddyWater used the Windows Registry's AutodialDLL function to sideload a malicious DLL and make connections with DarkBeatC2 domains.
This method entails creating persistence via a scheduled task that uses PowerShell to exploit the AutodialDLL registry entry and load the DLL for the C2 framework.
MuddyWater's other approaches include sending a first-stage payload via spear-phishing emails and using DLL side-loading to execute malicious libraries.
Upon successful communication, the infected machine receives PowerShell responses and downloads two further PowerShell scripts from the server. One script reads the contents of a file called "C:\ProgramData\SysInt.log" and sends them to the C2 server via an HTTP POST request, while the second script polls the server on a regular basis for new payloads.
The particular nature of the subsequent payload is unknown, but Kenin emphasised that PowerShell remains critical to MuddyWater's operations.