The Iranian state-sponsored group dubbed MuddyWater has been attributed to a previously unseen command-and-control (C2) framework called PhonyC2 that’s been put to use by the actor since 2021.
Evidence shows that the custom-made, actively developed framework was used in the February 2023 attack on Technion, an Israeli research institute, cybersecurity firm Deep Instinct said in a report shared with The Hacker News.
What’s more, additional links have been unearthed between the Python 3-based program and other attacks carried out by MuddyWater, including the ongoing exploitation of PaperCut servers.
“It is structurally and functionally similar to MuddyC3, a previous MuddyWater custom C2 framework that was written in Python 2,” security researcher Simon Kenin said. “MuddyWater is continuously updating the PhonyC2 framework and changing TTPs to avoid detection.”
MuddyWater, also known as Mango Sandstorm (previously Mercury), is a cyber espionage group that has operated on behalf of Iran’s Ministry of Intelligence and Security (MOIS) since at least 2017.
The findings arrive nearly three months after Microsoft implicated the threat actor in destructive attacks on hybrid environments, while also calling out its collaboration with a related cluster tracked as Storm-1084 (aka DEV-1084 or DarkBit) for reconnaissance, persistence, and lateral movement.