Iranian Group Targets Telecom Giants Using Advanced MuddyC2Go Arsenal

Telecommunication companies operating in Egypt, Sudan, and Tanzania recently faced a targeted cyber-espionage campaign orchestrated by the Iranian group Seedworm, also known as Muddywater.

The attack, occurring in November 2023, utilized a variety of tools, including the recently uncovered MuddyC2Go infrastructure by Deep Instinct.

In this focused campaign, the attackers deployed an array of tools, including a custom keylogging tool, the SimpleHelp remote access tool, and Venom Proxy, a tool previously associated with Seedworm activity.

Iranian Group Used MuddyC2Go

Analysts discovered the attack through PowerShell executions linked to the MuddyC2Go backdoor.

The Threat Hunter Team at Symantec reported that the MuddyC2Go launcher executed PowerShell code to establish a connection with its command-and-control (C&C) server. Subsequently, the attackers employed a scheduled task to launch the MuddyC2Go malware, together with command lines characteristic of the Impacket WMIExec hack tool.

Using the SimpleHelp remote access tool, the attackers established a connection to the C&C server at 146.70.124[.]102. Concurrently, PowerShell stager executions occurred alongside the deployment of the Revsocks tool.

The Iranian group also used a legitimate remote access application, AnyDesk. Additionally, they coupled this tool with MuddyC2Go-related PowerShell executions.

Earlier in 2023, the attackers appear to have used WMI to launch the SimpleHelp installer on the victim network. Although this behavior could not initially be linked to Seedworm, it now appears that the same group was responsible for the earlier activity.

Elevating Complexity: New Tools and Techniques

In a separate incident, the attackers introduced a new custom keylogger and executed a customized build of the Venom Proxy hack tool. SimpleHelp was employed for persistence on victim machines, underscoring the importance of vigilance regarding unusual PowerShell usage on business networks.

The MuddyC2Go executable’s embedded PowerShell script, automatically connecting to Seedworm’s C&C server, emphasizes the necessity for businesses to remain alert to any anomalous network activities.
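The tradecraft described in this article (PowerShell launched from a scheduled task with an encoded command, Impacket WMIExec-style command execution, remote-access tools such as SimpleHelp and AnyDesk appearing via WMI, and connections to the reported C&C address) translates directly into host-level detection logic. The script below is an added example, not code from the article or from Symantec; it runs a few such rules over constructed process-creation and network events shaped like Sysmon or Windows 4688 fields. The only indicator taken from the article is the C&C address 146.70.124[.]102; the host name, timestamps, binary names and command lines are constructed, and the WMIExec redirection pattern reflects wmiexec.py's default output redirection into the ADMIN$ share.

```python
"""Triage constructed Windows process and network events for Seedworm-style
tradecraft: scheduled-task PowerShell, WMIExec patterns, remote-access tools,
and connections to the reported C&C address. Added example; all events below
are constructed, not real telemetry."""
import re
from dataclasses import dataclass

# Indicator reported in the article (defanged there as 146.70.124[.]102).
C2_ADDRESSES = {"146.70.124.102"}

# Tools named in the article; in practice compare against an approved-tool allowlist.
REMOTE_ACCESS_TOOLS = {"simplehelp", "anydesk", "revsocks"}

# wmiexec.py by default redirects command output into the ADMIN$ share like this.
WMIEXEC_RE = re.compile(r"1>\s*\\\\127\.0\.0\.1\\ADMIN\$\\__\d+", re.IGNORECASE)
# PowerShell encoded-command switch followed by a base64 blob.
ENCODED_PS_RE = re.compile(r"(?i)(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}")


@dataclass
class Event:
    kind: str                 # "process" (creation) or "network" (outbound connection)
    host: str
    image: str = ""           # full path of the executing binary
    parent: str = ""          # full path of the parent process
    cmdline: str = ""
    parent_cmdline: str = ""
    dest_ip: str = ""


def _basename(path):
    return path.lower().rsplit("\\", 1)[-1]


def triage(events):
    """Return (host, rule, detail) tuples for every event matching a rule."""
    findings = []
    for ev in events:
        img, parent = _basename(ev.image), _basename(ev.parent)
        if ev.kind == "network":
            if ev.dest_ip in C2_ADDRESSES:
                findings.append((ev.host, "c2_connection", f"{img} -> {ev.dest_ip}"))
            continue
        if ev.kind != "process":
            continue
        # Rule 1: PowerShell with an encoded command started by the Task Scheduler.
        from_scheduler = parent == "taskeng.exe" or (
            parent == "svchost.exe" and "schedule" in ev.parent_cmdline.lower())
        if img == "powershell.exe" and from_scheduler and ENCODED_PS_RE.search(ev.cmdline):
            findings.append((ev.host, "scheduled_task_encoded_powershell", ev.cmdline[:60]))
        # Rule 2: cmd.exe spawned by the WMI provider host with WMIExec-style redirection.
        if img == "cmd.exe" and parent == "wmiprvse.exe" and WMIEXEC_RE.search(ev.cmdline):
            findings.append((ev.host, "wmiexec_pattern", ev.cmdline[:60]))
        # Rule 3: remote-access tooling executing at all (review against the allowlist).
        if any(tool in img for tool in REMOTE_ACCESS_TOOLS):
            findings.append((ev.host, "remote_access_tool", f"{img} (parent {parent})"))
    return findings


# Constructed sample events; hostnames, paths and blobs are illustrative only.
SAMPLE_EVENTS = [
    Event("process", "srv01", image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          parent=r"C:\Windows\System32\svchost.exe",
          parent_cmdline="svchost.exe -k netsvcs -p -s Schedule",
          cmdline="powershell.exe -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"),
    Event("process", "srv01", image=r"C:\Windows\System32\cmd.exe",
          parent=r"C:\Windows\System32\wbem\WmiPrvSE.exe",
          cmdline=r"cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1699999999.12 2>&1"),
    Event("network", "srv01", image=r"C:\ProgramData\SimpleHelp\simplehelp-remote.exe",
          dest_ip="146.70.124.102"),
    Event("process", "srv01", image=r"C:\Users\Public\simplehelp-installer.exe",
          parent=r"C:\Windows\System32\wbem\WmiPrvSE.exe", cmdline="simplehelp-installer.exe /S"),
    # Benign: an interactive PowerShell session started from Explorer.
    Event("process", "ws07", image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          parent=r"C:\Windows\explorer.exe", cmdline="powershell.exe Get-Service"),
]

if __name__ == "__main__":
    for host, rule, detail in triage(SAMPLE_EVENTS):
        print(f"{host:6} {rule:36} {detail}")
```

Run as-is, the script flags the four constructed malicious events and ignores the interactive PowerShell session. Rule 3 is deliberately noisy: the article's point is that SimpleHelp and AnyDesk are legitimate applications, so the value of that rule lies in comparing hits against the tools a given environment has actually approved.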
