A previously unseen command-and-control (C2) framework called PhonyC2 has been attributed to the Iranian state-sponsored group MuddyWater.
The custom-made and continuously evolving PhonyC2 was used by the threat actor in its exploitation of the Log4j vulnerability in the Israeli SysAid software, in the attack against Technion, an Israeli institution, and in the ongoing attacks against the PaperCut print management software, according to a report by Deep Instinct.
“At the beginning of May 2023, Microsoft’s Twitter post mentioned they had observed MuddyWater exploiting CVE-2023-27350 in the PaperCut print management software,” Deep Instinct said in its report, adding that while Microsoft did not share any new indicators, they noted that MuddyWater was using tools from prior intrusions to connect to their C2 infrastructure and referenced their blog on the Technion hack, which the researchers already established was using PhonyC2.
“About the same time, Sophos published indicators from various PaperCut intrusions they have seen. Deep Instinct found that two IP addresses from those intrusions are PhonyC2 servers based on URL patterns,” Deep Instinct said.
MuddyWater has been active since 2017 and is generally believed to be a subordinate unit within Iran’s Ministry of Intelligence and Security. Its top targets include Turkey, Pakistan, the UAE, Iraq, Israel, Saudi Arabia, Jordan, the US, Azerbaijan, and Afghanistan. The group primarily conducts cyberespionage activities and intellectual property (IP) theft attacks; on some occasions, they have deployed ransomware on targets.
Custom-made PhonyC2
Three malicious PowerShell scripts contained in the PhonyC2_v6.zip archive were identified by Deep Instinct in April.