MuddyC2Go: New C2 Framework Iranian Hackers Using Against Israel

November 9, 2023 at 06:39AM

Iranian state-sponsored hacking group MuddyWater is using a new command-and-control framework called MuddyC2Go in attacks targeting Israel. The framework, written in the Go programming language, is believed to have been in use since early 2020. MuddyC2Go generates PowerShell payloads for post-exploitation activities, and experts recommend close monitoring of PowerShell activity.

Key Takeaways from Meeting Notes:

– Iranian nation-state actors have been using a previously undocumented command-and-control (C2) framework called MuddyC2Go in cyber attacks targeting Israel.
– The web component of the framework is written in the Go programming language.
– MuddyC2Go is attributed to MuddyWater, an Iranian state-sponsored hacking group associated with the Ministry of Intelligence and Security (MOIS).
– The C2 framework may have been in use since early 2020 and has replaced PhonyC2, another MuddyWater platform.
– Previous attack sequences involved spear-phishing emails with malware-laced archives or deceptive links that led to the deployment of remote administration tools.
– MuddyWater has now started using password-protected archives and distributing an executable with an embedded PowerShell script instead of a remote administration tool.
– The PowerShell script automatically connects to the MuddyC2Go server, allowing for post-exploitation activities.
– The full extent of MuddyC2Go’s features is unknown, but it is suspected to generate PowerShell payloads for post-exploitation activities.
– Close monitoring of PowerShell activity is recommended, as is disabling PowerShell where it is not needed.

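One way to act on the monitoring recommendation above, as an added example that is not part of the article: the script below turns on PowerShell Script Block and Module logging through the same registry values Group Policy sets, then pulls recent script block events (ID 4104) so an analyst can review script text that reaches out over the network. The function names, the 24-hour lookback and the network-related regex are assumptions chosen for this example.

```powershell
# Added example (not from the article): enable PowerShell Script Block and Module
# logging, then list recent script block events (ID 4104) for review.
# Run from an elevated Windows PowerShell 5.x (or later) session.
# Function names, lookback window and the regex below are assumptions.

$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

function Enable-PowerShellLogging {
    # Script Block Logging: records the content of every script block as it runs
    $sbl = Join-Path $base 'ScriptBlockLogging'
    New-Item -Path $sbl -Force | Out-Null
    Set-ItemProperty -Path $sbl -Name 'EnableScriptBlockLogging' -Value 1 -Type DWord

    # Module Logging: records pipeline execution details for all modules ('*')
    $ml    = Join-Path $base 'ModuleLogging'
    $names = Join-Path $ml 'ModuleNames'
    New-Item -Path $names -Force | Out-Null
    Set-ItemProperty -Path $ml -Name 'EnableModuleLogging' -Value 1 -Type DWord
    Set-ItemProperty -Path $names -Name '*' -Value '*' -Type String
}

function Get-RecentScriptBlocks {
    param([int]$Hours = 24)
    # Event 4104 in the PowerShell Operational log carries the script text.
    $filter = @{
        LogName   = 'Microsoft-Windows-PowerShell/Operational'
        Id        = 4104
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # For 4104 events, Properties[2] holds the ScriptBlockText field
            [pscustomobject]@{
                Time   = $_.TimeCreated
                Script = $_.Properties[2].Value
            }
        }
}

Enable-PowerShellLogging

# Triage aid: surface logged script blocks that make outbound web calls, the
# kind of behaviour an embedded PowerShell C2 client would show.
Get-RecentScriptBlocks -Hours 24 |
    Where-Object { $_.Script -match 'Net\.WebClient|Invoke-WebRequest|Invoke-RestMethod' } |
    Format-Table -AutoSize -Wrap
```

Logging only takes effect for PowerShell sessions started after the registry values are written, so existing sessions should be restarted before relying on the output.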