April 12, 2024 at 06:15AM
MuddyWater, an Iranian threat actor, has been linked to a new command-and-control (C2) infrastructure called DarkBeatC2, used in spear-phishing campaigns that end with legitimate Remote Monitoring and Management (RMM) software being installed on victim systems. Separately, Iranian threat actor Peach Sandstorm has been observed using a backdoor called FalseFont in attacks on the aerospace and defense sectors.
The Iranian threat actor known as MuddyWater has been attributed a new command-and-control (C2) infrastructure called DarkBeatC2, the latest tool in its arsenal after SimpleHarm, MuddyC3, PhonyC2, and MuddyC2Go. MuddyWater, also tracked as Boggy Serpens, Mango Sandstorm, and TA450, has been active since at least 2017 and runs spear-phishing campaigns that lead to the deployment of legitimate Remote Monitoring and Management (RMM) tools on compromised systems, giving the operators signed, vendor-supported remote access that blends in with ordinary administrative activity.
Findings by Microsoft also tie the group to another Iranian threat activity cluster tracked as Storm-1084 (aka DarkBit), which has used access obtained by MuddyWater to carry out destructive wiper attacks against Israeli entities.
The latest campaign begins with spear-phishing emails sent from compromised accounts; the messages carry links or attachments hosted on services such as Egnyte that deliver the Atera Agent RMM software. There are strong indications that an email account associated with Kinneret, an educational institution in Israel, was used to distribute the links, lending the messages an appearance of legitimacy that makes recipients more likely to click.
Lord Nemesis is also suspected of being involved. Lord Nemesis is assessed to be Najee Technology, a private contracting company that operates as a subgroup of Mint Sandstorm, is backed by Iran's Islamic Revolutionary Guard Corps (IRGC), and was sanctioned by the U.S. Treasury in September 2022. Because MuddyWater is itself affiliated with Iran's Ministry of Intelligence and Security (MOIS), the overlap between these entities suggests a hand-off or collaboration between IRGC- and MOIS-linked operators aimed at Israeli organizations and individuals.
The attacks are also notable for relying on a set of domains and IP addresses collectively dubbed DarkBeatC2. MuddyWater has been observed abusing the Windows Registry's AutodialDLL value, which Winsock consults when applications open network connections, to side-load a malicious DLL that ultimately connects to a DarkBeatC2 domain. Persistence comes from a scheduled task that runs PowerShell to set the AutodialDLL registry key so that the DLL is loaded for the C2 framework. Because the loader is a built-in Windows mechanism and the trigger is ordinary network activity, the technique leaves few process-creation artifacts; the registry value and the task that sets it are the more reliable places to look.
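The following hunt script is an added example, not code from the original report or from any of the vendors it cites. It checks the two artifacts the technique above depends on: the AutodialDLL value under HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters, whose stock data on Windows 10/11 points at rasadhlp.dll, and scheduled tasks that run PowerShell with arguments referencing that key or a DLL, including arguments hidden behind -EncodedCommand. The expected default path and the task-argument patterns are assumptions chosen for this example and should be tuned to the environment.

```powershell
# Added example: hunt for AutodialDLL abuse and the PowerShell scheduled-task
# persistence described above. Not from the original report; the expected
# default DLL and the argument heuristics are assumptions for this example.
# Run in an elevated PowerShell session on the host being examined.

$Key      = 'HKLM:\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters'
$Expected = Join-Path $env:SystemRoot 'System32\rasadhlp.dll'   # stock value (assumption: unmodified image)

function Get-DecodedCommand {
    # Decode a -EncodedCommand payload (base64 of UTF-16LE) so the hunt also
    # inspects task actions that hide their script behind encoding.
    param([string]$Arguments)
    if ($Arguments -match '-(e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})') {
        try { return [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Matches[2])) }
        catch { return '' }
    }
    return ''
}

$findings = @()

# 1. Does AutodialDLL point anywhere other than the stock helper DLL?
$dll = (Get-ItemProperty -Path $Key -Name AutodialDLL -ErrorAction SilentlyContinue).AutodialDLL
if ($dll) {
    $resolved = [Environment]::ExpandEnvironmentVariables($dll)
    if ($resolved -ine $Expected) {
        # A tampered value is the primary indicator; record whether the file is signed.
        $sig = if (Test-Path $resolved) { (Get-AuthenticodeSignature $resolved).Status } else { 'FileMissing' }
        $findings += [pscustomobject]@{
            Indicator = 'AutodialDLL'
            Detail    = "$resolved (signature: $sig)"
        }
    }
}

# 2. Scheduled tasks whose action runs PowerShell and references the key, a DLL,
#    or a DLL loader. The decoded -EncodedCommand text is appended before matching.
foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
    foreach ($action in $task.Actions) {
        $cmd = "$($action.Execute) $($action.Arguments)"
        if ($cmd -notmatch 'powershell|pwsh') { continue }
        $cmd += ' ' + (Get-DecodedCommand $action.Arguments)
        if ($cmd -match 'AutodialDLL|WinSock2\\Parameters|rundll32|\.dll') {
            $findings += [pscustomobject]@{
                Indicator = "ScheduledTask $($task.TaskPath)$($task.TaskName)"
                Detail    = $cmd.Trim()
            }
        }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize -Wrap
} else {
    'No AutodialDLL tampering or suspicious PowerShell scheduled tasks found.'
}
```

A non-default AutodialDLL value is the finding worth acting on; the `.dll` pattern in the task check is deliberately broad and will surface benign administrative tasks, so review those hits rather than alerting on them directly. Running the same two checks from a monitoring agent, or alerting on registry-write events for that value, turns the one-off hunt into continuous detection.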
Peach Sandstorm's FalseFont backdoor, used in attacks on the aerospace and defense sectors, is described as "highly targeted": it mimics legitimate human resources software and is delivered through a fake job recruitment process that tricks victims into installing it. Once installed, it presents a login interface impersonating an aerospace company and sends the credentials, educational history, and employment history the victim enters to a threat-actor-controlled C2 server in JSON format. The backdoor can also download and upload files, steal credentials, capture screenshots, terminate specific processes, run PowerShell commands, and update itself.
Taken together, the reporting highlights the evolving tradecraft and persistent threat posed by MuddyWater and related Iranian clusters against Israeli entities, and by Peach Sandstorm against the defense sector with backdoors like FalseFont.