Effective URL: https://www.deepinstinct.com/blog/muddyc2go-latest-c2-framework-used-by-iranian-apt-muddywater-spotted-in-israel
NOVEMBER 8, 2023



MUDDYC2GO – LATEST C2 FRAMEWORK USED BY IRANIAN APT MUDDYWATER SPOTTED IN ISRAEL

Simon Kenin, Threat Intelligence Researcher
Deep Instinct Threat Lab

The contents of this blog post were originally scheduled to be presented during
an upcoming cybersecurity conference. However, interest in this topic has
heightened due to the war in Israel and a suspected ongoing attack against
Israeli targets. As such, we have decided to publish the relevant findings from
the presentation now.

EXECUTIVE SUMMARY:

 * Deep Instinct’s Threat Research team has identified a previously unreported
   C2 framework suspected to be in use by MuddyWater
 * The C2 framework may have been in use by the MuddyWater group since at least
   2020
 * The framework’s web component is written in the Go programming language –
   hence the name we gave it: MuddyC2Go
 * MuddyWater seems to have stopped using PhonyC2 and is now using MuddyC2Go
   instead

BACKGROUND

In June 2023, we published a report about PhonyC2, a custom C2 framework used by
the MuddyWater APT group.

While analyzing previous PhonyC2 infrastructure, Deep Instinct uncovered
anomalies that indicated MuddyWater might be using an additional C2 framework.

At that time, we lacked sufficient evidence to support this claim. However,
after we published our PhonyC2 research, we observed that two IP addresses
previously related to MuddyWater, one of which had been hosting PhonyC2, had
switched to a different C2 framework that delivered a PowerShell payload.

This behavior heightened suspicions of a new C2 framework. However, without
observing the initial payload, those IP addresses could also have been internal
tests by MuddyWater before fully deploying the C2.

Recently, Deep Instinct observed similar C2 activity on a different cluster of
IP addresses that had not previously been associated with MuddyWater.

This new activity’s initial payload confirmed our assessment that this activity
is related to MuddyWater.

CURRENT MUDDYWATER ACTIVITY USING MUDDYC2GO

Previous research has shown typical MuddyWater TTPs include spear-phishing
emails containing archives or links to archives that include various legitimate
remote administration tools.

If the receiving target opens the file inside the archive, it installs a remote
administration tool that allows the attacker to execute additional tools and
malware, including MuddyWater’s PhonyC2.

Deep Instinct observed the following changes in recent activity:

 * The archives are now password protected. This is done to evade email security
   solutions that scan files inside archives without a password.

 * Instead of using a remote administration tool where an operator executes a
   PowerShell script to connect to MuddyWater’s C2, a new executable is now
   being sent. This executable contains an embedded PowerShell script that
   automatically connects to MuddyWater’s C2, eliminating the need for manual
   execution by the operator.

Let’s examine several examples of this new C2 framework.

JULY 2023 – ATTACK AGAINST JORDANIAN COMPANY

Deep Instinct identified an executable named “offtec.exe.” Offtec is also the
name of a Jordanian company.

When executed, it runs a PowerShell script which connects to a MuddyC2Go server
located at the IP address 45.150.64[.]239.

The executable was built using PowerGUI from Quest Software. This tool allows
the user to generate an executable that runs an embedded PowerShell script that
is provided by the user.

Figure 1: PowerGUI logo

After the initial contact with the C2, communication is switched to a dynamic
DNS address, “microsoftfice.ddns[.]net”.

The response from the C2 is again a PowerShell script; it loops every 10
seconds, polling the C2 for commands from the operator:

Figure 2: Part of the PowerShell code sent from the C2

SEPTEMBER 2023 – ATTACKS AGAINST AN IRAQI TELECOMMUNICATIONS PROVIDER

In September, Deep Instinct identified additional variants of executables
created with PowerGUI. The executables have been spread via password-protected
RAR archives.

The archives were uploaded from Iraq and their file name included the word
“Korek.”

Figure 3: KorekPro file on VT

Korek is an Iraqi-Kurdish mobile phone operator. MuddyWater targeted Korek in
2019.

In this attack, the C2 IP addresses and the dynamic DNS name were different:
ghostrider.serveirc[.]com.

OCTOBER 2023 – “SWORDS OF IRON” WAR

While Iranian involvement in the war is still being investigated, on October 11,
the fourth day of the war, Deep Instinct identified a scan of the MuddyC2Go URL
from Israel in VirusTotal.

Because the URL is unique and responded with PowerShell, it likely indicates
there was a recent attack against an Israeli target by MuddyWater. This is also
supported by our recent discovery of another active campaign from MuddyWater
against Israeli targets.

Deep Instinct could not identify an associated PowerGUI executable for this
attack, although there could have been a different initial access vector to the
attack that didn’t rely on social engineering.

The C2 IP address that was used this time is 94.131.109[.]65.

ATTRIBUTION

While investigating the PhonyC2 framework (written in Python) and its
infrastructure, Deep Instinct identified servers responding with a generic
“web.go” header. This header suggests MuddyWater is using a web application
written in the Go programming language.

In 2022, Mandiant reported that MuddyWater wrote malware using Go, showing they
are capable of using this language. However, the malware is “client-side,”
whereas the C2 framework is “server-side.” As such, they are likely unrelated.

Deep Instinct was able to find traces of a Go-based C2 framework used by
MuddyWater dating back to the beginning of 2020.

Deep Instinct identified 162.223.89[.]11 as the first IP address publicly
attributed to MuddyWater using MuddyC2Go.

Both SecureWorks and Talos reported a malicious Excel file
(63e404011aeabb964ce63f467be29d678d0576bddb72124d491ab5565e1044cf) in January
and February. When this file is opened, the malicious execution chain eventually
leads to the C2 server 162.223.89[.]11.

In May 2020, this IP address was observed using MuddyC2Go.

The IP address 109.201.140[.]103 has not been previously associated with
MuddyWater. However, multiple scans from January, including one from Egypt,
which aligns with MuddyWater’s interests and with the timeframe of the reports
above, contain unique URLs that are used by MuddyC2Go. Additionally, there is a
scan for a file named ssf.zip on this IP. Secure Sockets Funneling (SSF) was
mentioned in the SecureWorks report as a tool used by MuddyWater.

SSF is a tool that has been reported by multiple security vendors to be part of
MuddyWater’s arsenal.

In February 2022, CISA published indicators that signal MuddyWater activity,
including the IP address 164.132.237[.]65.

In March 2022, this address was observed to be a MuddyC2Go server. It was
previously associated with PowGoop.

In April 2022, the IP address 141.95.177[.]130 was observed hosting MuddyC2Go.
Additionally, the passive DNS of this IP resolved to jbf1.nc1310022a[.]biz, a
pattern that was already observed with PhonyC2 servers. A year later, in April
2023, Group-IB associated this IP address to MuddyWater via a specific ETag
header that was used in numerous MuddyWater servers.

In the same report, Group-IB identified an LNK file from October 2022 that was
communicating with the IP address 91.121.240[.]108. The responses from this IP
indicate that it was MuddyC2Go. In addition, the LNK file was inside an archive
named “request-for-service-no10102022.zip”. The naming convention is very
similar to the one MuddyWater used in their Syncro campaign.

Both Group-IB and Deep Instinct have linked the IP address 137.74.131[.]18 to
MuddyWater. Deep Instinct initially observed PhonyC2 at this address, and after
our publication, MuddyWater switched to MuddyC2Go on this IP address.
Additionally, the IP address 137.74.131[.]20, which was previously reported by
Group-IB, also started to host MuddyC2Go.

CONCLUSION

Due to the leak of PhonyC2 source code, MuddyWater stopped using the framework
and switched to using a Go-based C2 framework. Since the actual source code of
the new framework is not available, the full capabilities are unknown. However,
based on past leaks and associated known activity, this is another framework
that generates PowerShell payloads that MuddyWater uses in the “Actions on
Objectives” phase in the “Cyber Kill Chain.” PowerShell has always been the
bread and butter of MuddyWater operations.

We recommend disabling PowerShell if it is not needed. If it is enabled, we
recommend close monitoring of PowerShell activity.
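The post describes the MuddyC2Go payload as a PowerShell loop that polls the C2 every 10 seconds after switching to a dynamic DNS name. The script below is an added example (not Deep Instinct code) of the kind of monitoring the recommendation above calls for: it runs a cadence heuristic over constructed proxy log lines and flags clients that contact a dynamic-DNS host at a near-fixed interval. Client IPs, hostnames, paths and timestamps are constructed; only the dynamic-DNS suffixes are taken from the post's indicators.

```python
# Added example (not from the Deep Instinct post): a beacon heuristic over
# constructed proxy log lines. It flags a client that contacts a dynamic-DNS
# host at a near-fixed interval, matching the post's description of a
# PowerShell loop polling its C2 every 10 seconds. All log values are constructed.
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Dynamic-DNS suffixes named in the post's indicators.
DYNDNS_SUFFIXES = ("ddns.net", "serveirc.com", "hopto.org")

# Constructed proxy log: "<timestamp> <client> <host> <method> <path>"
SAMPLE_LOG = """\
2023-10-11T09:00:00 10.0.0.5 update.example-cdn.test GET /a.js
2023-10-11T09:00:00 10.0.0.7 svc-update.ddns.net POST /x
2023-10-11T09:00:10 10.0.0.7 svc-update.ddns.net POST /x
2023-10-11T09:00:21 10.0.0.7 svc-update.ddns.net POST /x
2023-10-11T09:00:31 10.0.0.7 svc-update.ddns.net POST /x
2023-10-11T09:00:42 10.0.0.7 svc-update.ddns.net POST /x
2023-10-11T09:00:05 10.0.0.9 photos.hopto.org GET /img
2023-10-11T09:07:42 10.0.0.9 photos.hopto.org GET /img
2023-10-11T09:30:01 10.0.0.9 photos.hopto.org GET /img
2023-10-11T09:31:15 10.0.0.9 photos.hopto.org GET /img
"""

def is_dyndns(host: str) -> bool:
    return any(host == s or host.endswith("." + s) for s in DYNDNS_SUFFIXES)

def find_beacons(log: str, min_hits: int = 4, max_jitter: float = 2.0) -> dict:
    """Return {(client, host): mean_gap_seconds} for dynamic-DNS hosts
    contacted at least min_hits times with a low-jitter cadence."""
    seen = defaultdict(list)
    for line in log.splitlines():
        ts, client, host, *_ = line.split()
        if is_dyndns(host):
            seen[(client, host)].append(datetime.fromisoformat(ts))
    beacons = {}
    for key, stamps in seen.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        # A scripted sleep loop keeps the cadence jitter (pstdev) small;
        # irregular human traffic to a dynamic-DNS host is not flagged.
        if pstdev(gaps) <= max_jitter:
            beacons[key] = mean(gaps)
    return beacons

if __name__ == "__main__":
    for (c, h), gap in find_beacons(SAMPLE_LOG).items():
        print(f"{c} -> {h}: ~{gap:.1f}s cadence, review for C2 beaconing")
```

The thresholds are starting points; tune min_hits and max_jitter against your own proxy or DNS telemetry, and pair this with PowerShell script block logging so the flagged host can be tied back to the process that produced the traffic.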

While it is not trivial to fingerprint the MuddyC2Go framework, as it looks like
any other generic web application written in Go, Deep Instinct managed to
identify previous attacks dating back to 2020 due to unique URL patterns
generated by the framework.

Currently, Deep Instinct has identified all known active MuddyC2Go servers
hosted at “Stark Industries,” a VPS provider known to host malicious activity.
Deep Instinct identified additional suspected MuddyC2Go servers hosted at Stark
Industries without any malicious activity or known URL pattern.

Additional IOCs and information regarding Iranian Threat Actors can be found in
our Git.

