Iranian nation-state actors have been observed using a previously undocumented command-and-control (C2) framework called MuddyC2Go as part of attacks targeting Israel.
“The framework’s web component is written in the Go programming language,” Deep Instinct security researcher Simon Kenin said in a technical report published Wednesday.
The tool has been attributed to MuddyWater, an Iranian state-sponsored hacking crew that’s affiliated to the country’s Ministry of Intelligence and Security (MOIS).
The cybersecurity firm said the C2 framework may have been put to use by the threat actor since early 2020, with recent attacks leveraging it in place of PhonyC2, another custom C2 platform from MuddyWater that came to light in June 2023 and has had its source code leaked.
Typical attack sequences observed over the years have involved sending spear-phishing emails bearing malware-laced archives or bogus links that lead to the deployment of legitimate remote administration tools.
The installation of the remote administration software paves the way for the delivery of additional payloads, including PhonyC2.
MuddyWater’s modus operandi has since received a facelift, using password-protected archives to evade email security solutions and distributing an executable instead of a remote administration tool.
“This executable contains an embedded PowerShell script that automatically connects to MuddyWater’s C2, eliminating the need for manual execution by the operator,” Kenin explained.
The MuddyC2Go server, in return, sends a PowerShell script, which runs every 10 seconds and waits for further commands from the operator.
While the full extent of MuddyC2Go’s features are unknown, it’s suspected to be a framework that’s responsible for generating PowerShell payloads in order to conduct post-exploitation activities.
“We recommend disabling PowerShell if it is not needed,” Kenin said. “If it is enabled, we recommend close monitoring of PowerShell activity.”