Threat Intelligence

MuddyWater attacks against Israel involve novel C2 framework

Attacks by the Iranian state-backed threat operation MuddyWater against Israel have used the new MuddyC2Go command-and-control framework, which replaced the group's custom PhonyC2 platform after that platform's source code was exposed, The Hacker News reports. MuddyWater still begins its intrusions with spearphishing emails, but according to a Deep Instinct report the group has shifted from delivering a remote administration tool to delivering a password-protected archive containing an executable; that executable includes a PowerShell script that connects automatically to the MuddyC2Go server. Because the connection is automatic, no manual execution by an operator is needed; MuddyC2Go then delivers a PowerShell script to the host and waits for additional commands, said researcher Simon Kenin. The findings suggest that MuddyC2Go may be used to issue PowerShell payloads that facilitate further system compromise. "We recommend disabling PowerShell if it is not needed. If it is enabled, we recommend close monitoring of PowerShell activity," Kenin added.
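The monitoring Kenin recommends starts with PowerShell's own logging. The following is an added example, not code from the article or from Deep Instinct: it turns on script block and module logging through the standard Windows policy registry keys and then reviews recent script block events (ID 4104) for download-and-decode behaviour, the kind of activity an auto-executing stager like the one described above would produce. It assumes an elevated session on a host where the PowerShell operational log is enabled; the regex terms are an illustrative starting point, not indicators from the report.

```powershell
# Added example (not from the SC Media article or the Deep Instinct report).
# 1. Enable script block and module logging via the policy keys (elevated session).
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
New-Item -Path "$base\ScriptBlockLogging" -Force | Out-Null
Set-ItemProperty -Path "$base\ScriptBlockLogging" -Name EnableScriptBlockLogging -Value 1 -Type DWord
New-Item -Path "$base\ModuleLogging" -Force | Out-Null
Set-ItemProperty -Path "$base\ModuleLogging" -Name EnableModuleLogging -Value 1 -Type DWord
New-Item -Path "$base\ModuleLogging\ModuleNames" -Force | Out-Null
Set-ItemProperty -Path "$base\ModuleLogging\ModuleNames" -Name '*' -Value '*'

# 2. Review script blocks logged in the last 24 hours. Event 4104 carries the
#    script text in property index 2 and the script path (if any) in index 4.
#    The pattern below is an illustrative assumption, not an indicator from the report.
$since   = (Get-Date).AddHours(-24)
$pattern = 'Net\.WebClient|Invoke-WebRequest|DownloadString|FromBase64String|-EncodedCommand'
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-PowerShell/Operational'
    Id        = 4104
    StartTime = $since
} -ErrorAction SilentlyContinue |
ForEach-Object {
    $text = [string]$_.Properties[2].Value
    if ($text -match $pattern) {
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Path    = $_.Properties[4].Value   # empty for interactive or in-memory blocks
            Snippet = $text.Substring(0, [Math]::Min(200, $text.Length))
        }
    }
} | Format-Table -AutoSize
```

Hits with an empty Path deserve first attention, since a script dropped in memory by a launcher leaves no file to find on disk.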
