Threats Feed | MuddyWater | Last Updated: 15/08/2023 | Author: Certfa Radar | Publish Date: 29/06/2023

MuddyWater Upgrades: The Emergence of PhonyC2 Framework

  • Actor Motivations: Espionage, Exfiltration
  • Attack Vectors: Vulnerability Exploitation, Backdoor, Malware, Ransomware
  • Attack Complexity: High
  • Threat Risk: High Impact/High Probability

Threat Overview

Deep Instinct's research team has uncovered a new Command and Control (C2) framework named PhonyC2, which is believed to be linked to the threat group MuddyWater. The framework was found on a server connected to infrastructure previously used by MuddyWater in various cyberattacks, including the attack on Technion in Israel. This suggests PhonyC2 is MuddyWater's latest tool for orchestrating cyber espionage, and it is being used in active exploitation of PaperCut. Code analysis revealed structural and functional similarities to MuddyWater's previous C2 framework (MuddyC3), reinforcing the attribution.

Detected Targets

Type | Description | Confidence
Case | PaperCut: print management software that provides a centralized tool for IT managers and system administrators to enable, monitor, and track printing for their organization. PaperCut has been targeted by MuddyWater for abuse. | Verified
Case | Technion Institute: the Technion – Israel Institute of Technology is a public research university located in Haifa, Israel. Established in 1912, it is the oldest university in the country and was MuddyWater's main target. | Verified
Sector | High-Tech | High
Sector | Healthcare | High
Sector | Scientific Research | High
Region | Israel | Verified

Extracted IOCs


Tip: 56 IOCs related to this threat have been found (27 IP, 19 domain, 0 URL, 0 email, 10 file hash).

Overlaps

Unknown | State-Sponsored Cyberattacks Target Israeli Academia and Government Sectors

Source: Israel National Cyber Directorate - March 2024

Detection (one case): 137[.]74.131.18

MuddyWater | MuddyWater's Shift to MuddyC2Go Framework Targets Jordan, Iraq, and Israel

Source: Deep Instinct - November 2023

Detection (two cases): 137[.]74.131.18, qjk2.6nc051221c[.]co

MuddyWater | MuddyWater APT Uses Legitimate Remote Management Tool for Persistence

Source: Group-IB - April 2023

Detection (seven cases): 137[.]74.131.16, 137[.]74.131.18, 137[.]74.131.24, 137[.]74.131.30, 178[.]32.30.3, 51[.]255.19.178, 91[.]121.240.104

Mercury | MERCURY and DEV-1084's Destructive Cyber Operations Against Cloud and On-Premises Environments

Source: Microsoft - April 2023

Detection (three cases): 194[.]61.121.86, 45[.]86.230.20, 46[.]249.35.243

Mercury | MERCURY Turns to SysAid Applications for Targeted Cyberattacks in Israel

Source: Microsoft - August 2022

Detection (one case): 91[.]121.240.104

ENT-11 | ENT-11: Iranian APT Group's PowGoop Attacks Uncovered

Source: NTT Security - May 2022

Detection (two cases): 164[.]132.237.79, 51[.]255.19.178

MuddyWater | MuddyWater's Strategic Cyber Campaigns Across Turkey, Armenia, and Pakistan

Source: Cisco Talos - March 2022

Detection (one case): 178[.]32.30.3

MuddyWater | MuddyWater: Iranian APT Group Targets Global Networks Across Multiple Sectors

Source: CISA - February 2022

Detection (one case): 87[.]236.212.22

MuddyWater | Evolving Threat: MuddyWater APT's Multi-National Cyber Espionage Activities

Source: Cisco Talos - January 2022

Detection (one case): 137[.]74.131.16

Hint: Overlaps are extracted automatically by examining the IOCs associated with all indexed threats and actors.