Command-and-control framework PhonyC2 attributed to Iran’s Muddywater group

A previously unseen command-and-control (C2) framework called PhonyC2 has been attributed to the Iranian state-sponsored group MuddyWater. 

The custom-made, and continuously developing PhonyC2 was used by the threat actor to exploit the log4j vulnerability in the Israeli SysAid software, the attack against Technion, an Israeli institution, and the ongoing attack against the PaperCut print management software, according to a report by Deep Instinct. 

"At the beginning of May 2023, Microsoft's Twitter post mentioned they had observed MuddyWater exploiting CVE-2023-27350 in the PaperCut print management software," Deep Instinct said in its report, adding that while Microsoft did not share any new indicators, they noted that MuddyWater was using tools from prior intrusions to connect to their C2 infrastructure and referenced their blog on the Technion hack, which the researchers already established was using PhonyC2.

"About the same time, Sophos published indicators from various PaperCut intrusions they have seen. Deep Instinct found that two IP addresses from those intrusions are PhonyC2 servers based on URL patterns," Deep Instinct said. 

MuddyWater has been active since 2017 and is generally believed to be a subordinate unit within Iran's Ministry of Intelligence and Security. Its top targets include Turkey, Pakistan, the UAE, Iraq, Israel, Saudi Arabia, Jordan, the US, Azerbaijan, and Afghanistan. The group primarily conducts cyberespionage activities and intellectual property (IP) theft attacks; on some occasions, they have deployed ransomware on targets.

Custom-made PhonyC2

Three malicious PowerShell scripts that were a part of the archive of PhonyC2_v6.zip were identified in April by Deep Instinct.

"The filename piqued our interest and we set out to discover if it was a known C2 framework. After a quick investigation, it was revealed that the C2 framework was found by Sicehice in a server with an open directory listing," Deep Instinct said in the report. 

Sicehice is an organization that automates the collection of cyberthreat intelligence from over 30 sources and enables users to search against the collected IPs.

The PhonyC2 written in Python3 has been active since 2021. It is structurally and functionally similar to MuddyC3, a previous MuddyWater custom C2 framework written in Python 2.

"This C2 is a post-exploitation framework used to generate various payloads that connect back to the C2 and wait for instructions from the operator to conduct the final step of the 'Intrusion Kill Chain'," Deep Instinct said.

Attributing PhonyC2 to MuddyWater

Analysis of the code showed that it used Ligolo, tunneling tool-bore, and open source tool FRP, all of which have been previously used by MuddyWater.  

Additionally, it had IP addresses that the threat actor used. Both addresses are mentioned as C2 servers in the report Microsoft published about their findings from the Technion attack, which they attributed to MuddyWater. 

"The combination of the presence of known MuddyWater tools on the server and the fact that the threat actor communicated with two IP addresses known to be used by MuddyWater raised suspicion that PhonyC2 is a framework used by MuddyWater," Deep Instinct, warning that MuddyWater is continuously updating the C2 and changing TTPs to avoid detection.

In April, Microsoft detected destructive operations enabled by MuddyWater in both on-premises and cloud environments. Previous attacks by MuddyWater mainly impacted on-premises environments. However, in this case, Microsoft found the destruction of cloud resources as well.