MuddyWater's Campaign Focuses on Telecom Sector in Three African Nations

The Iranian espionage group MuddyWater, also known as Seedworm, has been actively targeting telecommunications companies in Egypt, Sudan, and Tanzania.  Symantec's Threat Hunter team reported that this campaign, occurring in November 2023, represents a significant expansion of MuddyWater's activities beyond their traditional focus in the Middle East. Symantec also suggests that these recent operations may be linked to the ongoing conflict between Israel and Hamas, especially considering Egypt's strategic role in the region.

MuddyWater's attack chain is complex and multifaceted, employing a range of tools including PowerShell, scheduled tasks, WMIExec, SOCKS5 proxy tool - Revsocks, and remote access software like SimpleHelp and AnyDesk. The campaign prominently featured the MuddyC2Go infrastructure, first identified by Deep Instinct in July 2023 during an attack on a Jordan-based organization. Building upon Deep Instinct's findings, Symantec discovered a MuddyC2Go PowerShell launcher, sideloaded through a legitimate Java executable, jabswitch.exe. This launcher represents a shift to a newer command-and-control infrastructure, replacing their earlier PhonyC2 setup.

Evasion techniques employed by the threat group included the use of benign variables at the beginning of their PowerShell code in effort "to bypass detection by security software, as they are unused and not relevant," Symantec reports. The attackers' use of Impacket's WMIExec tool was deduced from specific command patterns observed during the attacks. In addition, MuddyWater utilized Venom Proxy, a publicly available multi-hop proxy tool, and a custom keylogger for their operations. They also leveraged the SimpleHelp remote access tool, which facilitated persistent access to victim machines and enabled execution of commands with administrative privileges.

An earlier attack referenced by Symantec revealed a more extensive range of malicious activities made possible through SimpleHelp. These activities included launching PowerShell, setting up proxy tools, compromising SAM registry hives, gathering drive information via WMI, and downloading various payloads. The use of tools such as AnyDesk, Windows Scripting Files (WSF), SimpleHelp, and Venom Proxy has been consistently associated with MuddyWater, forming a recognized part of their toolset.

The focus on telecommunications entities aligns with MuddyWater's historical interest in cyberespionage, with their tactics reflecting a strategy to remain undetected on networks for extended periods. The use of living-off-the-land and publicly available tools, combined with custom-developed utilities, underscores the group's adaptability and continued innovation in their cyberespionage efforts.