MuddyWater’s New Tool: Threat to Global Supply Chains

Recently, details emerged about a new cyberattack tool developed by the Iranian hacker group MuddyWater, also known as Boggy Serpens, Mango Sandstorm, and TA450. Affiliated with Iran’s Ministry of Intelligence and Security, the group recently integrated a new command-and-control infrastructure, “DarkBeatC2,” into its operations, the latest addition to its arsenal after tools such as SimpleHarm and MuddyC2Go.

According to Simon Kenin, a researcher at Deep Instinct, MuddyWater’s methodology remains consistent despite periodic changes in its remote administration tools and control frameworks.

Since 2017, the group has actively used specially crafted phishing attacks to deploy various remote monitoring and management (RMM) solutions on compromised systems. Its operations have had severe consequences, including destructive attacks on Israeli targets carried out by other Iran-associated groups.

One of the latest malicious campaigns identified by researchers involved phishing emails carrying malicious URLs. In this attack, the hackers sent from a compromised account belonging to an Israeli educational institution, lending the sender an appearance of legitimacy and trustworthiness.

In addition to using the new DarkBeatC2 domain, the group has begun employing more sophisticated methods to manage infected systems, including PowerShell scripts and mechanisms for loading malicious libraries (DLLs) via the Windows registry.

Researchers from Palo Alto Networks noted that, to establish persistence, MuddyWater creates scheduled tasks in the Windows Task Scheduler; the malware is then executed directly through DLL sideloading and subsequently connects to the DarkBeatC2 domain.
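The persistence chain described above (scheduled task → DLL sideload → C2 callback) gives defenders a concrete place to hunt. The following PowerShell script is an added example, not code from the article or from Deep Instinct or Palo Alto Networks: it lists scheduled tasks whose action launches a DLL through rundll32 or regsvr32 and flags any whose DLL lives outside %SystemRoot%, a common sideload pattern. The loader list and the "outside the Windows directory" heuristic are assumptions to tune for your environment.

```powershell
# Added hunting example (assumptions: rundll32/regsvr32 as loaders, %SystemRoot% as the
# "trusted" location). Run in an elevated session to see tasks of all principals.
$windowsDir = $env:SystemRoot.ToLowerInvariant()
$loaders    = @('rundll32.exe', 'regsvr32.exe')

Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        # Skip non-executable actions (COM handlers, e-mail/message actions)
        if (-not $action.Execute) { continue }

        $exe    = [System.IO.Path]::GetFileName($action.Execute.Trim('"')).ToLowerInvariant()
        $argStr = [string]$action.Arguments
        # Only keep tasks that hand a DLL to a known loader binary
        if ($loaders -notcontains $exe -or $argStr -notmatch '\.dll') { continue }

        # Pull the first DLL path out of the argument string and check where it lives
        $dll = ([regex]::Match($argStr, '"?([^"\s]+\.dll)"?', 'IgnoreCase')).Groups[1].Value
        $outsideWindows = [bool]$dll -and
                          ($dll -match '^[A-Za-z]:\\') -and
                          -not $dll.ToLowerInvariant().StartsWith($windowsDir)

        [pscustomobject]@{
            TaskPath       = $task.TaskPath
            TaskName       = $task.TaskName
            RunsAs         = $task.Principal.UserId
            Loader         = $exe
            Dll            = $dll
            OutsideWindows = $outsideWindows   # $true = sideload candidate, review first
        }
    }
} | Sort-Object OutsideWindows -Descending | Format-Table -AutoSize
```

Cross-check any hit against the task's creation time, the DLL's signature and the process's outbound DNS/HTTP activity before treating it as malicious; legitimate software also registers rundll32-based tasks.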

It was also revealed late last month that, after penetrating a target network, MuddyWater actively uses legitimate software on compromised hosts instead of malware in order to delay detection.

Despite continual changes in tactics and tools, groups like MuddyWater continue to pose a significant threat to the security of hundreds of organizations. Employee awareness and vigilance, together with continuous improvement of defensive measures, remain an effective barrier against such attackers.