
Novel C2 tool leveraged in latest MuddyWater attacks


Iranian state-backed threat operation MuddyWater, also known as TA450, Mango Sandstorm, and Boggy Sandstorm, leveraged the novel DarkBeatC2 command-and-control infrastructure tool as part of its latest attack campaign, The Hacker News reports.

The intrusions used a compromised email account belonging to the Israeli educational institution Kinneratacil to deliver spearphishing emails containing Egnyte-hosted attachments that deployed the Atera Agent software, according to a report from Deep Instinct.

Kinneratacil was breached following an attack by Lord Nemesis, also known as TunnelVision and Nemesis Kitten, against its third-party provider Rashim, indicating that other Rashim customers could also have been subjected to a similar campaign. DarkBeatC2, meanwhile, was used by MuddyWater to manage infected endpoints, establishing a C2 connection through which additional PowerShell scripts were retrieved.

"While occasionally switching to a new remote administration tool or changing their C2 framework, MuddyWater's methods remain constant," said researcher Simon Kenin.

Such a development follows a report from Palo Alto Networks Unit 42 detailing aerospace and defense-targeted attacks by Iranian state-sponsored group APT33, also known as Peach Sandstorm, Elfin, Refined Kitten, and Curious Serpens, distributing the FalseFont backdoor.
