Iranian State-Linked Hackers Employ MuddyC2Go in Cyber Espionage Targeting Telecommunications Across Africa

By Sharique

The Iranian state-affiliated group known as MuddyWater has utilized a recently identified command-and-control framework named MuddyC2Go in targeting the telecommunications sector in Egypt, Sudan, and Tanzania. Tracked by Symantec under the alias Seedworm, this cyber espionage group, associated with Iran’s Ministry of Intelligence and Security (MOIS), has been active since at least 2017.

MuddyC2Go, described as a Golang-based replacement for PhonyC2, has been employed in attacks as early as 2020. While the full capabilities of MuddyC2Go are not yet known, it includes a PowerShell script that automatically connects to Seedworm’s C2 server, providing remote access to the victim system without requiring manual execution.

In the November 2023 intrusions, the group used SimpleHelp and Venom Proxy, along with a custom keylogger and publicly available tools. The attack chains typically involve weaponizing phishing emails and exploiting known vulnerabilities for initial access, followed by reconnaissance, lateral movement, and data collection.

Symantec’s documentation of attacks on an unnamed telecommunications organization revealed the use of the MuddyC2Go launcher to establish contact with an actor-controlled server. Legitimate remote access software such as AnyDesk and SimpleHelp was also deployed. The group, known for innovation, utilizes a combination of customized, living-off-the-land, and publicly available tools to evade detection and meet its strategic objectives.

In a separate development, an Israel-linked group called Gonjeshke Darande claimed responsibility for a cyber attack disrupting gas pumps in Iran. Reemerging in October 2023 after a year of silence, the group is associated with the Israeli Military Intelligence Directorate and has conducted destructive attacks in Iran.

The cyber assault coincides with an advisory from the Israel National Cyber Directorate accusing Iran and Hezbollah of attempting to disrupt Ziv Hospital. The attack, attributed to the threat actors Agrius and Lebanese Cedar, allegedly involved the Iranian Ministry of Intelligence and Hezbollah’s ‘Lebanese Cedar’ cyber units, under the leadership of Mohammad Ali Merhi.