Attacks by the Iranian state-backed threat group MuddyWater, also known as Mango Sandstorm and Mercury, against the Israeli research institute Technion and against PaperCut servers have used the PhonyC2 post-exploitation command-and-control framework, according to The Hacker News.
While PhonyC2 has similarities with MuddyWater's earlier MuddyC3 framework, the attackers have continuously updated the new framework and their tactics, techniques, and procedures, a report from Deep Instinct revealed. Attackers have used PhonyC2 to "generate various payloads that connect back to the C2 and wait for instructions from the operator to conduct the final step of the 'intrusion kill chain,'" said researcher Simon Kenin. However, the PowerShell payloads can only run once initial access to the targeted machines has been obtained, noted Deep Instinct Threat Research Team Leader Mark Vaitzman. "Some of the generated payloads connect back to the operator C2 to allow persistence," added Vaitzman, who also cited MuddyWater's use of other C2 frameworks in attacks.
Microsoft Entra, Microsoft Sentinel, Azure Logic Apps, Azure Monitor, Azure Healthcare APIs, Azure Trusted Signing, Azure Virtual Desktop, and Power Platform were affected by varying degrees of log disruption, according to Microsoft.
The attacks displayed fraudulent Google Meet popup alerts that delivered the StealC or Rhadamanthys infostealers to Windows users and the AMOS Stealer payload to macOS users, according to a Sekoia analysis.
RomCom has used spear-phishing messages to distribute the MeltingClaw and RustyClaw downloaders, which deliver the ShadyHammock and DustyHammock backdoors, respectively, with the latter in turn delivering the SingleCamper trojan.