A previously unseen command-and-control (C2) framework called PhonyC2 has been attributed to the Iranian state-sponsored group MuddyWater.

The custom-made and continuously developing PhonyC2 was used by the threat actor in the exploitation of the log4j vulnerability in the Israeli SysAid software, in the attack against Technion, an Israeli institution, and in the ongoing attacks against the PaperCut print management software, according to a report by Deep Instinct.

“At the beginning of May 2023, Microsoft’s Twitter post mentioned they had observed MuddyWater exploiting CVE-2023-27350 in the PaperCut print management software,” Deep Instinct said in its report. While Microsoft did not share any new indicators, it noted that MuddyWater was using tools from prior intrusions to connect to its C2 infrastructure and referenced its blog on the Technion hack, which the researchers had already established was using PhonyC2.

“About the same time, Sophos published indicators from various PaperCut intrusions they have seen. Deep Instinct found that two IP addresses from those intrusions are PhonyC2 servers based on URL patterns,” Deep Instinct said.

MuddyWater has been active since 2017 and is generally believed to be a subordinate unit within Iran’s Ministry of Intelligence and Security. Its top targets include Turkey, Pakistan, the UAE, Iraq, Israel, Saudi Arabia, Jordan, the US, Azerbaijan, and Afghanistan. The group primarily conducts cyberespionage and intellectual property (IP) theft; on some occasions it has deployed ransomware on targets.

Custom-made PhonyC2

In April, Deep Instinct identified three malicious PowerShell scripts that were part of an archive named PhonyC2_v6.zip.

“The filename piqued our interest and we set out to discover if it was a known C2 framework. After a quick investigation, it was revealed that the C2 framework was found by Sicehice in a server with an open directory listing,” Deep Instinct said in the report.

Sicehice is an organization that automates the collection of cyberthreat intelligence from over 30 sources and enables users to search against the collected IPs.

PhonyC2, written in Python 3, has been active since 2021. It is structurally and functionally similar to MuddyC3, a previous MuddyWater custom C2 framework written in Python 2.

“This C2 is a post-exploitation framework used to generate various payloads that connect back to the C2 and wait for instructions from the operator to conduct the final step of the ‘Intrusion Kill Chain’,” Deep Instinct said.

Attributing PhonyC2 to MuddyWater

Analysis of the code showed that it used Ligolo, the tunneling tool bore, and the open source tool FRP, all of which have previously been used by MuddyWater.

Additionally, it contained IP addresses that the threat actor had used. Both addresses are mentioned as C2 servers in the report Microsoft published about its findings from the Technion attack, which it attributed to MuddyWater.

“The combination of the presence of known MuddyWater tools on the server and the fact that the threat actor communicated with two IP addresses known to be used by MuddyWater raised suspicion that PhonyC2 is a framework used by MuddyWater,” Deep Instinct said, warning that MuddyWater is continuously updating the C2 and changing its TTPs to avoid detection.

In April, Microsoft detected destructive operations enabled by MuddyWater in both on-premises and cloud environments. Previous attacks by MuddyWater mainly impacted on-premises environments; in this case, however, Microsoft found that cloud resources had been destroyed as well.