MuddyWater's DarkBeatC2 infrastructure plays a crucial role in managing infected endpoints, utilizing PowerShell code to establish contact with the C2 server after gaining initial access. The group employs various techniques, including abusing the Windows Registry's AutodialDLL function and DLL side-loading to establish persistence and execute malicious payloads. These methods are observed in cyber attacks targeting entities in the Middle East, indicating the threat actor's continued activity in the region.

In addition to MuddyWater, another Iranian threat actor known as Peach Sandstorm (aka APT33, Curious Serpens, Elfin, and Refined Kitten) has been identified using a backdoor called FalseFont in attacks against the aerospace and defense sectors. FalseFont masquerades as legitimate human resources software, tricking victims into installing the backdoor through a fake job recruitment process. Once installed, FalseFont captures credentials and system metadata, allowing threat actors to execute commands and gather sensitive information.

The emergence of new tools and techniques used by Iranian threat actors underscores the evolving nature of cyber threats and the need for robust cybersecurity measures. Organizations must remain vigilant against spear-phishing attacks and regularly update their security protocols to defend against sophisticated adversaries like MuddyWater and Peach Sandstorm. Collaboration between security researchers and industry partners is essential to uncovering and mitigating emerging cyber threats effectively.

Impact

• Unauthorized Access
• Credential Theft
• Command Execution
• Sensitive Data Theft

Indicators of Compromise

Domain Name

• websiteapicloud.com
• googlelinks.net
• googlevalues.com
• google-word.com
• webapicloud.com
• security-onedrive.com
• webftpcloud.com
• websiteftpcloud.com
• softwaree-cloud.com
• domainsoftcloud.com
• microsoft-corp.com
• asure-onlinee.com
• googleonlinee.com

MD5

• 353b4643ec51ecff7206175d930b0713
• 3dd1f91f89dc70e90f7bc001ed50c9e7
• bede9522ff7d2bf7daff04392659b8a8
• 32bfe46efceae5813b75b40852fde3c2
• b7d15723d7ef47497c6efb270065ed84

SHA-256

• 60c387d9d52c98de5c5d8453f64a6541ec4db645f6709d1fe51903182943438c
• d7588487206137cbdc95d990bc5266af6a0538653862665534c14bb8f56b76c6
• c7e525b8125265b507e3fb9b8f0b7d9b93de574ad31b272ccf1e82e9b73ec721
• 536b0427ac9c74704594f0c406ccc303f6e04f0e68f24522b31cfe6543e44449
• aef4d98dcdeda987e6f49c5e8be47385f750d24176619851ad38534f26ad5267

SHA-1

• a6e728c3331f46763f643f7192959716034767e5
• a173803357133cc5d61b8b31825b2938808e7850
• b9a01912e0f91d6040c934c68f4c708d4611fa0d
• a63c56b6e7ca1d11e52a786a6ada658bad4f0cf2
• 9662c1912d21a29eb02c92936e57681ce0d5fc0f

Remediation

• Block all threat indicators at your respective controls.
• Search for Indicators of compromise (IOCs) in your environment utilizing your respective security controls.
• Passwords – Ensure that general security policies are employed including implementing strong passwords, correct configurations, and proper administration security policies.
• Admin Access – limit access to administrative accounts and portals to only relevant personnel and make sure they are not publicly accessible.
• Patch and upgrade any platforms and software timely and make it into a standard security policy. Prioritize patching known exploited vulnerabilities and zero-days.
• Enable antivirus and anti-malware software and update signature definitions on time. Using multi-layered protection is necessary to secure vulnerable assets.