Key points
- MuddyWater is using a previously unreported Go-based C2 framework called MuddyC2Go, observed since 2020.
- Initial access commonly via spear-phishing with password-protected archives containing executables generated by PowerGUI.
- Delivered executables embed PowerShell scripts that automatically connect to MuddyC2Go C2 servers (e.g., 45.150.64[.]239, 162.223.89[.]11, 94.131.109[.]65).
- C2 communications use web protocols, dynamic DNS (e.g., microsoftfice.ddns[.]net, ghostrider.serveirc[.]com), and return PowerShell payloads that poll every 10 seconds for operator commands.
- Deep Instinct linked multiple IPs and unique URL patterns to MuddyC2Go, and noted hosting on a VPS provider referred to as “Stark Industries.”
- PowerShell remains the primary execution mechanism; recommendation is to disable or closely monitor PowerShell where possible.
MITRE Techniques
- [T1566.001] Spearphishing Attachment – Delivery via spear-phishing with archives: ‘spear-phishing emails containing archives or links to archives that include various legitimate remote administration tools.’
- [T1027] Obfuscated Files or Information – Use of password-protected archives to evade scanning: ‘The archives are now password protected. This is done to evade email security solutions that scan files inside archives without a password.’
- [T1105] Ingress Tool Transfer – Transfer/delivery of executables built with a packaging tool: ‘executables created with PowerGUI. The executables have been spread via password-protected RAR archives.’
- [T1059.001] Command and Scripting Interpreter: PowerShell – Execution of embedded PowerShell that contacts C2: ‘it runs a PowerShell script which connects to a MuddyC2Go server located at the IP address 45.150.64[.]239.’
- [T1071.001] Application Layer Protocol: Web Protocols – C2 over HTTP(S)/web with dynamic DNS fallback: ‘communication is switched to dynamic DNS using the address “microsoftfice.ddns[.]net”’.
- [T1033] System Owner/User Discovery (periodic polling) – Agent polls C2 for commands: ‘The response from the C2 is again a PowerShell script that runs every 10 seconds and waits for commands from the operator using the C2:’
Indicators of Compromise
- [IP Address] MuddyC2Go servers and observed C2s – 45.150.64[.]239, 162.223.89[.]11, and other hosts (e.g., 94.131.109[.]65, 137.74.131[.]18).
- [Domain] Dynamic DNS / C2 domains – microsoftfice.ddns[.]net, ghostrider.serveirc[.]com.
- [File Name] Delivered artifacts – offtec.exe, ssf.zip (mentioned in scans) and password-protected archives like KorekPro.rar.
- [MD5] Example hashes of PowerShell responses and artifacts – db0e68d7d81f5c21e6e458445fd6e34b (offtec.exe), feede05ba166a3c8668fe580a3399d8f (Performance.rar), and many other hashes (20+ additional hashes listed in original).
Deep technical summary:
MuddyWater has shifted to a Go-based server-side C2 framework (MuddyC2Go) that serves PowerShell payloads. Initial access observed in recent campaigns uses spear-phishing archives (now password-protected to evade scanners) containing executables built with PowerGUI; each executable embeds a PowerShell script that autonomously connects to a MuddyC2Go server (examples observed: 45.150.64[.]239, 162.223.89[.]11) and then often switches communications to dynamic DNS hostnames such as microsoftfice.ddns[.]net or ghostrider.serveirc[.]com.
Once connected, the C2 returns PowerShell code that executes on the endpoint, polling on a short interval (observed every 10 seconds) to receive operator commands. The framework behaves like a generic Go web application (identified by a ‘web.go’ header) and generates unique URL patterns that enabled retrospective linkage to MuddyC2Go servers dating back to 2020; ancillary tools like SSF have also been observed in related chains.
Detection and response should focus on blocking/monitoring known C2 IPs/domains, detecting PowerGUI-created executables and embedded PowerShell activity, scanning for password-protected archive deliveries in email, and restricting or closely monitoring PowerShell execution (or disabling it where not required).
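As an added example (not part of the original report), the following Python script turns the two detection points above into log analytics: it matches proxy destinations against the report's defanged indicators and flags the fixed ~10-second polling cadence the MuddyC2Go PowerShell payload exhibits. The log format and all hosts under 10.0.0.0/8, example.net and example.com are constructed for the demonstration.

```python
import re
from datetime import datetime
from statistics import median, pstdev

# Indicators quoted in the report above (defanged brackets removed for matching).
KNOWN_C2_IPS = {"45.150.64.239", "162.223.89.11", "94.131.109.65", "137.74.131.18"}
KNOWN_C2_DOMAINS = {"microsoftfice.ddns.net", "ghostrider.serveirc.com"}

# Constructed sample proxy log (not real traffic): "<ISO timestamp> <src> <dst> <user-agent>".
SAMPLE_LOG = """\
2023-11-01T10:00:00 10.0.0.5 microsoftfice.ddns.net WindowsPowerShell/5.1
2023-11-01T10:00:10 10.0.0.5 microsoftfice.ddns.net WindowsPowerShell/5.1
2023-11-01T10:00:20 10.0.0.5 microsoftfice.ddns.net WindowsPowerShell/5.1
2023-11-01T10:00:01 10.0.0.8 sync.example.net WindowsPowerShell/5.1
2023-11-01T10:00:11 10.0.0.8 sync.example.net WindowsPowerShell/5.1
2023-11-01T10:00:22 10.0.0.8 sync.example.net WindowsPowerShell/5.1
2023-11-01T10:00:03 10.0.0.7 update.example.com Mozilla/5.0
2023-11-01T10:02:41 10.0.0.7 update.example.com Mozilla/5.0
2023-11-01T10:00:05 10.0.0.9 45.150.64.239 WindowsPowerShell/5.1
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")

def parse_log(text):
    """Parse each line into (timestamp, src, dst, user_agent); skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((datetime.fromisoformat(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return events

def detect(events, period=10.0, tolerance=2.0, min_hits=3):
    """Return {(src, dst): [reasons]} for pairs hitting a known IoC or polling at ~period seconds."""
    by_pair = {}
    for ts, src, dst, _ua in events:
        by_pair.setdefault((src, dst), []).append(ts)
    findings = {}
    for (src, dst), stamps in by_pair.items():
        reasons = []
        if dst in KNOWN_C2_IPS or dst in KNOWN_C2_DOMAINS:
            reasons.append("known MuddyC2Go indicator")
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        # Regular polling: enough requests, median gap near the period, little jitter.
        if len(stamps) >= min_hits and abs(median(gaps) - period) <= tolerance and pstdev(gaps) <= tolerance:
            reasons.append(f"regular ~{period:.0f}s polling ({len(stamps)} requests)")
        if reasons:
            findings[(src, dst)] = reasons
    return findings
```

Cadence detection is the part that survives infrastructure rotation: it catches the 10.0.0.8 host in the sample even though its destination appears on no indicator list, while the two-request pair to update.example.com stays below the threshold.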