Iranian Hackers Use MuddyC2Go in Telecom Espionage Attacks Across Africa

admin · 2023-12-20 10:31:02 · 47 views · 4,377 characters · 14 min 35 s read

The Iranian nation-state actor known as MuddyWater has leveraged a newly discovered command-and-control (C2) framework called MuddyC2Go in its attacks on the telecommunications sector in Egypt, Sudan, and Tanzania.

The Symantec Threat Hunter Team, part of Broadcom, is tracking the activity under the name Seedworm, which is also tracked under the monikers Boggy Serpens, Cobalt Ulster, Earth Vetala, ITG17, Mango Sandstorm (formerly Mercury), Static Kitten, TEMP.Zagros, and Yellow Nix.

Active since at least 2017, MuddyWater is assessed to be affiliated with Iran's Ministry of Intelligence and Security (MOIS), primarily singling out entities in the Middle East.

The cyber espionage group's use of MuddyC2Go was first highlighted by Deep Instinct last month, describing it as a Golang-based replacement for PhonyC2, itself a successor to MuddyC3. However, there is evidence to suggest that it may have been employed as early as 2020.

While the full extent of MuddyC2Go's capabilities is not yet known, the executable comes fitted with a PowerShell script that automatically connects to Seedworm's C2 server, thereby giving the attackers remote access to a victim system and obviating the need for manual execution by an operator.

The latest set of intrusions, which took place in November 2023, has also been found to rely on SimpleHelp and Venom Proxy, alongside a custom keylogger and other publicly available tools.

Attack chains mounted by the group have a track record of weaponizing phishing emails and known vulnerabilities in unpatched applications for initial access, followed by conducting reconnaissance, lateral movement, and data collection.

In the attacks documented by Symantec targeting an unnamed telecommunications organization, the MuddyC2Go launcher was executed to establish contact with an actor-controlled server, while also deploying legitimate remote access software like AnyDesk and SimpleHelp.

The entity is said to have been previously compromised by the adversary earlier in 2023 in which SimpleHelp was used to launch PowerShell, deliver proxy software, and also install the JumpCloud remote access tool.

"In another telecommunications and media company targeted by the attackers, multiple incidents of SimpleHelp were used to connect to known Seedworm infrastructure," Symantec noted. "A custom build of the Venom Proxy hacktool was also executed on this network, as well as the new custom keylogger used by the attackers in this activity."

By combining bespoke, living-off-the-land, and publicly available tools in its attack chains, the group aims to evade detection for as long as possible while pursuing its strategic objectives, the company said.

"The group continues to innovate and develop its toolset when required in order to keep its activity under the radar," Symantec concluded. "The group still makes heavy use of PowerShell and PowerShell-related tools and scripts, underlining the need for organizations to be aware of suspicious use of PowerShell on their networks."
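One way a defender can act on the PowerShell warning above, as an added example that is not code from Symantec or the original article: it scores constructed Sysmon-style process-creation records for PowerShell launched by remote-access tools and for encoded or hidden-window command lines. The parent image names standing in for SimpleHelp and JumpCloud are assumed placeholders to be tuned per environment.

```python
"""Flag suspicious PowerShell launches in process-creation telemetry.

All records below are constructed samples, not real telemetry. Field names
follow a Sysmon Event ID 1 layout (Image, ParentImage, CommandLine).
"""
import re

# Assumed parent processes of remote-access tools (placeholders; replace
# with the executables actually deployed in your estate).
REMOTE_ACCESS_PARENTS = {"anydesk.exe", "simplehelp.exe", "jumpcloud-agent.exe"}

# Command-line traits commonly seen in hands-off PowerShell execution.
SUSPICIOUS_ARGS = [
    re.compile(r"(?i)(^|\s)-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}"),  # encoded command
    re.compile(r"(?i)-w(indowstyle)?\s+hidden"),                            # hidden window
    re.compile(r"(?i)(downloadstring|downloadfile|invoke-webrequest|iwr\b|iex\b)"),
    re.compile(r"(?i)-e(p|xecutionpolicy)\s+bypass"),
]


def score_event(event: dict) -> list:
    """Return the reasons an event looks suspicious (empty list if none)."""
    image = event.get("Image", "").lower().rsplit("\\", 1)[-1]
    parent = event.get("ParentImage", "").lower().rsplit("\\", 1)[-1]
    cmd = event.get("CommandLine", "")
    reasons = []
    if image not in ("powershell.exe", "pwsh.exe"):
        return reasons
    if parent in REMOTE_ACCESS_PARENTS:
        reasons.append(f"powershell spawned by remote-access tool {parent}")
    for rx in SUSPICIOUS_ARGS:
        if rx.search(cmd):
            reasons.append(f"command line matches {rx.pattern}")
    return reasons


SAMPLE_EVENTS = [  # constructed sample records
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files\AnyDesk\anydesk.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc "
                    "SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe Get-ChildItem C:\\Users"},
]


def hunt(events: list) -> list:
    """Return (command line, reasons) pairs for every event that scored."""
    return [(e["CommandLine"], r) for e in events if (r := score_event(e))]


if __name__ == "__main__":
    for cmd, reasons in hunt(SAMPLE_EVENTS):
        print(cmd, "->", "; ".join(reasons))
```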

The development comes as an Israel-linked group called Gonjeshke Darande (meaning "Predatory Sparrow" in Persian) claimed responsibility for a cyber attack that disrupted a "majority of the gas pumps throughout Iran" in response to the "aggression of the Islamic Republic and its proxies in the region."

The group, which reemerged in October 2023 after going quiet for nearly a year, is believed to be linked to the Israeli Military Intelligence Directorate and has conducted destructive attacks in Iran against steel facilities, petrol stations, and rail networks.

Originally published on the WeChat official account 知机安全: Iranian Hackers Use MuddyC2Go in Telecom Espionage Attacks Across Africa

Source (CN-SEC): https://cn-sec.com/archives/2319579.html