PhonyC2

Malware updated 4 months ago (2024-05-04T19:56:31.118Z)
PhonyC2 is a custom command-and-control (C2) framework used by the Iran-based cyber-espionage group MuddyWater (also tracked as Seedworm) since at least 2021. As a C2 framework it is the operator side of an intrusion: the PhonyC2 server generates PowerShell payloads for compromised hosts, issues commands to them and collects the results, giving MuddyWater remote control over victim machines. The Deep Instinct Threat Lab published a technical deep dive into PhonyC2 after observing its use in an attack on the Israeli research institute Technion, and assesses PhonyC2 to be the successor to the group's earlier MuddyC3 and POWERSTATS frameworks.

The source code of PhonyC2 was leaked in early 2023, which forced a change in MuddyWater's tooling. The group developed a new C2 framework, MuddyC2Go, written in Go, and used it to replace the exposed PhonyC2 infrastructure. Notably, MuddyC2Go carries an embedded PowerShell script that connects back to the MuddyWater (Seedworm) C2 server on its own, removing the need for an operator to launch it manually and giving the attackers remote access to the victim machine as soon as the script runs.

In November 2023, MuddyWater used MuddyC2Go in attacks against Israel, the first publicly reported use of the framework. The full capabilities of MuddyC2Go are not yet known, but its deployment shows the continued evolution of MuddyWater's tooling; continued monitoring of the group's infrastructure and payloads is needed to gauge the impact and build effective detections and countermeasures.
Description last updated: 2024-05-04T19:42:14.951Z
Aliases We are not currently tracking any aliases
Source Document References
Information about the PhonyC2 malware was read from the documents below.
Source | Created | Title
CERT-EU | a year ago | Cyber security week in review: June 30, 2023
CERT-EU | 10 months ago | MuddyWater eN-Able spear-phishing with new TTPs | Deep Instinct Blog
CERT-EU | a year ago | Signs of MuddyWater Developments Found in the DNS
CERT-EU | 9 months ago | Iranian Hackers Using MuddyC2Go in Telecom Espionage Attacks Across Africa | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #hacker | National Cyber Security Consulting
CERT-EU | 9 months ago | Seedworm: Iranian Hackers Target Telecoms Orgs in North and East Africa
CERT-EU | 10 months ago | Iran's MuddyWater Targets Israel in New Spear-Phishing Cyber Campaign
Checkpoint | a year ago | 3rd July – Threat Intelligence Report - Check Point Research
CERT-EU | a year ago | Ransomware, state-sponsored attacks, AI-powered cyber threats surged in H1 2023
CERT-EU | 10 months ago | Israel subjected to Charming Kitten attacks
CERT-EU | 10 months ago | Ukraine's power grid targeted by Sandworm hackers last year
CERT-EU | a year ago | From MuddyC3 to PhonyC2: Iran's MuddyWater Evolves with a New Cyber Weapon – GIXtools