#CyberAnalysis
osintelligence · 1 year ago
https://bit.ly/3SDOVXl - 🕵️ Deep Instinct's Threat Research team has uncovered a new Command and Control (C2) framework, dubbed MuddyC2Go, believed to be used by the Iranian APT group MuddyWater. This C2 framework, written in Go, has possibly been active since 2020, replacing the group's earlier framework, PhonyC2. The discovery of MuddyC2Go highlights the evolving tactics of cyber threat actors. #MuddyC2Go #CyberSecurity #APT #IranianCyberThreats

🔍 The shift from PhonyC2 to MuddyC2Go was identified through anomalies in IP addresses previously associated with MuddyWater, revealing new behaviors and tactics. Deep Instinct's findings suggest a strategic evolution in MuddyWater's operations, highlighting the need for continuous monitoring and analysis of cyber threat actors' methodologies. #CyberThreatIntelligence #DeepInstinct #CyberAttackTrends

💻 Recent MuddyWater activities using MuddyC2Go involve spear-phishing emails with password-protected archives containing executables. These executables run embedded PowerShell scripts that connect to MuddyC2Go servers, indicating a move towards more sophisticated and automated attack methods. #SpearPhishing #Malware #CyberDefense

🌍 Deep Instinct's research has linked attacks using MuddyC2Go to various geographic locations, including a Jordanian company, an Iraqi telecommunications provider, and potential targets in Israel during the recent conflict. This geographical spread underscores the global reach and potential impact of MuddyWater's cyber operations. #GlobalCyberThreats #InfoSec #GeopoliticalCyberRisks

📡 In their investigation, Deep Instinct traced the MuddyC2Go framework back to 2020 and identified multiple IP addresses linked to MuddyWater's operations. These findings are supported by reports from other security firms, further validating the ongoing and evolving threat posed by this APT group. #CyberThreatResearch #IPAnalysis #CyberSecurityAwareness

🔗 The MuddyC2Go framework is challenging to fingerprint due to its generic appearance, similar to other web applications written in Go. However, unique URL patterns generated by the framework have helped Deep Instinct identify past attacks. This demonstrates the importance of detailed analysis in cybersecurity threat identification. #CyberForensics #ThreatHunting #CyberAnalysis

🛡️ Deep Instinct recommends disabling PowerShell if it's not needed or closely monitoring its activity if enabled, as PowerShell is a key component of MuddyWater's operations. The team's ongoing research and monitoring of MuddyC2Go servers provide vital insights for the cybersecurity community in combatting such threats.
wisdomiseternaltruth · 9 years ago
#cyberanalysis #namesandmeanings #ejramirez #bravestar #heartspower #passionismyaction #eternalonenessoflife #wisdomiseternaltruth
puuuh · 9 years ago
Ergo Proxy: psychopunk and cyberanalysis
osintelligence · 1 year ago
https://bit.ly/3SlAjfj - 🔍 StripedFly Infection: A shellcode was identified in the WININIT.EXE process, capable of downloading files from bitbucket[.]org and executing PowerShell scripts. The infection's origin was an SMBv1 exploit reminiscent of EternalBlue. After infecting, it propagated within networks using the exploit and SSH protocol, leveraging the keys found on the infected machine. #CyberSecurity #MalwareDetection

🔄 Persistence Methods: The malware adjusts its behavior based on the presence of PowerShell and access rights. If absent, a hidden file is generated in %APPDATA%. Otherwise, its actions vary, establishing persistence in Windows or Linux in multiple ways. #DigitalThreat #MalwarePersistence

📂 Bitbucket Repository: Stored on bitbucket[.]org, the repository was created in June 2018 by Julie Heilman. This repository contained various files, with system.img being a primary infection tool for Windows. As of September 2023, 60,000 initial infections were reported since April 2023. #CyberAttack #DigitalForensics

🔌 Modules: The malware uses a pluggable module system, a trait of APT malware. It possesses both service and functionality modules, each designed for specific tasks. These range from configuration storage and upgrades to command handling and credential harvesting. #APT #ModularMalware

💻 Functionality Modules: These modules perform a variety of tasks. They can interact with victim file systems, capture data, and even execute commands received from the C2 server. They're also capable of scanning and collecting sensitive information from active users. #DataBreach #CyberEspionage

⛏ Monero Mining: A disguised Monero mining module operates as a chrome.exe process. The process is closely monitored, and statistics are reported to the C2 server. Interestingly, the use of this mining module could be for disguise rather than maximum profit. #CryptoMining #CyberSec

⚡ ThunderCrypt Ransomware: During the analysis, a related ransomware called ThunderCrypt, linked to the same C2 server, was discovered. The ransomware had almost similar functionalities to StripedFly, but its most significant attention came from a failed attempt in Taiwan. #Ransomware #DigitalAttack

🔵 EternalBlue Connection: Parallels were drawn between the infamous EternalBlue exploit and StripedFly's creators. Based on PE timestamps, there's a likely connection between the two, although complete validation remains elusive.