Symantec reports an espionage campaign targeting the telecommunication sector in Egypt, Sudan and Tanzania. The events have been attributed to the Iranian state-sponsored threat actor Muddywater.
According to the report, investigation of these events revealed a malicious dynamic link library (DLL) consistent with the MuddyC2Go launcher. The launcher executes a PowerShell script that, in turn, establishes the connection to the command-and-control server.
Once a foothold was established, the attackers downloaded a large set of hacking tools, including Impacket WMIExec, remote access tools such as SimpleHelp and AnyDesk, and Venom, a proxy typically used in penetration testing. Additionally, investigators identified instances of RevSocks being installed on the compromised systems, potentially to evade detection of malicious traffic.