Posted on March 9, 2021 at 1:20 PM
In another dramatic twist, a hacking group with suspected ties with Iran has started a new espionage campaign, actively targeting the Middle East and neighboring regions. The focus for this new campaign is against the government agencies, academia, and tourism entities of these various countries, primarily aiming for data theft.
Earth Vetala Seemingly Connected to MuddyWater
Trend Micro dubbed this latest group Earth Vetala, with this latest finding expanding on previous research that Anomali had done just last month. Back then, Anomali had concluded that there was evidence attributing a level of malicious activity leveled against the government agencies of Kuwait and the UAE. Back then, it was done by way of exploiting the ScreenConnect management tool
In that case, MuddyWater was linked to the malicious actions, at least with “moderate” confidence. MuddyWater stands as a hacker group based in Iran, and is quite well known for the various offensives it’s thrown at the Middle East’s nations. The threat actor is known by numerous names, as well, going by Static Kitten, or MERCURY on top of MuddyWater.
The Fundamentals Of the Campaign
Now, Earth Vetala, as it was explained, primarily leveraged spear-phishing campaigns, that is targeting phishing emails, that held various embedded links to OneHub, a popular file-sharing service.
This service was used by the malicious actors to distribute a few nasty bits of malware, which ranged from custom backdoors to password dumps. Afterward, communications would be initiated with the command-and-control (C2) servers in order to execute various obfuscated PowerShell scripts.
Now, the actual links redirect users to a .ZIP file, which itself contains a very legitimate remote administration software that was developed by RemoteUtilities. This software is capable of everything you’d expect from it: Browsing directories and files, uploading and downloading files, executing and terminating processes, as well as capturing various screenshots.
Some Strange Lack Of Technical Prowess
Now, Trend Micro did highlight the eerie similarities between this campaign and the one enacted by MuddyWater. The software may have changed from ScreenConnect to RemoteUtilities, but the techniques and tactics to distribute this software remain fairly similar. Now, this latest attack, as stated by Trend Micro, primarily targeted Bahrain, Azerbaijan, Saudi Arabia, Israel, and the UAE.
Now, what’s interesting is something seems a bit off about this new Earth Vetala group. One of the more notable events was that the threat actors tried to configure a SharpChisel within one of the compromised hosts within Saudi Arabia.
The threat actors tried to implement a C# wrapper for a TCP/UDP tunneling tool by the name of Chisel, primarily for C2 communications. After failing at that, the group downloaded a credential stealer, a remote access tool, as well as a PowerShell backdoor that allowed for arbitrary remote command execution
Trend Micro explained that Earth Vetala stands as a very strange, interesting threat. The main problem surrounding the group is its tactics and general MO seems to be that of MuddyWater, but it also looks like the threat actors within the group itself aren’t really that versed in the various pieces of expertise needed in these kinds of operations, not really knowing how to properly use the hacking tools at their disposal. This is especially strange once you realize that other attacks have shown considerably higher levels of technical skill
A possibility about this is maybe this is some sort of new group of members within MuddyWater as a whole, tasked with taking on an operation to test their mettle. Of course, this is pure speculation.
Another important warning, to any readers of significant position within the affected countries, is that the Earth Vetala spearphishing campaign is still very much ongoing. It’s urged that users in general be incredibly careful with any email sent, even if they seem legitimate.
Don’t click on any attached file or link within an email you do not absolutely trust, and always believe in malicious intentions when you read something that sounds too good to be true: It almost always is
Time will tell how this new hacking campaign will play out, but at this time it’s just one of the many going on. In more amusing news, the US government has made plans to enact secret and clandestine operations against Russia in retaliation for the China hack. The entire world is now intimately aware of this thanks to the Biden administration announcing it publicly for the world to see.