A recent espionage campaign has been observed targeting organizations in the Middle East and neighboring regions. It shares the same target interest as the MuddyWater hacking group, suggests Trend Micro.
What was discovered?
The campaign, dubbed Earth Vetala, is operating in the government, academia, and tourism sectors in the UAE, Saudi Arabia, Israel, and Azerbaijan. The countries in the broader Middle East are believed to be the prime targets of this campaign.
- The campaign is actively stealing credentials from browsers such as Chrome, Chromium, Firefox, Opera, Internet Explorer, and Outlook.
- The campaign has been using spear-phishing emails or lures documents with embedded links to a legitimate file-sharing service.
- Its main aim is to distribute a malicious package containing ScreenConnect and RemoteUtilities tools to manage enterprise systems remotely.
Besides similarity in targets, researchers noted that the Muddywater group campaigns and this attack campaign also had a resemblance in the strategies and techniques used for distributing RemoteUtilities and ScreenConnect.
Tactics, Techniques, and Procedures
Attackers have used several known tools and techniques for their operation.
- The campaign has been utilizing post-exploitation tools that include password/process-dumping tools, reverse-tunneling tools, and custom backdoors.
- The threat actors have been observed initiating communications with additional C2 infrastructure to execute obfuscated PowerShell scripts.
Earth Vetala has also been linked to Anomali-identified activity in February.
- The current attacks show some similarities with the February campaign, however at that time, MuddyWater had shown higher levels of technical skill.
- In the recent campaign, the hackers seem to lack the expertise to use all of the available tools correctly.
Although the recent attacks lack the earlier expertise displayed by the group, with full utilization of available tools and utilities, the MuddyWater group can cause more harm in the future. MuddyWater group has been long known for using spearphishing to target its victims. Therefore, experts recommend staying alert and using anti-spam and anti-phishing solutions to stay protected from such threats.