Security researchers at Trend Micro have found evidence of malicious activity by the ‘MuddyWater’ advanced persistent threat (APT) group, which has targeted organizations in the Middle East using the ScreenConnect remote management tool.
Trend Micro's analysts have dubbed the newly detected campaign ‘Earth Vetala’. The finding builds on research published by Anomali last month. MuddyWater is an Iranian hacking group known primarily for offensives against Middle Eastern nations.
Key findings from this investigation
The details discovered by security researchers are listed below:
• The campaign steals stored credentials from Chrome, Chromium, Firefox, Opera, Internet Explorer, and Outlook.
• The campaign leveraged spear-phishing emails containing embedded links to a legitimate file-sharing service.
• The goal of the campaign is to distribute malicious packages that carry remote administration tools (ScreenConnect and RemoteUtilities), giving the attackers remote control over the compromised enterprise systems.
Security researchers discovered a spear-phishing email purporting to come from a government agency. The emails direct victims to a .ZIP file containing legitimate remote administration software developed by RemoteUtilities, which can download and upload files, capture screenshots, browse files and directories, and execute and terminate processes.
Earth Vetala has been using post-exploitation tooling that includes password- and process-dumping tools and custom backdoors. The threat actors have been observed establishing communications with a command-and-control (C2) server to execute obfuscated PowerShell scripts.
Security researchers at Trend Micro said the targets of the new wave of attacks are mainly organizations located in Bahrain, Israel, Azerbaijan, Saudi Arabia, and the United Arab Emirates.
In one instance involving a compromised host in Saudi Arabia, the researchers found that the adversary unsuccessfully tried to configure SharpChisel, a C# wrapper for the TCP/UDP tunneling tool chisel, for C2 communications, before installing a remote access tool, a credential stealer, and a PowerShell backdoor capable of executing arbitrary remote commands.
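Two of the artefacts described above, remote administration tools dropped onto victim hosts and C2-driven obfuscated PowerShell, leave traces in ordinary process-creation telemetry. The script below is an added defensive example, not code from Trend Micro, Anomali or either vendor: it triages constructed process-creation records, flags image paths that look like ScreenConnect or RemoteUtilities (the marker substrings are an assumption about how those products name their binaries), and decodes PowerShell `-EncodedCommand` arguments so an analyst can read what was actually run. The `Image="..." CommandLine="..."` record format and every log line are constructed for the example; none are campaign indicators.

```python
"""Triage process-creation records for two artefacts described in the
Earth Vetala report: remote-management tools (ScreenConnect, RemoteUtilities)
running on a host, and PowerShell launched with a Base64-encoded command.

Added defensive example, not code from Trend Micro, Anomali or the tools
themselves. The record format (Image="..." CommandLine="...") and every
log line are constructed for this example; they are not campaign IoCs.
"""
import base64
import binascii
import re

# Assumption: substrings that identify the two remote-management products in
# an image path. Their presence is not malicious by itself; the goal is to
# surface installs that the security team did not sanction.
REMOTE_TOOL_MARKERS = ("screenconnect", "remote utilities", "rutserv")

# Constructed record format resembling a Sysmon Event ID 1 / Windows 4688 summary.
LOG_RE = re.compile(r'Image="(?P<image>[^"]*)"\s+CommandLine="(?P<cmd>[^"]*)"')

# PowerShell accepts any unambiguous prefix of -EncodedCommand, so match
# -e, -ec, -enc, ... -encodedcommand, with either a dash or a slash.
ENC_FLAG_RE = re.compile(r"^[-/]e(c|nc[a-z]*)?$", re.I)


def decode_encoded_command(b64: str):
    """Return the script hidden behind -EncodedCommand (UTF-16LE in Base64),
    or None when the argument is not a well-formed encoded command."""
    try:
        raw = base64.b64decode(b64, validate=True)
        return raw.decode("utf-16-le")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None


def analyze_line(line: str):
    """Return a list of (finding, detail) tuples for one record; empty if clean."""
    m = LOG_RE.search(line)
    if not m:
        return []
    image, cmd = m.group("image"), m.group("cmd")
    image_l = image.lower()
    findings = []

    if any(marker in image_l for marker in REMOTE_TOOL_MARKERS):
        findings.append(("remote-tool", image))

    exe = image_l.rsplit("\\", 1)[-1]
    if exe in ("powershell.exe", "pwsh.exe"):
        tokens = cmd.split()
        for i, tok in enumerate(tokens[:-1]):
            if ENC_FLAG_RE.match(tok):
                decoded = decode_encoded_command(tokens[i + 1].strip("\"'"))
                findings.append(("encoded-powershell",
                                 decoded if decoded is not None else "<undecodable>"))
    return findings


def hunt(lines):
    """Map each record index to its findings, omitting clean records."""
    return {i: f for i, line in enumerate(lines) if (f := analyze_line(line))}


# Constructed payload, encoded the way PowerShell expects, so the decode path
# is exercised end to end without hand-computing Base64.
SAMPLE_SCRIPT = "Write-Output 'constructed sample'"
SAMPLE_ENCODED = base64.b64encode(SAMPLE_SCRIPT.encode("utf-16-le")).decode("ascii")

SAMPLE_LOGS = [
    # 0: ordinary shell activity; must not be flagged
    'Image="C:\\Windows\\System32\\cmd.exe" CommandLine="cmd.exe /c dir"',
    # 1: RemoteUtilities host service running out of a user's temp directory
    'Image="C:\\Users\\alice\\AppData\\Local\\Temp\\Remote Utilities - Host\\rutserv.exe" '
    'CommandLine="rutserv.exe"',
    # 2: ScreenConnect client service (the instance id is a placeholder)
    'Image="C:\\Program Files (x86)\\ScreenConnect Client (INSTANCE-ID)\\ScreenConnect.ClientService.exe" '
    'CommandLine="ScreenConnect.ClientService.exe"',
    # 3: hidden PowerShell window with an encoded command
    'Image="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" '
    f'CommandLine="powershell.exe -nop -w hidden -enc {SAMPLE_ENCODED}"',
    # 4: PowerShell with a script file and no encoding; -ExecutionPolicy must not
    #    be mistaken for an -EncodedCommand prefix
    'Image="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" '
    'CommandLine="powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\inventory.ps1"',
]

if __name__ == "__main__":
    for idx, findings in hunt(SAMPLE_LOGS).items():
        for kind, detail in findings:
            print(f"record {idx}: {kind}: {detail}")
```

Running the script flags records 1 to 3 and leaves 0 and 4 alone. A remote-tool hit is only a lead: the same binaries are sold for legitimate IT support, so the useful follow-up is to compare each hit against the list of sanctioned installs and against where the binary normally lives (a user's Temp directory, as in record 1, is the sort of location worth a closer look). The decoded PowerShell text is what an analyst reads next; anything that reaches out to an unfamiliar host is a candidate for the C2 behaviour described in the article.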