Trend Micro researchers recently detected activity targeting various organizations in the Middle East and neighboring regions. We were tipped off to this activity in part by research from Anomali, which also identified a campaign targeting similar victims. We believe (with moderate confidence) that this newly identified activity is connected to MuddyWater (also known as TEMP.Zagros, Static Kitten, and Seedworm). Additionally, we were able to link the Anomali-identified activity to an ongoing campaign in 2021. This campaign abuses legitimate remote administration tools such as ScreenConnect and RemoteUtilities.
Analysis indicates the Earth Vetala campaign is ongoing and that this threat actor has interests which appear to align with Iran.
Figure 1. Affected countries
Earth Vetala historically targets countries in the Middle East. In this campaign, Earth Vetala threat actors used spearphishing emails and lure documents against organizations within the United Arab Emirates, Saudi Arabia, Israel, and Azerbaijan. The phishing emails and lure documents contain embedded URLs linking to a legitimate file-sharing service to distribute archives containing the ScreenConnect remote administration tool. ScreenConnect is a legitimate application that allows systems administrators to manage their enterprise systems remotely.
Our research found threat indicators that were connected to the same campaign identified by Anomali. Analysis indicates that the Earth Vetala campaign is still ongoing as of the publishing of this post. During this campaign, threat actors used post-exploitation tools to dump passwords, tunneled their C&C communication using open-source tools, and used additional C&C infrastructure to establish a persistent presence within targeted hosts and environments.
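The delivery chain described above (an archive fetched from a file-sharing link, then a ScreenConnect or RemoteUtilities client launched from it) is detectable on the endpoint. The following is an added example, not code from the original post or from Trend Micro: a small rule that scores process-creation events where an RMM client binary starts from a user-writable path or is spawned by an Office or archive application. The binary names, parent names and event field names are assumptions of this example, and the sample events are constructed.

```python
import re
from typing import Dict, List, Tuple

# Client-side binary names for the two RMM tools named in the post.
# These names are an assumption of this example, not taken from the post.
RMM_BINARIES = {
    "screenconnect.windowsclient.exe": "ScreenConnect",
    "screenconnect.clientsetup.exe": "ScreenConnect",
    "rutserv.exe": "RemoteUtilities",
    "rfusclient.exe": "RemoteUtilities",
}

# An RMM client running from Downloads or a temp extraction folder points to
# an archive delivered to a user, not a packaged enterprise deployment.
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\(downloads|appdata\\local\\temp)\\", re.I)

# Parents that indicate a lure document or archive was the launch vector.
LURE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "7zfm.exe", "winrar.exe"}

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def evaluate(event: Dict[str, str]) -> List[str]:
    """Return the reasons a process-creation event looks like RMM delivery via lure."""
    tool = RMM_BINARIES.get(basename(event["Image"]))
    if tool is None:
        return []  # not one of the RMM clients we care about
    reasons = []
    if USER_WRITABLE.search(event["Image"]):
        reasons.append(f"{tool} launched from a user-writable path")
    parent = basename(event.get("ParentImage", ""))
    if parent in LURE_PARENTS:
        reasons.append(f"{tool} spawned by {parent}")
    return reasons

def scan(events: List[Dict[str, str]]) -> List[Tuple[str, List[str]]]:
    """Return (image, reasons) for every event that triggers at least one reason."""
    hits = []
    for event in events:
        reasons = evaluate(event)
        if reasons:
            hits.append((event["Image"], reasons))
    return hits

# Constructed sample events (not real telemetry): a lure-delivered installer,
# a legitimately deployed client, and a client run straight out of an archive.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\alice\Downloads\invoice\ScreenConnect.ClientSetup.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Program Files (x86)\ScreenConnect Client (example)\ScreenConnect.WindowsClient.exe",
     "ParentImage": r"C:\Windows\System32\services.exe"},
    {"Image": r"C:\Users\bob\AppData\Local\Temp\Rar$EXa0.123\rutserv.exe",
     "ParentImage": r"C:\Program Files\WinRAR\WinRAR.exe"},
]
```

Only the first and third constructed events trigger; the enterprise-deployed client under Program Files with a service parent does not.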
A detailed technical analysis of the attacks is included in the original article.
Earth Vetala represents an interesting threat. While it possesses remote access capabilities, the attackers seem to lack the expertise to use all of these tools correctly. This is unexpected since we believe this attack is connected to the MuddyWater threat actors — and in other connected campaigns, the attackers have shown higher levels of technical skill.
Our findings in this area were made possible by our Dedicated Intelligence Research (DIR) analysts. They are on-hand to help organizations reach important decisions and understand the nature of the security challenges they face.
MITRE ATT&CK technique mapping and Indicators of Compromise can also be found in the original article.