
Earth Vetala Operation – MuddyWater Targets Organizations in the Middle East

Trend Micro researchers recently detected attacks targeting the Middle East and surrounding areas, and after analysis confirmed that the activity was associated with the MuddyWater group. The ScreenConnect and RemoteUtilities remote administration tools were used in these attacks. The researchers named this intrusion set Earth Vetala.

The campaign uses spear-phishing emails with embedded links that point to legitimate file-sharing services, which are used to distribute the malicious packages. The links are embedded both in the lure documents and in the emails themselves.

Researchers noted that the tactics and techniques used in the two campaigns, one distributing RemoteUtilities and the other ScreenConnect, were roughly similar. They stated that the targets of the new campaign were mainly organizations located in Azerbaijan, Bahrain, Israel, Saudi Arabia and the UAE.

Analysis

During the investigation, an email purporting to come from a government agency was found. The email tried to persuade the recipient to click a URL and download the malicious file, which eventually installs and runs the RemoteUtilities remote administration software.


In this attack, the affected countries are distributed as follows:

[Figure: distribution of affected countries (image not available)]

IOCs

IP addresses and ports

23.94.50.197:444
23.95.215.100:443
23.95.215.100:8080
87.236.212.184:443
87.236.212.184:8008

MD5

09cc6bebec6db77a401507d33ec3987c
2ec61c8b7e57126025ebfdf2438418fc
64fc017a451ef273dcacdf6c099031f3
3c2a436c73eeb398cfc0923d9b08dcfe
7ce27d43bdbb6c9238c5d367a86dc37b
c67d578a14571e4f56430ce4bdc228f9
fa6d5164772ba72dc3931dae8e09b488
71ffc9ebbb80f4e2f405034662dfd424
3c1b429685e5f1853a3cd955bd0acbd7
960594cbdf938bcb03bd0637843d9154
e8e84ac1ae83a45c260df146e97cb1cb

SHA-1

a80eef6604837cceaa16aa2875dafab80434356b
5844344b5cf4c8d0d577f5506c8e5d4d680bd0d6
6aa8b4f4a6fd1b4f768b1ac6faaaddbaa302a585
8afe8c82901a1a07fb92d10457617f7eb16a4eea
bdc8c0a03b3430af66895b5c6f03da00916447ca
c4f00531020b8f7cc865fe26c6e31e358e666831
cf8ad0da6dc45ae7ce87f792b1e60175cefc2b50
dfe1f455adf8a98d94c7217acc763770ada4b4af
09a73164c70426372b431cba80510037eb42feb9
f228e772a31b4fc160cb59cf5627224613f10941
c58370b4114d4d493e141a66cd1484573ccf02b5
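As an added example (not part of the Trend Micro report), the following Python script shows how a defender would sweep the indicators above against two kinds of telemetry: outbound proxy log lines (matching the published IP:port pairs, and flagging the same IP on a different port as worth a look) and a file-hash inventory (matching MD5 and SHA-1 values, with the algorithm inferred from digest length). The log lines, file paths and the inventory format are constructed for the example; the proxy log layout "timestamp src_ip dst_ip:dst_port status" is an assumption and would be replaced by the real parser for your proxy.

```python
import re
from typing import Dict, List, Tuple

# Indicators as published in the report above.
IOC_ENDPOINTS = {
    "23.94.50.197:444", "23.95.215.100:443", "23.95.215.100:8080",
    "87.236.212.184:443", "87.236.212.184:8008",
}
IOC_IPS = {ep.split(":")[0] for ep in IOC_ENDPOINTS}
IOC_HASHES = {
    # MD5
    "09cc6bebec6db77a401507d33ec3987c", "2ec61c8b7e57126025ebfdf2438418fc",
    "64fc017a451ef273dcacdf6c099031f3", "3c2a436c73eeb398cfc0923d9b08dcfe",
    "7ce27d43bdbb6c9238c5d367a86dc37b", "c67d578a14571e4f56430ce4bdc228f9",
    "fa6d5164772ba72dc3931dae8e09b488", "71ffc9ebbb80f4e2f405034662dfd424",
    "3c1b429685e5f1853a3cd955bd0acbd7", "960594cbdf938bcb03bd0637843d9154",
    "e8e84ac1ae83a45c260df146e97cb1cb",
    # SHA-1
    "a80eef6604837cceaa16aa2875dafab80434356b", "5844344b5cf4c8d0d577f5506c8e5d4d680bd0d6",
    "6aa8b4f4a6fd1b4f768b1ac6faaaddbaa302a585", "8afe8c82901a1a07fb92d10457617f7eb16a4eea",
    "bdc8c0a03b3430af66895b5c6f03da00916447ca", "c4f00531020b8f7cc865fe26c6e31e358e666831",
    "cf8ad0da6dc45ae7ce87f792b1e60175cefc2b50", "dfe1f455adf8a98d94c7217acc763770ada4b4af",
    "09a73164c70426372b431cba80510037eb42feb9", "f228e772a31b4fc160cb59cf5627224613f10941",
    "c58370b4114d4d493e141a66cd1484573ccf02b5",
}

# Constructed sample proxy log (assumed layout: timestamp src dst_ip:dst_port status).
SAMPLE_PROXY_LOG = """
2021-03-01T10:15:02Z 10.0.0.12 23.95.215.100:443 200
2021-03-01T10:15:09Z 10.0.0.12 142.250.72.14:443 200
2021-03-01T10:16:30Z 10.0.0.45 87.236.212.184:8443 200
2021-03-01T10:17:01Z 10.0.0.45 23.94.50.197:444 200
malformed line here
"""

# Constructed sample file inventory: (path, digest). Paths are made up.
SAMPLE_FILE_INVENTORY: List[Tuple[str, str]] = [
    ("C:\\Users\\alice\\Downloads\\Document.exe", "09CC6BEBEC6DB77A401507D33EC3987C"),
    ("C:\\Windows\\System32\\notepad.exe", "d41d8cd98f00b204e9800998ecf8427e"),
    ("C:\\Users\\bob\\AppData\\Local\\Temp\\setup.msi", "c58370b4114d4d493e141a66cd1484573ccf02b5"),
]

PROXY_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\d{1,3}(?:\.\d{1,3}){3}) "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+) (?P<status>\d+)$"
)


def classify_hash(digest: str) -> str:
    """Infer the digest algorithm from its hex length (the report lists MD5 and SHA-1)."""
    d = digest.strip().lower()
    if re.fullmatch(r"[0-9a-f]{32}", d):
        return "md5"
    if re.fullmatch(r"[0-9a-f]{40}", d):
        return "sha1"
    if re.fullmatch(r"[0-9a-f]{64}", d):
        return "sha256"
    return "unknown"


def scan_proxy_log(log_text: str) -> Dict[str, List[str]]:
    """Bucket proxy lines into exact IP:port hits, same-IP/other-port hits, and unparsed lines."""
    hits: Dict[str, List[str]] = {"exact": [], "ip_only": [], "unparsed": []}
    for raw in log_text.strip().splitlines():
        line = raw.strip()
        m = PROXY_RE.match(line)
        if not m:
            hits["unparsed"].append(line)  # never silently drop lines the parser rejects
            continue
        endpoint = f"{m['dst']}:{m['port']}"
        if endpoint in IOC_ENDPOINTS:
            hits["exact"].append(line)
        elif m["dst"] in IOC_IPS:
            hits["ip_only"].append(line)  # known IP on an unlisted port: review, lower confidence
    return hits


def scan_file_hashes(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (path, algorithm, digest) for every inventory entry whose digest is a listed IOC."""
    matches = []
    for path, digest in inventory:
        d = digest.strip().lower()  # normalise case before comparing
        if d in IOC_HASHES:
            matches.append((path, classify_hash(d), d))
    return matches


if __name__ == "__main__":
    for bucket, lines in scan_proxy_log(SAMPLE_PROXY_LOG).items():
        for line in lines:
            print(f"[{bucket}] {line}")
    for path, algo, d in scan_file_hashes(SAMPLE_FILE_INVENTORY):
        print(f"[hash:{algo}] {path} {d}")
```

The "ip_only" bucket exists because command-and-control infrastructure often reuses an address on additional ports; such hits are lower confidence than an exact IP:port match but should not be discarded. Unparsed lines are reported rather than dropped so that a format change in the log source does not silently blind the sweep.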