Picus Threat Library Updated for Earth Vetala Campaign of MuddyWater APT Group

Picus Labs has updated the Picus Threat Library with new attack methods for malware samples used in the Earth Vetala attack campaign of the MuddyWater (also known as  TEMP.Zagros, Static Kitten, Seedworm, Mercury) APT Group, which has been active throughout 2017. MuddyWater is an Iranian threat group that has mainly targeted countries in the Middle East but has also targeted countries in Europe and North America. The majority of the group's targets are in the telecommunications, government, oil, defense, and financial industries.

MuddyWater utilizes a bunch of tools in its attack campaigns, including

• Custom tools: POWERSTATS (PowerMud) PowerShell-based first stage backdoor, SHARPSTATS .NET backdoor
• Tools also used by other threat actors: CrackMapExec (CME) post-exploitation tool, Empire and Koadic post-exploitation frameworks, LaZagne and Mimikatz credential dumper, PowerSploit PowerShell-based offensive security framework.

Earth Vetala Campaign

MuddyWater used spearphishing emails in the Earth Vetala attack campaign like its other campaigns [1]. These emails include links to malware droppers hosted in a legitimate file-sharing service, onehub.com. Picus Labs has updated the Picus Threat Library with the following malicious documents used in the Earth Vetala campaign of the MuddyWater APT group:

Although RemoteUtilities is a legitimate software, attackers use it as a Remote Administration Trojan (RAT). RemoteUtilities provides remote administration capabilities to attackers, such as file upload/download, file and directory browsing, process start/stop and screenshot grabbing. PassDump is a post-exploitation tool used by MuddyWater to dump credentials.

Other Threats of MuddyWater in Picus Threat Library

Picus Threat Library consists of 61 threats of the MuddyWater threat group, including:

• Operation Quicksand
• Covicli backdoor
• Delphstats Backdoor
• POWERSTATS (PowerMud) Backdoor
• PowGoop Loader
• SSF.MX Backdoor
• Sharpstats Backdoor
• LaZagne credential dumper
• Empire post-exploitation framework
• Mimikatz credential dumper

MITRE ATT&CK Techniques used by MuddyWater

• T1003.001 OS Credential Dumping: LSASS Memory
• T1005 Data from Local System
• T1012 Query Registry
• T1027 Obfuscated Files or Information
• T1027.005 Obfuscated Files or Information: Indicator Removal from Tools
• T1047 Windows Management Instrumentation
• T1053.005 Scheduled Task/Job: Scheduled Task
• T1055.001 Process Injection: Dynamic-link Library Injection
• T1055.002 Process Injection: Portable Executable Injection
• T1056.001 Input Capture: Keylogging
• T1057 Process Discovery
• T1059.001 Command and Scripting Interpreter: PowerShell
• T1087.001 Account Discovery: Local Account
• T1113 Screen Capture
• T1123 Audio Capture
• T1134 Access Token Manipulation
• T1482 Domain Trust Discovery
• T1543.003 Create or Modify System Process: Windows Service
• T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
• T1547.005 Boot or Logon Autostart Execution: Security Support Provider
• T1552.002 Unsecured Credentials: Credentials in Registry
• T1552.006 Unsecured Credentials: Group Policy Preferences
• T1555 Credentials from Password Stores
• T1558.003 Steal or Forge Kerberos Tickets: Kerberoasting
• T1566.02 Phishing: Spearphishing Link
• T1574.001 Hijack Execution Flow: DLL Search Order Hijacking
• T1574.007 Hijack Execution Flow: Path Interception by PATH Environment Variable
• T1574.008 Hijack Execution Flow: Path Interception by Search Order Hijacking
• T1574.009 Hijack Execution Flow: Path Interception by Unquoted Path

References

[1] https://www.trendmicro.com/en_us/research/21/c/earth-vetala---muddywater-continues-to-target-organizations-in-t.html