
Picus Labs | March 17, 2021
Picus Labs has updated the Picus Threat Library with new attack methods for malware samples used in the Earth Vetala attack campaign of the MuddyWater APT group (also known as TEMP.Zagros, Static Kitten, Seedworm and Mercury), which has been active since 2017. MuddyWater is an Iranian threat group that has mainly targeted countries in the Middle East but has also targeted countries in Europe and North America. The majority of the group's targets are in the telecommunications, government, oil, defense and financial industries.
MuddyWater uses a range of tools in its attack campaigns, including
As in its other campaigns, MuddyWater used spearphishing emails in the Earth Vetala attack campaign [1]. These emails contain links to malware droppers hosted on a legitimate file-sharing service, onehub.com. Picus Labs has updated the Picus Threat Library with the following malicious documents used in the Earth Vetala campaign of the MuddyWater APT group:
Picus ID | Threat Name
843253 | RemoteUtilities Dropper used by MuddyWater Threat Group in Earth Vetala Campaign .RTF File Download
396146 | PassDump Password Dumper Dropper used by MuddyWater Threat Group in Earth Vetala Campaign .DLL File
752295 | RemoteUtilities Dropper used by MuddyWater Threat Group in Earth Vetala Campaign .PDF File Download
Although RemoteUtilities is legitimate software, attackers use it as a Remote Administration Trojan (RAT). RemoteUtilities gives attackers remote administration capabilities such as file upload/download, file and directory browsing, process start/stop and screenshot capture. PassDump is a post-exploitation tool used by MuddyWater to dump credentials.
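The delivery pattern described above (spearphishing links to droppers hosted on onehub.com that fetch .RTF, .PDF and .DLL files) can be turned into a triage query over web proxy logs. The following is an added example, not Picus code: it parses constructed proxy log lines (the log format and every sample value are assumptions) and flags document or DLL downloads from the file-sharing host named in the campaign for analyst review, since the host itself is legitimate and a hit alone does not justify blocking it.

```python
import re
from urllib.parse import urlparse

# Constructed sample proxy log lines (not real traffic): timestamp, user, method, URL, HTTP status
SAMPLE_LOGS = [
    "2021-03-10T09:12:01Z alice GET https://onehub.com/files/abc123/download/report.rtf 200",
    "2021-03-10T09:15:44Z bob GET https://www.example.com/index.html 200",
    "2021-03-10T10:02:13Z carol GET https://onehub.com/files/def456/download/invoice.pdf 200",
    "2021-03-10T10:05:00Z dave GET https://onehub.com/ 200",
    "2021-03-10T11:30:27Z erin GET https://onehub.com/files/ghi789/download/update.dll 200",
]

# Assumed space-separated proxy log layout; adjust the regex to your proxy's actual format
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<user>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d{3})$")

# File types used by the Earth Vetala droppers listed in the threat table above
SUSPICIOUS_EXTENSIONS = (".rtf", ".pdf", ".dll")
# Legitimate file-sharing host abused in the campaign; matches the host and its subdomains
FILE_SHARING_HOSTS = ("onehub.com",)


def parse_line(line):
    """Return a dict of log fields, or None if the line does not match the assumed layout."""
    match = LOG_RE.match(line.strip())
    return match.groupdict() if match else None


def is_suspicious_download(url):
    """True when the URL points at a watched file-sharing host and ends in a dropper file type."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    path = parsed.path.lower()
    host_match = any(host == h or host.endswith("." + h) for h in FILE_SHARING_HOSTS)
    return host_match and path.endswith(SUSPICIOUS_EXTENSIONS)


def find_suspicious_downloads(lines):
    """Return the parsed records of successful (HTTP 200) downloads worth analyst review."""
    hits = []
    for line in lines:
        record = parse_line(line)
        if record and record["status"] == "200" and is_suspicious_download(record["url"]):
            hits.append(record)
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_downloads(SAMPLE_LOGS):
        print(f"review: {hit['ts']} user={hit['user']} url={hit['url']}")
```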
The Picus Threat Library contains 61 threats attributed to the MuddyWater threat group, including:
References
[1] https://www.trendmicro.com/en_us/research/21/c/earth-vetala---muddywater-continues-to-target-organizations-in-t.html