Resources | Picus Security

Picus Threat Library Updated for Earth Vetala Campaign of MuddyWater APT Group

Written by Picus Labs | Mar 17, 2021 10:21:04 AM

Picus Labs has enhanced the Picus Threat Library with new simulations that mirror malware and techniques used in the Earth Vetala campaign attributed to MuddyWater, also tracked as TEMP.Zagros, Static Kitten, Seedworm, and Mercury. Active since at least 2017, MuddyWater is widely assessed as an Iranian state sponsored group that focuses on strategic intelligence collection. The operators have primarily targeted countries in the Middle East and have also expanded to Europe and North America. Victim profiles align with national interest priorities and include telecommunications providers, government agencies, oil and energy firms, defense organizations, and financial institutions. By emulating these behaviors in a safe manner, the updated Picus scenarios let defenders measure real exposure and tune controls based on evidence rather than assumptions.

Earth Vetala operations typically combine social engineering, spearphishing, and exploitation of internet facing services for initial access, followed by persistence and command and control through scripts and legitimate admin tools. Campaign reporting has highlighted heavy use of PowerShell, VBA macros, and remote administration utilities to blend in with normal activity, as well as credential theft and lateral movement to reach high value systems. The new Picus content maps to MITRE ATT&CK across techniques such as phishing, exploitation of public facing applications, scripting, credentials from password stores, and data exfiltration. Security teams can use these tests to validate EDR detections, NDR analytics, SIEM correlations, and email security policies, then prioritize mitigations like multifactor authentication, hardening of remote access, macro restrictions, network segmentation, and continuous validation to ensure coverage against MuddyWater tradecraft.

MuddyWater utilizes a bunch of tools in its attack campaigns, including

  • Custom tools: POWERSTATS (PowerMud) PowerShell-based first stage backdoor, SHARPSTATS .NET backdoor
  • Tools also used by other threat actors: CrackMapExec (CME) post-exploitation tool, Empire and Koadic post-exploitation frameworks, LaZagne and Mimikatz credential dumper, PowerSploit PowerShell-based offensive security framework.

Earth Vetala Campaign

MuddyWater used spearphishing emails in the Earth Vetala attack campaign like its other campaigns [1]. These emails include links to malware droppers hosted in a legitimate file-sharing service, onehub.com. Picus Labs has updated the Picus Threat Library with the following malicious documents used in the Earth Vetala campaign of the MuddyWater APT group:

Picus ID

Threat Name

843253

RemoteUtilities Dropper used by MuddyWater Threat Group in Earth Vetala Campaign .RTF File Download

396146

PassDump Password Dumper Dropper used by MuddyWater Threat Group in Earth Vetala Campaign .DLL File

752295

RemoteUtilities Dropper used by MuddyWater Threat Group in Earth Vetala Campaign .PDF File Download

Although RemoteUtilities is legitimate software, attackers use it as a Remote Administration Trojan (RAT). RemoteUtilities provides remote administration capabilities to attackers, such as file upload/download, file and directory browsing, process start/stop and screenshot grabbing. PassDump is a post-exploitation tool used by MuddyWater to dump credentials.

Other Threats of MuddyWater in Picus Threat Library

Picus Threat Library consists of 61 threats of the MuddyWater threat group, including:

  • Operation Quicksand
  • Covicli backdoor
  • Delphstats Backdoor
  • POWERSTATS (PowerMud) Backdoor
  • PowGoop Loader
  • SSF.MX Backdoor
  • Sharpstats Backdoor
  • LaZagne credential dumper
  • Empire post-exploitation framework
  • Mimikatz credential dumper

MITRE ATT&CK Techniques used by MuddyWater

  • T1003.001 OS Credential Dumping: LSASS Memory
  • T1005 Data from Local System
  • T1012 Query Registry
  • T1027 Obfuscated Files or Information
  • T1027.005 Obfuscated Files or Information: Indicator Removal from Tools
  • T1047 Windows Management Instrumentation
  • T1053.005 Scheduled Task/Job: Scheduled Task
  • T1055.001 Process Injection: Dynamic-link Library Injection
  • T1055.002 Process Injection: Portable Executable Injection
  • T1056.001 Input Capture: Keylogging
  • T1057 Process Discovery
  • T1059.001 Command and Scripting Interpreter: PowerShell
  • T1087.001 Account Discovery: Local Account
  • T1113 Screen Capture
  • T1123 Audio Capture
  • T1134 Access Token Manipulation
  • T1482 Domain Trust Discovery
  • T1543.003 Create or Modify System Process: Windows Service
  • T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
  • T1547.005 Boot or Logon Autostart Execution: Security Support Provider
  • T1552.002 Unsecured Credentials: Credentials in Registry
  • T1552.006 Unsecured Credentials: Group Policy Preferences
  • T1555 Credentials from Password Stores
  • T1558.003 Steal or Forge Kerberos Tickets: Kerberoasting
  • T1566.02 Phishing: Spearphishing Link
  • T1574.001 Hijack Execution Flow: DLL Search Order Hijacking
  • T1574.007 Hijack Execution Flow: Path Interception by PATH Environment Variable
  • T1574.008 Hijack Execution Flow: Path Interception by Search Order Hijacking
  • T1574.009 Hijack Execution Flow: Path Interception by Unquoted Path

References

[1] https://www.trendmicro.com/en_us/research/21/c/earth-vetala---muddywater-continues-to-target-organizations-in-t.html

View full post