Recent cybersecurity investigations have revealed that hackers believed to be affiliated with Iran are intensively targeting academic institutions, government bodies, and tourism organizations throughout the Middle East and its neighboring countries. This campaign appears to be focused on espionage and data theft.
Trend Micro has named this operation “Earth Vetala,” building upon previous findings by Anomali which reported malicious activities aimed at government entities in the UAE and Kuwait, employing vulnerabilities in the ScreenConnect remote management tool.
Researchers at Trend Micro have linked these attacks with moderate confidence to a group known as MuddyWater, an Iranian hacking collective that has historically focused its efforts on Middle Eastern nations. This connection underscores the persistence and sophistication of the threat landscape in the region.
The Earth Vetala campaign reportedly utilizes spear-phishing emails embedding links to the file-sharing service Onehub. Malicious payloads vary, including password dumps and bespoke backdoors, alongside attempts to communicate with a command-and-control (C2) server for executing obfuscated PowerShell scripts.
The malicious links lead victims to a .ZIP file containing legitimate remote-administration software from RemoteUtilities, which gives the attacker capabilities such as file management, process execution, and screenshot capture. Hiding the intrusion behind legitimate software in this way is a deliberate approach to bypassing security measures that would flag custom malware.
Affected Countries
Trend Micro observed that the tactics and techniques used in the Earth Vetala operation closely mirror those seen in previous campaigns that abused ScreenConnect. The recent series of attacks has primarily targeted organizations in Azerbaijan, Bahrain, Israel, Saudi Arabia, and the UAE, indicating a strategic focus on entities across the region.
In a notable instance tied to a compromised system in Saudi Arabia, researchers found that the attacker made an unsuccessful attempt to configure SharpChisel, a C# wrapper for the TCP/UDP tunneling tool known as Chisel, for C2 communications. Subsequently, they attempted to download various remote access tools, credential stealers, and a PowerShell backdoor capable of executing arbitrary commands remotely.
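The delivery chain described above (Onehub link, ZIP download, a legitimately signed remote-administration tool launched from a user-writable path) and the follow-on activity (a Chisel client, encoded PowerShell) can be turned into simple endpoint detection logic. The following is an added example, not code from Trend Micro's report; the telemetry lines are constructed, and the RemoteUtilities host binary name `rutserv.exe` is an assumption not taken from the page.

```python
import re
from collections import defaultdict

# Constructed sample telemetry as (host, event type, detail); no value here comes from the report.
SAMPLE_EVENTS = [
    ("ws01", "url", "https://ws.onehub.com/files/EXAMPLE-ID"),
    ("ws01", "file_write", r"C:\Users\alice\Downloads\report.zip"),
    ("ws01", "process", r"C:\Users\alice\AppData\Local\Temp\rutserv.exe -silentinstall"),
    ("ws02", "process", r"C:\Users\bob\Downloads\SharpChisel.exe client 203.0.113.10:8080 R:socks"),
    ("ws03", "process", r"powershell.exe -nop -w hidden -EncodedCommand SQBFAFgAIAAoAE4A"),
    ("ws04", "process", r"C:\Windows\System32\notepad.exe C:\Users\carol\notes.txt"),
]

# Each rule: (event type it applies to, compiled regex, tag). Tags name the stages
# of the chain described in the article.
RULES = [
    ("url", re.compile(r"https?://[^\s/]*onehub\.com/", re.I), "onehub_link"),
    ("file_write", re.compile(r"\\Downloads\\[^\\]+\.zip$", re.I), "zip_download"),
    # rutserv.exe is an assumed binary name for the RemoteUtilities host; adjust to your environment.
    ("process", re.compile(r"\\Users\\.*\\rutserv\.exe", re.I), "remoteutilities_user_path"),
    ("process", re.compile(r"chisel\S*\.exe\s+client\s", re.I), "chisel_client"),
    ("process", re.compile(r"powershell(\.exe)?\s.*-(e|ec|enc|encodedcommand)\b", re.I), "encoded_powershell"),
]

def tag_event(event_type, detail):
    """Return the set of stage tags whose rule matches this single event."""
    return {tag for etype, rx, tag in RULES if etype == event_type and rx.search(detail)}

def assess(events):
    """Aggregate tags per host: HIGH when the full delivery chain (link -> ZIP -> remote
    tool) is seen, MEDIUM for any post-delivery stage alone, LOW for delivery hints only."""
    tags = defaultdict(set)
    for host, etype, detail in events:
        tags[host] |= tag_event(etype, detail)
    chain = {"onehub_link", "zip_download", "remoteutilities_user_path"}
    post_delivery = {"remoteutilities_user_path", "chisel_client", "encoded_powershell"}
    result = {}
    for host, t in tags.items():
        if chain <= t:
            level = "HIGH"
        elif t & post_delivery:
            level = "MEDIUM"
        elif t:
            level = "LOW"
        else:
            level = "NONE"
        result[host] = (level, sorted(t))
    return result

if __name__ == "__main__":
    for host, (level, t) in sorted(assess(SAMPLE_EVENTS).items()):
        print(f"{host}: {level} {t}")
```

The rules are deliberately narrow; in production, pair the remote-tool rule with software-inventory data so that sanctioned RemoteUtilities installs are not flagged.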
Trend Micro remarked that Earth Vetala presents a unique threat profile. Despite demonstrating remote access capabilities, the attackers appear to lack the technical acumen to utilize these sophisticated tools effectively, which contrasts with typical behaviors observed in other MuddyWater-related campaigns where attackers have exhibited a higher degree of skill.