MuddyWater Expands Its Reach: A Deep Dive into the Earth Vetala Intrusion
- Actor Motivations: Espionage, Exfiltration
- Attack Vectors: Backdoor, Malware, Spear Phishing
- Attack Complexity: High
- Threat Risk: High Impact/High Probability
Threat Overview
The MuddyWater threat group, through an intrusion set tracked as Earth Vetala, targeted organizations in Azerbaijan, Bahrain, Israel, Saudi Arabia, and the United Arab Emirates. The group used spear-phishing emails to deliver malicious packages, aiming predominantly at government agencies, academia, and the tourism sector. After gaining a foothold, MuddyWater deployed post-exploitation tools to dump credentials and establish persistence on the compromised systems. The operators used several C&C servers to run obfuscated PowerShell scripts, and when a connection attempt failed they repeatedly fell back to other techniques to re-establish C&C connectivity.
Detected Targets
Type | Description | Confidence
---|---|---
Sector | Government Agencies and Services | Verified |
Sector | Tourism | Verified |
Sector | University | Verified |
Region | Azerbaijan | Verified |
Region | Bahrain | Verified |
Region | Israel | Verified |
Region | Saudi Arabia | Verified |
Region | United Arab Emirates | Verified |
Extracted IOCs
- 0cd6f593cc58ba3ac40f9803d97a6162a308ec3caa53e1ea1ce7f977f2e667d3
- 304ea86131c4d105d35ebbf2784d44ea24f0328fb483db29b7ad5ffe514454f8
- 3495b0a6508f1af0f95906efeba36148296dccd2ab8ffb4e569254b683584fea
- 3e4e179a7a6718eedf36608bd7130b62a5a464ac301a211c3c8e37c7e4b0b32b
- 468e331fd3f9c41399e3e90f6fe033379ab69ced5e11b35665790d4a4b7cf254
- 5e2642f33115c3505bb1d83b137e7f2b18e141930975636e6230cdd4292990dd
- 61f83466b512eb12fc82441259a5205f076254546a7726a2e3e983011898e4e2
- 70cab18770795ea23e15851fa49be03314dc081fc44cdf76e8f0c9b889515c1b
- 78b1ab1b8196dc236fa6ad4014dd6add142b3cab583e116da7e8886bc47a7347
- 79fd822627b72bd2fbe9eae43cf98c99c2ecaa5649b7a3a4cfdc3ef8f977f2e6
- 8bee2012e1f79d882ae635a82b65f88eaf053498a6b268c594b0d7d601b1212f
- 9b345d2d9f52cda989a0780acadf45350b423957fb7b7668b9193afca3e0cd27
- b2f429efdb1801892ec8a2bcdd00a44d6ee31df04721482a1927fc6df554cdcf
- ccdddd1ebf3c5de2e68b4dcb8fbc7d4ed32e8f39f6fdf71ac022a7b4d0aa4131
- f664670044dbd967ff9a5d8d8f345be294053e0bae80886cc275f105d8e7a376
- f865531608a4150ea5d77ef3dd148209881fc8d831b2cfb8ca95ceb5868e1393
- fb414beebfb9ecbc6cb9b35c1d2adc48102529d358c7a8997e903923f7eda1a2
- 23[.]94.50.197
- 23[.]95.215.100
- 87[.]236.212.184
Tip: 20 IOCs related to this threat have been found (3 IP addresses, 0 domains, 0 URLs, 0 email addresses, 17 file hashes).
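An IOC list is only useful once it has been validated and matched against telemetry. The Python script below is an added example, not code from the original page or from any of the cited sources: it parses the list exactly as pasted from this page, refangs the `[.]` notation, rejects malformed entries instead of silently dropping them, and hunts for the hashes and IP addresses in a handful of constructed proxy and Sysmon-style log lines (the log lines and their field names are assumptions, not real telemetry). The IP match is anchored so that a longer address such as 123.94.50.197 does not match 23.94.50.197, and hash matching is case-insensitive because Sysmon writes hashes in upper case.

```python
"""Validate, refang and hunt with the IOCs listed above (added example).
The IOC block is pasted from this page; log lines and field names are
constructed sample data, not real telemetry."""
import re

# Copied from the "Extracted IOCs" list above, defanged with "[.]".
IOC_TEXT = """
- 0cd6f593cc58ba3ac40f9803d97a6162a308ec3caa53e1ea1ce7f977f2e667d3
- 304ea86131c4d105d35ebbf2784d44ea24f0328fb483db29b7ad5ffe514454f8
- 3495b0a6508f1af0f95906efeba36148296dccd2ab8ffb4e569254b683584fea
- 3e4e179a7a6718eedf36608bd7130b62a5a464ac301a211c3c8e37c7e4b0b32b
- 468e331fd3f9c41399e3e90f6fe033379ab69ced5e11b35665790d4a4b7cf254
- 5e2642f33115c3505bb1d83b137e7f2b18e141930975636e6230cdd4292990dd
- 61f83466b512eb12fc82441259a5205f076254546a7726a2e3e983011898e4e2
- 70cab18770795ea23e15851fa49be03314dc081fc44cdf76e8f0c9b889515c1b
- 78b1ab1b8196dc236fa6ad4014dd6add142b3cab583e116da7e8886bc47a7347
- 79fd822627b72bd2fbe9eae43cf98c99c2ecaa5649b7a3a4cfdc3ef8f977f2e6
- 8bee2012e1f79d882ae635a82b65f88eaf053498a6b268c594b0d7d601b1212f
- 9b345d2d9f52cda989a0780acadf45350b423957fb7b7668b9193afca3e0cd27
- b2f429efdb1801892ec8a2bcdd00a44d6ee31df04721482a1927fc6df554cdcf
- ccdddd1ebf3c5de2e68b4dcb8fbc7d4ed32e8f39f6fdf71ac022a7b4d0aa4131
- f664670044dbd967ff9a5d8d8f345be294053e0bae80886cc275f105d8e7a376
- f865531608a4150ea5d77ef3dd148209881fc8d831b2cfb8ca95ceb5868e1393
- fb414beebfb9ecbc6cb9b35c1d2adc48102529d358c7a8997e903923f7eda1a2
- 23[.]94.50.197
- 23[.]95.215.100
- 87[.]236.212.184
"""

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
IPV4_RE = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")


def refang(token: str) -> str:
    """Undo the usual defanging so the value can be matched against logs."""
    return token.replace("[.]", ".").replace("hxxp", "http")


def parse_iocs(text: str) -> dict:
    """Split an IOC dump into typed sets, rejecting anything malformed.
    A hash that is not exactly 64 hex digits is almost always a copy error;
    dropping it silently would leave a hole in the hunt, so raise instead."""
    iocs = {"sha256": set(), "ipv4": set()}
    for raw in text.splitlines():
        token = refang(raw.strip().lstrip("- ").lower())
        if not token:
            continue
        if SHA256_RE.match(token):
            iocs["sha256"].add(token)
        elif IPV4_RE.match(token) and all(int(o) <= 255 for o in token.split(".")):
            iocs["ipv4"].add(token)
        else:
            raise ValueError(f"unrecognised or malformed IOC: {raw!r}")
    return iocs


def hunt(lines: list, iocs: dict) -> list:
    """Return (line_no, ioc_type, value) for every IOC seen in the log lines.
    Hashes are compared case-insensitively; an IP must stand alone, so
    123.94.50.197 does not match 23.94.50.197 and 23.94.50.1970 does not either."""
    hits = []
    for n, line in enumerate(lines, 1):
        low = line.lower()
        for h in re.findall(r"\b[0-9a-f]{64}\b", low):
            if h in iocs["sha256"]:
                hits.append((n, "sha256", h))
        for ip in sorted(iocs["ipv4"]):
            if re.search(rf"(?<![\d.]){re.escape(ip)}(?!\.?\d)", low):
                hits.append((n, "ipv4", ip))
    return hits


# Constructed sample events (not real telemetry; field names are assumed).
# Line 2 carries a superstring of a listed IP and line 4 the SHA-256 of an
# empty file; neither may produce a hit.
SAMPLE_LOGS = [
    "2021-03-01T09:12:03Z proxy src=10.0.4.22 dst=23.94.50.197 dport=443 action=allow",
    "2021-03-01T09:12:09Z proxy src=10.0.4.22 dst=123.94.50.197 dport=443 action=allow",
    "2021-03-01T09:13:41Z sysmon EventID=1 Image=C:\\Users\\u\\Downloads\\setup.exe "
    "Hashes=SHA256=468E331FD3F9C41399E3E90F6FE033379AB69CED5E11B35665790D4A4B7CF254",
    "2021-03-01T09:13:42Z sysmon EventID=1 Image=C:\\Windows\\notepad.exe "
    "Hashes=SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855",
    "2021-03-01T09:15:00Z sysmon EventID=3 Image=powershell.exe DestinationIp=87.236.212.184 "
    "ParentHash=ccdddd1ebf3c5de2e68b4dcb8fbc7d4ed32e8f39f6fdf71ac022a7b4d0aa4131",
]

if __name__ == "__main__":
    found = parse_iocs(IOC_TEXT)
    print(f"loaded {len(found['sha256'])} hashes and {len(found['ipv4'])} IPs")
    for line_no, kind, value in hunt(SAMPLE_LOGS, found):
        print(f"line {line_no}: {kind} {value}")
```

Run against the constructed sample the script reports hits on lines 1, 3 and 5 only. In a real hunt the `IOC_TEXT` block stays as pasted and `SAMPLE_LOGS` is replaced by the proxy, DNS and Sysmon exports being searched; the parser's refusal to accept a malformed line is deliberate, because a truncated hash that is skipped without error looks like a clean result.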
Overlaps
Source: Picussecurity - March 2022
Detection (three cases): 468e331fd3f9c41399e3e90f6fe033379ab69ced5e11b35665790d4a4b7cf254, 70cab18770795ea23e15851fa49be03314dc081fc44cdf76e8f0c9b889515c1b, ccdddd1ebf3c5de2e68b4dcb8fbc7d4ed32e8f39f6fdf71ac022a7b4d0aa4131
Source: Mandiant - February 2022
Detection (one case): 87[.]236.212.184
Source: Symantec - December 2021
Detection (two cases): 61f83466b512eb12fc82441259a5205f076254546a7726a2e3e983011898e4e2, ccdddd1ebf3c5de2e68b4dcb8fbc7d4ed32e8f39f6fdf71ac022a7b4d0aa4131
Source: Anomali - February 2021
Detection (two cases): 3e4e179a7a6718eedf36608bd7130b62a5a464ac301a211c3c8e37c7e4b0b32b, b2f429efdb1801892ec8a2bcdd00a44d6ee31df04721482a1927fc6df554cdcf
Hint: Overlaps are extracted automatically by examining the IOCs associated with all indexed threats and actors.