Threats Feed

UNC1860, an Iranian state-sponsored group likely affiliated with the Ministry of Intelligence and Security (MOIS), targets government and telecommunications sectors in the Middle East, particularly in Saudi Arabia, Qatar, and Israel. The group acts as an initial access provider, exploiting vulnerabilities in internet-facing servers and deploying web shells like STAYSHANTE. Custom tools, such as TEMPLEPLAY and VIROGREEN, allow for remote access and further exploitation. UNC1860's operations are characterised by passive backdoors, credential validation, and stealthy malware that facilitates long-term persistence and hand-off to other threat actors. It's likely that the group has supported disruptive campaigns in the region.

Check Point Research has discovered new malware, Veaty and Spearal, used in Iran-linked cyber attacks against Iraqi government infrastructure. The malware uses techniques such as passive IIS backdoors, DNS tunneling, and compromised email accounts for C2 communications. The attackers also used social engineering tactics and double-extension files to trigger infections. Spearal communicates via DNS queries, while Veaty uses compromised email accounts within the gov-iq.net domain. The campaign targets Iraqi government agencies with ties to the APT34 group, demonstrating a sophisticated and persistent threat to Iraqi infrastructure.

APT34 has launched a new phishing campaign, using a decoy file named “GGMS Overview.doc” to target U.S.-based enterprises. The campaign employs a variant of the SideTwist Trojan for long-term control over victim hosts. Malicious macros in the document deploy the Trojan, which communicates with a C&C server. Interestingly, the C&C IP address is associated with the United States Department of Defense Network Information Center. The Trojan is capable of executing commands from the C&C and exfiltrating local files. It suggests the APT34 group might be conducting a test operation to preserve attack resources.

The article from Check Point Research focuses on the resurgence of Iran's APT34 cyber espionage group, which has updated its tactics and tools. This group, also known as OilRig, has targeted a Lebanese entity using a new backdoor variant named "SideTwist". They have refined their strategies to evade detection, continuing their pattern of using job opportunity documents to deliver malware through LinkedIn. The article provides an in-depth analysis of the infection chain, the malware's capabilities, and its persistence techniques. It aligns with APT34's history of targeting Middle Eastern entities, underscoring the ongoing cyber threats in the region.