Threats Feed

OilRig (APT34) has targeted the government, technology and energy sectors across the Middle East. Its operations include spearphishing campaigns, PowerShell-based backdoors (Helminth, QUADAGENT), and exploitation of vulnerabilities such as CVE-2024-30088. The group relies on obfuscation techniques to evade detection and uses tools such as STEALHOOK for privilege escalation, lateral movement and data exfiltration. Key targets include Saudi Arabian organisations and Middle Eastern government agencies, highlighting OilRig's focus on geopolitical intelligence gathering. The campaigns demonstrate advanced persistence, stealth and adaptability in line with state-sponsored objectives.

Earth Simnavaz, also known as APT34 or OilRig, has been targeting governmental entities in the UAE and Gulf region, focusing on the energy sector and critical infrastructure. The group uses sophisticated tactics, including the exploitation of Microsoft Exchange servers for credential theft and privilege escalation via CVE-2024-30088. They employ custom .NET tools, PowerShell scripts, and IIS-based malware to avoid detection. Additionally, the attackers utilize ngrok for persistent access and lateral movement, and manipulate password filters to extract plain-text credentials. These credentials are used for supply chain attacks, with a focus on exfiltrating sensitive data through compromised email servers.

UNC1860, an Iranian state-sponsored group likely affiliated with the Ministry of Intelligence and Security (MOIS), targets government and telecommunications sectors in the Middle East, particularly in Saudi Arabia, Qatar, and Israel. The group acts as an initial access provider, exploiting vulnerabilities in internet-facing servers and deploying web shells like STAYSHANTE. Custom tools, such as TEMPLEPLAY and VIROGREEN, allow for remote access and further exploitation. UNC1860's operations are characterised by passive backdoors, credential validation, and stealthy malware that facilitates long-term persistence and hand-off to other threat actors. It's likely that the group has supported disruptive campaigns in the region.

Check Point Research has discovered new malware, Veaty and Spearal, used in Iran-linked cyber attacks against Iraqi government infrastructure. The malware uses techniques such as passive IIS backdoors, DNS tunneling, and compromised email accounts for C2 communications. The attackers also used social engineering tactics and double-extension files to trigger infections. Spearal communicates via DNS queries, while Veaty uses compromised email accounts within the gov-iq.net domain. The campaign targets Iraqi government agencies with ties to the APT34 group, demonstrating a sophisticated and persistent threat to Iraqi infrastructure.

The Menorah malware, used by the APT34 threat group to target organisations in the Middle East, creates a mutex to ensure single-instance operation. The malware exfiltrates data and executes commands from a hardcoded command and control (C2) server. These commands include creating processes, listing files, downloading files and exfiltrating arbitrary data. The analysis provides technical details, including SHA256 hashes, mutex identifiers and the address of the C2 server, to aid detection and response efforts.

APT34 has launched a new phishing campaign, using a decoy file named “GGMS Overview.doc” to target U.S.-based enterprises. The campaign employs a variant of the SideTwist Trojan for long-term control over victim hosts. Malicious macros in the document deploy the Trojan, which communicates with a C&C server. Interestingly, the C&C IP address is associated with the United States Department of Defense Network Information Center. The Trojan is capable of executing commands from the C&C and exfiltrating local files. It suggests the APT34 group might be conducting a test operation to preserve attack resources.

The Lyceum group (also known as Hexane) is a cyber threat actor focused on the telecommunications, energy and aviation sectors, particularly targeting high-profile organisations in Tunisia. Active since 2018, Lyceum has recently replaced its .NET-based malware with new C++ backdoors and PowerShell scripts to evade detection. The group continues to rely on DNS tunneling for command and control (C2) and uses tools for system reconnaissance, credential theft and keylogging. Lyceum also uses spoofed domains to disguise its activities, demonstrating an adaptive approach to persistent targeting of critical infrastructure.

The article from Check Point Research focuses on the resurgence of Iran's APT34 cyber espionage group, which has updated its tactics and tools. This group, also known as OilRig, has targeted a Lebanese entity using a new backdoor variant named "SideTwist". They have refined their strategies to evade detection, continuing their pattern of using job opportunity documents to deliver malware through LinkedIn. The article provides an in-depth analysis of the infection chain, the malware's capabilities, and its persistence techniques. It aligns with APT34's history of targeting Middle Eastern entities, underscoring the ongoing cyber threats in the region.

IBM's X-Force team has detailed a new destructive malware, ZeroCleare, targeting the energy sector in the Middle East. The wiper, similar to Shamoon, overwrites data and maliciously uses legitimate tools. Attribution points to Iranian state-sponsored groups, possibly a collaboration between ITG13 and another entity. The report highlights the increase in destructive attacks, particularly in the energy sector, and offers mitigation strategies, including the use of threat intelligence, robust security controls and effective backup systems. Finally, it notes the wider geopolitical implications of such attacks.

Iranian APT groups, notably APT34 and APT33, have exploited the CVE-2017-11774 vulnerability in Microsoft Outlook, using it for espionage and destructive attacks. This exploit involves modifying Outlook's homepage settings via the registry to achieve persistence and remote code execution, bypassing Microsoft's patch. The attacks have targeted sectors globally, leveraging custom phishing documents and Azure-hosted payloads to bypass security measures and maintain control over compromised systems.

This NSFOCUS report details an analysis of a leaked toolkit belonging to the APT34 hacking group, also known for its similarities to OilRig. The report focuses on the toolkit's components, including Trojans such as Glimpse and PoisonFrog, and Webshells used for privilege escalation and data exfiltration, primarily targeting the energy and financial sectors, particularly in China and the Middle East. The analysis details the functionality and communication methods of the tools, which use DNS tunneling for command and control.