Latest Update: 26/02/2026

Threats Feed

  1. Public

    APT34's Phishing Strategy With New Malware Families Targeting Key Sectors

    Mandiant detected a phishing campaign by APT34, an Iranian-nexus threat actor, in late June 2019. The actor, posing as a member of Cambridge University, delivered malicious documents via LinkedIn and introduced three new malware families. The primary industries targeted by this campaign were Energy and Utilities, Government, and Oil and Gas. APT34 is notably active in the Middle East, employing a blend of public and non-public tools to carry out its cyber espionage activities.

  3. Public

    Cyber Espionage Unveiled: APT34's Targeted Attacks on Government and Finance Systems

    APT34 primarily targets Middle Eastern countries and international organizations across finance, government, energy, chemical engineering, and telecommunications sectors. Disclosed by Lab Dookhtegan, APT34 employs various attack methods, including SQL injection, brute-force cracking, and 0-day exploits. The group frequently uses web shells injected into compromised systems to maintain control. Top attacked countries include the United Arab Emirates, China, Jordan, and Saudi Arabia. The compromised enterprises predominantly belong to government (36%), finance (17%), service provider (12%), and media (7%) sectors. APT34's attacks typically begin with exploiting web vulnerabilities to gain initial access.

  4. Public

    APT34's Glimpse Project: Sophisticated Cyber Espionage in the Middle East

    Since at least 2014, APT34 has targeted financial, government, energy, chemical, telecommunications, and other industries in the Middle East. Their Glimpse project uses a file-based command and control structure, including a VBS launcher and a PowerShell payload, with covert channels over DNS. Tools leaked on a Telegram channel were linked to OilRig, confirming their use in multiple intrusions across the Middle East and Asia. The attacks include sophisticated PowerShell scripts for command execution and data exfiltration.

  5. Public

    APT34’s Webmask Project: DNS Hijacking and Targeted Cyber Attacks

    APT34 has been leveraging DNS tunneling for command and control since May 2016. The leaked source code, revealed via a Telegram channel, includes projects like webmask, which primarily focus on DNS hijacking and redirection attacks. The attacks target sectors such as technology firms, telecom companies, and gaming companies across the Middle East and Asia, with a particular focus on the UAE. The setup involves using NodeJS and Python for DNS servers, an ICAP proxy server to intercept and modify connections, and Haproxy for high availability.

  6. Public

    APT34 Leak Exposes Espionage Tools and Tactics of Iranian Cyber Actors

    The APT34/OILRIG group, linked to Iranian intelligence, had its operational details leaked by the "Lab Dookhtegan" group on Telegram. The leaks revealed a C2 infrastructure, PowerShell-based agents, ASP web shells ("HighShell" and "HyperShell"), and a DNS-based espionage toolset ("dnspionage"). These tools facilitate file transfer, credential theft, and covert communication via proxies and DNS manipulation. The attackers also collected sensitive data, including domain admin credentials, indicating that high-value networks were likely targeted. While specific sectors or countries are not detailed, the tools suggest a focus on espionage and disruption. Other tools, such as 'MinionProject' and 'FoxPanel222', remain under analysis.

  7. Public

    Adapting and Evolving: A Look at the OilRig's QUADAGENT-Driven Attacks

    The OilRig group continued its espionage activities, primarily within the Middle East. Between May and June 2018, they orchestrated multiple attacks using compromised accounts from a Middle Eastern government agency, targeting a technology services provider and another government entity. The group leveraged a PowerShell backdoor called QUADAGENT and employed spear-phishing tactics, obfuscation using the Invoke-Obfuscation toolkit, and PE files to achieve their objectives. They also used stolen credentials and decoy dialog boxes to reduce suspicion and evade detection.

  8. Public

    APT34's Utilization of Microsoft Office Vulnerabilities to Compromise Middle Eastern Organizations

    The Iranian cyber espionage group APT34 exploited two vulnerabilities (CVE-2017-0199 and CVE-2017-11882) in Microsoft Office to deliver malicious payloads against Middle Eastern governmental organizations. The group utilized spear-phishing emails with malicious .rtf files attached which, upon opening, exploited the vulnerabilities and executed malicious scripts. The scripts, POWRUNER and BONDUPDATER, performed actions such as persistence and command-and-control (C2) communication, including the use of a domain generation algorithm (DGA) to evade detection.

  9. Public

    APT34 Targets Middle Eastern Banks with Macro Malware

    APT34 launched targeted attacks against banks in the Middle East in May 2016. The threat actors sent malicious macro-enabled XLS files in emails to banking sector employees, which then created multiple directories and dropped PowerShell scripts to perform various malicious activities. The macros also unhid content after execution, creating a false sense of legitimacy. These files executed various scripts to download additional payloads, gather information, and exfiltrate data over DNS queries, demonstrating the continued effectiveness of macro malware.
