Threats Feed
Veaty and Spearal Malware Used in Targeted Iraqi Government Attacks
Check Point Research has discovered two new malware families, Veaty and Spearal, used in Iran-linked cyber attacks against Iraqi government infrastructure. The malware relies on techniques such as passive IIS backdoors, DNS tunneling, and compromised email accounts for C2 communications. The attackers also used social engineering and double-extension files to trigger infections. Spearal communicates via DNS queries, while Veaty uses compromised email accounts within the gov-iq.net domain. The campaign, which shows ties to the APT34 group, targets Iraqi government agencies and demonstrates a sophisticated and persistent threat to Iraqi infrastructure.
APT34 Targets U.S. Enterprises with New SideTwist Trojan Variant
APT34 has launched a new phishing campaign, using a decoy file named “GGMS Overview.doc” to target U.S.-based enterprises. The campaign employs a variant of the SideTwist Trojan for long-term control over victim hosts. Malicious macros in the document deploy the Trojan, which communicates with a C&C server. Notably, the C&C IP address is associated with the United States Department of Defense Network Information Center. The Trojan is capable of executing commands received from the C&C and exfiltrating local files. This suggests the APT34 group might be conducting a test operation to preserve its attack resources.
Iranian APT34's Evolving Arsenal: A Deep Dive into the SideTwist Campaign
The article from Check Point Research focuses on the resurgence of Iran's APT34 cyber espionage group, which has updated its tactics and tools. This group, also known as OilRig, has targeted a Lebanese entity using a new backdoor variant named "SideTwist". They have refined their strategies to evade detection, continuing their pattern of using job opportunity documents to deliver malware through LinkedIn. The article provides an in-depth analysis of the infection chain, the malware's capabilities, and its persistence techniques. It aligns with APT34's history of targeting Middle Eastern entities, underscoring the ongoing cyber threats in the region.
Persistent Exploits in Microsoft Outlook: Iranian Hackers Bypass Security Patches
Iranian APT groups, notably APT34 and APT33, have exploited the CVE-2017-11774 vulnerability in Microsoft Outlook, using it for espionage and destructive attacks. This exploit involves modifying Outlook's homepage settings via the registry to achieve persistence and remote code execution, bypassing Microsoft's patch. The attacks have targeted sectors globally, leveraging custom phishing documents and Azure-hosted payloads to bypass security measures and maintain control over compromised systems.
Mia Ash: Anatomy of a Cyber Espionage Persona, COBALT GYPSY Lures Middle Eastern Targets
The article "The Curious Case of Mia Ash" by SecureWorks details a sophisticated cyber espionage campaign. This campaign involved a fake online persona named Mia Ash, created by the threat group COBALT GYPSY, which is associated with Iranian cyber operations. Mia Ash was used to establish relationships with employees in targeted organizations, primarily in the Middle East and North Africa. The persona, active across various social media platforms, was instrumental in delivering malware through seemingly innocent interactions. The case underlines the increasing complexity of cyber threats where social engineering and fake identities are employed to breach security systems.
COBALT GYPSY's Yet Another PupyRAT-driven Phishing Campaign
SecureWorks researchers identified a phishing campaign targeting a Middle Eastern organization in January 2017, linked to COBALT GYPSY (aka OilRig). The attackers employed spear-phishing emails containing shortened URLs that redirected to spoofed domains. Victims were presented with a malicious Microsoft Office document which, when opened, executed PowerShell commands that installed PupyRAT, a multi-platform remote access trojan (RAT).