Threats Feed

The Lyceum APT targets the oil, gas and telecommunications sectors in the Middle East, focusing on credential theft and network infiltration through a multi-stage attack chain. The initial infection involves malicious Microsoft Office documents that deploy DanDrop, a VBA-based malware dropper that installs DanBot, a remote access Trojan used for ongoing control. The group also uses PowerShell scripts, including keyloggers and credential decryption tools, to gather sensitive data from Active Directory and RDCMan configurations. The sophisticated attack chain used by this cybercrime group highlights the ongoing threat to critical infrastructure in the Middle East.

Microsoft reports that the Iranian APT group MERCURY (aka MuddyWater) is actively exploiting the Zerologon vulnerability (CVE-2020-1472) to compromise Active Directory services. Known for targeting Middle Eastern governments for data exfiltration, MERCURY has also exploited the SharePoint vulnerability (CVE-2019-0604) to implant web shells for persistent access. These attacks often involve Cobalt Strike payloads and lateral movement within networks, focusing on domain controllers. Despite patches released in 2020, exploitation attempts remain widespread, highlighting the need for robust patch management. MERCURY's activities highlight the ongoing threat to governments and other critical sectors in the Middle East.

Check Point Research uncovered an ongoing Iranian espionage campaign, Rampant Kitten, targeting Iranian expats and dissidents. The attackers used Windows infostealers to steal personal documents and access Telegram and KeePass accounts. They employed Android backdoors to intercept SMS-based 2FA codes and record audio, and also created Telegram phishing pages. The campaign's initial infection vector involved a malicious document exploiting external template loading. Key targets included anti-regime organizations and minority resistance groups such as AFALR and Azerbaijan National Resistance Organization. The malware utilized SOAP for communication and featured sophisticated persistence and data exfiltration techniques.

Rana Intelligence Computing Company (APT39) is an Iranian front group for the Ministry of Intelligence and Security (MOIS) that conducts cyber operations in Asia, Africa, Europe and North America. Its primary targets include the travel, telecommunications, hospitality, academic, and government sectors. Rana used malware delivered via spearphishing, using Visual Basic, PowerShell, AutoIt scripts and BITS malware to steal data, track individuals and maintain persistence. Their campaign targeted over 15 US companies, using scheduled tasks, encryption and obfuscation techniques to evade detection. Rana also deployed Android malware with root access capabilities for C2 communications, audio recording, and photo capture.

In April 2020, Iran-based threat actor TRACER KITTEN targeted a telecommunications company in the EMEA region, leveraging valid credentials and custom backdoors for persistent access and C2 communications. The adversary employed SSH tunnels, masqueraded tools, and rogue Windows services to evade detection. Credential theft attempts involved LSASS dumps via comsvcs.dll and a modified Mimikatz. Reconnaissance was extensive, using native Windows tools to enumerate users, groups, and services, followed by a pass-the-hash attempt with Invoke-TheHash. Early detection allowed defenders to mitigate potential data exfiltration.

Pioneer Kitten, an Iran-based adversary active since 2017, targets North American and Israeli entities of intelligence interest, including technology, government, defense, and healthcare sectors. The group relies on exploiting vulnerabilities in VPNs and network appliances (e.g., CVE-2019-11510, CVE-2019-19781, CVE-2020-5902) for initial access, and uses open-source tools like Ngrok and SSHMinion for SSH tunneling and RDP for hands-on activity. Recently, PIONEER KITTEN was seen selling access to compromised networks on underground forums, indicating an attempt to diversify revenue streams.

OilRig targeted a telecommunications organization in the Middle East using a variant of their RDAT tool, featuring a novel email-based command and control (C2) channel that employs steganography. This method hides commands and data within bitmap images attached to emails, making detection difficult. The attack involved custom Mimikatz tools for credential dumping, Bitvise for SSH tunneling, and PowerShell downloaders. RDAT has been under development since 2017, evolving to include DNS tunneling and Exchange Web Services (EWS) for C2 communications. The use of steganographic images in emails represents a sophisticated evasion technique.

IBM X-Force IRIS uncovered extensive details on ITG18 through operational errors. Over 40 GB of data and videos revealed ITG18’s targeting of U.S. Navy and Hellenic Navy personnel, U.S. presidential campaigns, pharmaceutical companies, and Iranian-American figures. The group employed credential harvesting, phishing, and email compromise, often using Zimbra to manage compromised accounts. ITG18's operations align with Iranian strategic interests, leveraging personal accounts to gather sensitive data on military operations and geopolitical targets. Multifactor authentication posed challenges, causing operators to pivot to new targets.

APT34 has launched a new campaign targeting United States-based research services company Westat, and its customers, employing a modified toolset. The attack was discovered in late January 2020 and initiated with a spear-phishing operation using a disguised employee satisfaction survey file, survey.xls. Once the victim enabled macros, malicious VBA code executed, extracting and installing a more advanced and stealthy variant of the TONEDEAF malware, TONEDEAF 2.0. The attackers also possibly used a VALUEVAULT implant for browser credential theft. The effort demonstrates APT34's substantial investment in upgrading its toolset to evade future detection.

IBM's X-Force team has detailed a new destructive malware, ZeroCleare, targeting the energy sector in the Middle East. The wiper, similar to Shamoon, overwrites data and maliciously uses legitimate tools. Attribution points to Iranian state-sponsored groups, possibly a collaboration between ITG13 and another entity. The report highlights the increase in destructive attacks, particularly in the energy sector, and offers mitigation strategies, including the use of threat intelligence, robust security controls and effective backup systems. Finally, it notes the wider geopolitical implications of such attacks.

Iranian APT groups, notably APT34 and APT33, have exploited the CVE-2017-11774 vulnerability in Microsoft Outlook, using it for espionage and destructive attacks. This exploit involves modifying Outlook's homepage settings via the registry to achieve persistence and remote code execution, bypassing Microsoft's patch. The attacks have targeted sectors globally, leveraging custom phishing documents and Azure-hosted payloads to bypass security measures and maintain control over compromised systems.

Iranian APT33 has been detected running a phishing campaign that employs fake job scams to lure victims. The campaign aims for credential theft, information theft, and unauthorized remote access. While the targeted sectors and countries are not specified, the indicators of compromise involve domain names like "www[.]global-careers[.]org" and filenames such as "JobDescription.zip" and "JobDescription.vbe".

This NSFOCUS report details an analysis of a leaked toolkit belonging to the APT34 hacking group, also known for its similarities to OilRig. The report focuses on the toolkit's components, including Trojans such as Glimpse and PoisonFrog, and Webshells used for privilege escalation and data exfiltration, primarily targeting the energy and financial sectors, particularly in China and the Middle East. The analysis details the functionality and communication methods of the tools, which use DNS tunneling for command and control.

TA407 (Silent Librarian) has consistently targeted universities, particularly in the US, Europe, and North America, in credential phishing campaigns. Using tailored phishing pages mimicking university login portals, the group compromises accounts to steal academic data, intellectual property, and user credentials. Between 2013 and 2017, TA407 caused over $3.4 billion in intellectual property losses, affecting thousands of university accounts worldwide. The group exploits Freenom domains and various URL shorteners, including university-based services, to distribute phishing links and expand their reach within academia.

Tortoiseshell deployed a fake website targeting U.S. military veterans seeking jobs. The site tricked users into downloading a malicious app that served as a malware downloader, deploying spying tools and other malware. The fake website had users download a fake installer, which downloaded two binaries: a reconnaissance tool and a Remote Administrative Tool (RAT). The reconnaissance tool collected extensive information about the victim's machine, while the RAT allowed further remote control.

The Tortoiseshell group has targeted IT providers in Saudi Arabia since at least July 2018, focusing on supply chain attacks to compromise the IT providers' customers. The group deployed both custom and off-the-shelf malware, infecting an unusually large number of computers in targeted attacks. The custom malware, Backdoor.Syskit allowed for downloading and executing additional tools and commands. The attackers used various information-gathering tools, achieving domain admin-level access on at least two organizations, and it is suspected they compromised a web server to deploy malware onto the network.

COBALT DICKENS, linked to Iran's Mabna Institute, continues to launch large-scale phishing campaigns targeting universities around the world. In July and August 2019, the group launched a global operation that compromised more than 60 universities in the US, UK, Australia, Canada, Hong Kong and Switzerland. Using spoofed login pages for library resources, they stole login credentials through phishing emails. The attackers registered domains using free TLDs and used legitimate SSL certificates to make their phishing infrastructure more convincing. Despite multiple takedowns and indictments, COBALT DICKENS remains active, targeting over 380 universities in more than 30 countries and using free tools and public services to maintain its operations.

Hexane (LYCEUM), a threat actor primarily targeting the Middle East’s oil, gas, and telecommunications sectors, has expanded its attack methods. Using spear-phishing emails with malicious Excel macros, the group delivers DanBot, a RAT capable of DNS and HTTP-based command and control, file transfer, and command execution. Additional tools include a PowerShell-based keylogger, credential decryption scripts, and LDAP data-extraction tools targeting Active Directory accounts. They employ social engineering, password spraying, and DNS tunneling to maintain access, frequently rotating C2 infrastructure. The group’s activity indicates continued cyber threats within these critical sectors.

The article provides a detailed analysis of a sophisticated PowerShell malware linked to APT33, a notable cyber threat group. It examines a specific file associated with this malware, highlighting its capabilities and behaviors. The malware includes a variety of functions such as privilege escalation, data encryption and decryption, file uploading and downloading, and a mechanism for capturing screenshots. It also features a complex command structure for interacting with a control server, and implements persistence methods through WMI event filters and registry modifications. The analysis contributes to the broader understanding of APT33's tactics and tools.

Mandiant detected a phishing campaign by APT34, an Iranian-nexus threat actor, in late June 2019. The actor, posing as a member of Cambridge University, delivered malicious documents via LinkedIn and introduced three new malware families. The primary industries targeted by this campaign were Energy and Utilities, Government, and Oil and Gas. APT34 is notably active in the Middle East, employing a blend of public and non-public tools to carry out its cyber espionage activities.

The Iranian APT group MuddyWater has expanded its tactics, targeting government, telecommunications and military sectors in countries such as Tajikistan, Pakistan and Iraq. New campaigns include decoy documents exploiting CVE-2017-0199 and malicious VBA macros, with second-stage payloads downloaded from compromised servers. Primary targets have impersonated entities in the region surrounding Iran, including Iraqi and Pakistani organisations. The group also uses RATs for process detection, using obfuscation techniques such as Base64 encoding and JavaScript layers. Compromised servers in Pakistan and China facilitated these operations, demonstrating MuddyWater's sophisticated arsenal and focus on espionage.

APT34 primarily targets Middle Eastern countries and international organizations across finance, government, energy, chemical engineering, and telecommunications sectors. Disclosed by Lab Dookhtegan, APT34 employs various attack methods, including SQL injection, brute-force cracking, and 0-day exploits. The group frequently uses web shells injected into compromised systems to maintain control. Top attacked countries include the United Arab Emirates, China, Jordan, and Saudi Arabia. The compromised enterprises predominantly belong to government (36%), finance (17%), service provider (12%), and media (7%) sectors. APT34's attacks typically begin with exploiting web vulnerabilities to gain initial access.

Since at least 2014, APT34, has targeted financial, government, energy, chemical, telecommunications, and other industries in the Middle East. Their Glimpse project uses a file-based command and control structure, including a VBS launcher and a PowerShell payload, with covert channels over DNS. Tools leaked on a Telegram channel were linked to OilRig, confirming their use in multiple intrusions across the Middle East and Asia. The attacks include sophisticated PowerShell scripts for command execution and data exfiltration.