Threats Feed
- Public
PIONEER KITTEN: Exploiting VPN Vulnerabilities to Target Sensitive Sectors
PIONEER KITTEN, an Iran-based adversary active since 2017, targets North American and Israeli entities of intelligence interest, including the technology, government, defense, and healthcare sectors. The group relies on exploiting vulnerabilities in VPN and network appliances (e.g., CVE-2019-11510 in Pulse Secure, CVE-2019-19781 in Citrix ADC/Gateway, CVE-2020-5902 in F5 BIG-IP) for initial access, then uses open-source tools such as Ngrok and SSHMinion for SSH tunneling, with RDP for hands-on activity. PIONEER KITTEN has recently been observed selling access to compromised networks on underground forums, suggesting an attempt to diversify its revenue streams.
OilRig's Steganography-Based C2 Channel Targets Middle Eastern Telecoms
OilRig targeted a telecommunications organization in the Middle East with a variant of its RDAT tool that adds a novel email-based command-and-control (C2) channel using steganography: commands and data are hidden inside bitmap images attached to emails, which makes the traffic hard to spot. The intrusion also involved customized Mimikatz builds for credential dumping, Bitvise for SSH tunneling, and PowerShell downloaders. RDAT has been under development since 2017 and has evolved to include DNS tunneling and Exchange Web Services (EWS) for C2 communications; the steganographic images in email represent a sophisticated evasion technique.
Iranian Threat Group ITG18 Exposed: Targeting US Military and Political Campaigns
IBM X-Force IRIS uncovered extensive details on ITG18 through the group's own operational errors: roughly 40 GB of data and videos revealed ITG18's targeting of U.S. Navy and Hellenic Navy personnel, U.S. presidential campaigns, pharmaceutical companies, and Iranian-American figures. The group employed credential harvesting, phishing, and email compromise, often using a Zimbra account to aggregate and manage compromised mailboxes. ITG18's operations align with Iranian strategic interests, leveraging personal accounts to gather sensitive data on military operations and geopolitical targets. Multifactor authentication on some accounts thwarted the operators, who then pivoted to new targets.
RogueRobin DNS Tunneling: A Look at DarkHydrus' Cyber Espionage Tactics
The RogueRobin malware, developed by the DarkHydrus group, uses DNS tunneling for covert communications in attacks on government and educational institutions. The malware appears in two variants, a PowerShell script and a .NET executable, both of which carry out command-and-control operations via encoded DNS queries. The series explores the differences in their operation, emphasizing persistence methods and anti-analysis tactics. RogueRobin's technical nuances, including its use of multiple DNS record types for the tunnel, highlight its role in sophisticated cyber espionage campaigns.
APT34 Strikes Again: Advanced and Stealthy TONEDEAF 2.0 Targets US Research Services
APT34 launched a new campaign targeting Westat, a United States-based research services company, and its customers, using a modified toolset. The attack, discovered in late January 2020, began with a spear-phishing operation using a file disguised as an employee satisfaction survey, survey.xls. Once the victim enabled macros, malicious VBA code extracted and installed TONEDEAF 2.0, a more advanced and stealthy variant of the TONEDEAF malware. The attackers also possibly deployed a VALUEVAULT implant for browser credential theft. The effort demonstrates APT34's substantial investment in upgrading its toolset to evade detection.
ZeroCleare Wiper Targets Middle Eastern Energy Sector in Destructive Cyberattack
IBM's X-Force team has detailed ZeroCleare, a new destructive wiper targeting the energy sector in the Middle East. Like Shamoon, it overwrites data and abuses a legitimate tool, the EldoS RawDisk driver, to obtain raw disk access. Attribution points to Iranian state-sponsored groups, possibly a collaboration between ITG13 and another entity. The report highlights the increase in destructive attacks, particularly against the energy sector, and offers mitigation strategies, including the use of threat intelligence, robust security controls, and effective backup systems. Finally, it notes the wider geopolitical implications of such attacks.
Persistent Exploits in Microsoft Outlook: Iranian Hackers Bypass Security Patches
Iranian APT groups, notably APT34 and APT33, have exploited CVE-2017-11774 in Microsoft Outlook for espionage and destructive attacks. The technique sets a malicious Outlook folder home page through the registry so that attacker-hosted script runs whenever the folder is opened, giving persistence and code execution; because Microsoft's patch removes the home page option from the user interface rather than the registry mechanism, an attacker with access can still set the value on a patched host. The attacks have targeted sectors globally, leveraging custom phishing documents and Azure-hosted payloads to evade security controls and maintain control over compromised systems.
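A host-side check for the persistence technique described above, written for this feed as an added example (it is not code from FireEye, Microsoft or the page): it parses a `.reg` export of the Office hive and flags any Outlook folder with a home page URL configured under the WebView key, plus the EnableRoamingFolderHomepages value that re-enables roaming home pages after the patch. The registry paths are the documented ones for this technique; the export text, the URL and the IP address are constructed for the example.

```python
import re

# Constructed .reg export for this example, as produced on a Windows host by
#   reg export "HKCU\Software\Microsoft\Office" office.reg /y
# The home page URL and IP address are made up.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Preferences]
"ReadingPanePosition"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\WebView\Inbox]
"URL"="http://203.0.113.10/home.html"
"Flags"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\WebView\Calendar]
"URL"=""

[HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Security]
"EnableRoamingFolderHomepages"=dword:00000001
"""

# Per-folder home page: HKCU\Software\Microsoft\Office\<ver>\Outlook\WebView\<Folder>\URL
WEBVIEW_KEY = re.compile(
    r"^HKEY_(?:CURRENT_USER|USERS\\[^\\]+)\\Software\\Microsoft\\Office\\"
    r"(?P<version>\d+\.\d+)\\Outlook\\WebView\\(?P<folder>[^\\]+)$", re.IGNORECASE)
# Value that re-enables roaming folder home pages, which the CVE-2017-11774 update disabled
SECURITY_KEY = re.compile(
    r"^HKEY_(?:CURRENT_USER|USERS\\[^\\]+)\\Software\\Microsoft\\Office\\"
    r"\d+\.\d+\\Outlook\\Security$", re.IGNORECASE)


def parse_reg(text):
    """Parse a .reg export into {key_path: {value_name: raw_data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("Windows Registry Editor", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        name, _, data = line.partition("=")
        keys[current]["@" if name == "@" else name.strip('"')] = data
    return keys


def reg_string(data):
    """Return the text of a REG_SZ entry ("..."); None for other value types."""
    if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
        return data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    return None


def audit_outlook_homepages(text):
    """Flag folder home pages set in the registry and the re-enabling Security value."""
    findings = []
    for key, values in parse_reg(text).items():
        m = WEBVIEW_KEY.match(key)
        if m:
            url = reg_string(values.get("URL", ""))
            if url:  # any non-empty URL is loaded by Outlook when the folder is opened
                findings.append({"type": "folder_homepage", "folder": m.group("folder"),
                                 "version": m.group("version"), "url": url, "key": key})
        elif SECURITY_KEY.match(key) and \
                values.get("EnableRoamingFolderHomepages", "").lower() == "dword:00000001":
            findings.append({"type": "roaming_homepages_enabled", "key": key})
    return findings


if __name__ == "__main__":
    for f in audit_outlook_homepages(SAMPLE_REG):
        print(f)
```

Run it against exports collected from hosts under investigation; a legitimate deployment almost never sets a folder home page, so every `folder_homepage` hit deserves triage, and the URL's host is an immediate network indicator.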
Credential and Information Theft: APT33's Job Scam Campaign
Iranian group APT33 has been detected running a phishing campaign that uses fake job offers as lures, aiming at credential theft, information theft, and unauthorized remote access. The targeted sectors and countries are not specified; published indicators of compromise include the domain "www[.]global-careers[.]org" and the filenames "JobDescription.zip" and "JobDescription.vbe".
Leaked Toolkit Exposes APT34’s Sophisticated Cyberattacks
This NSFOCUS report analyzes a leaked toolkit belonging to APT34 (also tracked as OilRig). It covers the toolkit's components, including the Glimpse and PoisonFrog Trojans and webshells used for privilege escalation and data exfiltration, primarily against the energy and financial sectors, particularly in China and the Middle East. The analysis details the functionality and communication methods of the tools, which use DNS tunneling for command and control.
TA407’s Phishing Campaigns Continue Targeting Universities Globally
TA407 (Silent Librarian) has consistently targeted universities, particularly in North America and Europe, with credential phishing campaigns. Using tailored phishing pages that mimic university login portals, the group compromises accounts to steal academic data, intellectual property, and user credentials. Between 2013 and 2017, TA407's intrusions caused over $3.4 billion in intellectual property losses and affected thousands of university accounts worldwide. The group uses Freenom domains and various URL shorteners, including university-run shortener services, to distribute phishing links and extend its reach within academia.
Tortoiseshell Targets U.S. Military Veterans with Malicious Job Seeking Website
Tortoiseshell deployed a fake job-seeking website aimed at U.S. military veterans. The site tricked visitors into downloading a fake installer that acted as a malware downloader, retrieving two binaries: a reconnaissance tool that collected extensive information about the victim's machine, and a remote access trojan (RAT) that gave the attackers further remote control.
Tortoiseshell Group Targets IT Providers in Saudi Arabia: Supply Chain Attacks Uncovered
The Tortoiseshell group has targeted IT providers in Saudi Arabia since at least July 2018, using them as a supply chain to reach the providers' customers. The group deployed both custom and off-the-shelf malware, infecting an unusually large number of computers for a targeted operation. Its custom malware, Backdoor.Syskit, downloads and executes additional tools and commands. The attackers used various information-gathering tools, achieved domain admin-level access in at least two organizations, and in one case are suspected to have compromised a web server to deploy the malware onto the network.
COBALT DICKENS Targets Global Universities in Persistent Phishing Campaign
COBALT DICKENS, linked to Iran's Mabna Institute, continues to launch large-scale phishing campaigns against universities around the world. In July and August 2019 a global operation compromised accounts at more than 60 universities in the US, UK, Australia, Canada, Hong Kong, and Switzerland. Phishing emails led to spoofed login pages for library resources, which harvested credentials. The attackers registered domains under free TLDs and obtained valid TLS certificates to make the phishing infrastructure more convincing. Despite multiple takedowns and indictments, COBALT DICKENS remains active, having targeted over 380 universities in more than 30 countries while relying on free tools and public services to sustain its operations.
Inside Hexane: Sophisticated Cyber Tools and Tactics Targeting Critical Industries
Hexane (LYCEUM), a threat actor primarily targeting oil, gas, and telecommunications organizations in the Middle East, has expanded its attack methods. Using spear-phishing emails with malicious Excel macros, the group delivers DanBot, a RAT with DNS- and HTTP-based command and control, file transfer, and command execution. Supporting tools include a PowerShell keylogger, scripts that decrypt stored credentials, and LDAP queries that extract Active Directory account data. The group gains and maintains access through social engineering and password spraying, tunnels traffic over DNS, and frequently rotates its C2 infrastructure. Its activity indicates a continuing threat within these critical sectors.
APT33 Elevates C2 Capabilities with New PowerShell Malware
The article provides a detailed analysis of a PowerShell malware sample linked to APT33, a notable cyber threat group, examining a specific file and its capabilities and behaviors. The malware implements privilege escalation, data encryption and decryption, file upload and download, and screenshot capture. It also features a complex command structure for interacting with its control server, and gains persistence through WMI event subscriptions and registry modifications. The analysis contributes to the broader understanding of APT33's tactics and tools.
APT34's Phishing Strategy With New Malware Families Targeting Key Sectors
Mandiant detected a phishing campaign by APT34, an Iranian-nexus threat actor, in late June 2019. The actor, posing as a member of Cambridge University, delivered malicious documents via LinkedIn and introduced three new malware families (TONEDEAF, VALUEVAULT, and LONGWATCH). The primary industries targeted were Energy and Utilities, Government, and Oil and Gas. APT34 is notably active in the Middle East, employing a blend of public and non-public tools to carry out its cyber espionage activities.
MuddyWater’s Advanced Tactics Exploit CVE-2017-0199 in Global Campaigns
The Iranian APT group MuddyWater has expanded its tactics, targeting government, telecommunications, and military organizations in countries such as Tajikistan, Pakistan, and Iraq. New campaigns use decoy documents that exploit CVE-2017-0199 or carry malicious VBA macros, with second-stage payloads downloaded from compromised servers. The decoys impersonate organizations in the region surrounding Iran, including Iraqi and Pakistani entities. The group's RATs include process-detection functionality and rely on obfuscation such as Base64 encoding and layered JavaScript. Compromised servers in Pakistan and China hosted the payloads, demonstrating MuddyWater's sophisticated arsenal and focus on espionage.
Cyber Espionage Unveiled: APT34's Targeted Attacks on Government and Finance Systems
APT34 primarily targets Middle Eastern countries and international organizations across the finance, government, energy, chemical engineering, and telecommunications sectors. According to data disclosed by Lab Dookhtegan, APT34 employs various attack methods, including SQL injection, brute-force password cracking, and zero-day exploits, and frequently plants web shells on compromised systems to maintain control. The most attacked countries include the United Arab Emirates, China, Jordan, and Saudi Arabia. The compromised enterprises predominantly belong to the government (36%), finance (17%), service provider (12%), and media (7%) sectors. APT34's intrusions typically begin with the exploitation of web application vulnerabilities to gain initial access.
APT34's Glimpse Project: Sophisticated Cyber Espionage in the Middle East
Since at least 2014, APT34 has targeted the financial, government, energy, chemical, telecommunications, and other industries in the Middle East. Its Glimpse project uses a file-based command-and-control structure, comprising a VBS launcher and a PowerShell payload, with a covert channel over DNS. Tools leaked on a Telegram channel were linked to OilRig, confirming their use in multiple intrusions across the Middle East and Asia. The attacks include sophisticated PowerShell scripts for command execution and data exfiltration.
OilRig's Global Cyber Offensive: Credential Theft and Persistent Access
The OilRig group has actively targeted sectors including government, media, energy, and technology across 27 countries, stealing nearly 13,000 credentials, deploying over 100 webshells, and maintaining backdoor access to compromised hosts. Techniques include credential dumping with Mimikatz, DNS hijacking, and PowerShell-based tools such as Glimpse and Poison Frog; initial access comes through SQL injection and exploitation of public-facing applications, with webshells providing persistent access. These TTPs underline the group's persistent threat to diverse industry verticals.
APT34’s Webmask Project: DNS Hijacking and Targeted Cyber Attacks
APT34 has used DNS tunneling for command and control since May 2016. The leaked source code, revealed via a Telegram channel, includes projects such as webmask, which focuses on DNS hijacking and traffic redirection. The attacks target technology firms, telecom companies, and gaming companies across the Middle East and Asia, with a particular focus on the UAE. The webmask setup uses Node.js and Python DNS servers, an ICAP proxy server to intercept and modify connections, and HAProxy for high availability.
APT34 Leak Exposes Espionage Tools and Tactics of Iranian Cyber Actors
The APT34/OilRig group, linked to Iranian intelligence, had its operational details leaked by the "Lab Dookhtegan" persona on Telegram. The leaks revealed C2 infrastructure, PowerShell-based agents, ASP web shells ("HighShell" and "HyperShell"), and a DNS-based espionage toolset ("dnspionage"). These tools provide file transfer, credential theft, and covert communication via proxies and DNS manipulation. The attackers also collected sensitive data, including domain admin credentials, indicating footholds in high-value networks. While specific sectors or countries are not detailed, the tools suggest a focus on espionage and disruption. Other tools, such as "MinionProject" and "FoxPanel222", remain under analysis.
Analyzing OilRig's Use of DNS Tunneling in Cyber Espionage Campaigns
The report highlights OilRig's use of tools such as Helminth, ISMAgent, ALMACommunicator, BONDUPDATER, and QUADAGENT, which communicate stealthily with C2 servers through DNS queries. This covert channel is favored because outbound DNS is typically permitted through security devices. The group has evolved its DNS tunneling protocols over time, using customized subdomains and encoding schemes to transmit data and evade detection.
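The DNS tunneling described for RogueRobin, Glimpse and the OilRig tools above leaves a measurable footprint in resolver logs: queries to one domain carry long, high-entropy, never-repeated subdomains and lean on record types such as TXT to pull data down. The scorer below is an added example written for this feed (not code from Unit 42 or the page); it runs over a constructed resolver log with an assumed "timestamp client qtype qname" format and flags domains that trip two or more indicators. The thresholds are starting points, not tuned values.

```python
import math
from collections import defaultdict

# Constructed resolver log: "<timestamp> <client> <qtype> <qname>". The beacon-test.net
# queries imitate a tunnelling agent: every query carries a fresh hex-encoded subdomain
# and asks for a TXT record; example.com and cdn-host.org are ordinary lookups.
SAMPLE_LOG = """\
2019-10-01T08:00:01Z 10.1.2.3 A www.example.com
2019-10-01T08:00:02Z 10.1.2.3 A mail.example.com
2019-10-01T08:00:03Z 10.1.2.3 TXT 7a4f3c9e1b0d8e2f0a1c.3b5d7f9a1c.beacon-test.net
2019-10-01T08:00:04Z 10.1.2.3 A www.example.com
2019-10-01T08:00:05Z 10.1.2.3 TXT 9c1d2e3f4a5b6c7d8e9f.0a1b2c3d4e.beacon-test.net
2019-10-01T08:00:06Z 10.1.2.3 A cdn.example.com
2019-10-01T08:00:07Z 10.1.2.3 TXT 2e4a6c8e0b2d4f6a8c0e.1f3d5b7a9c.beacon-test.net
2019-10-01T08:00:08Z 10.1.2.3 TXT 5d7f9b1d3f5a7c9e1b3d.8e0c2a4f6b.beacon-test.net
2019-10-01T08:00:09Z 10.1.2.3 A www.example.com
2019-10-01T08:00:10Z 10.1.2.3 TXT c1e3a5d7f9b1c3e5a7d9.4b6d8f0a2c.beacon-test.net
2019-10-01T08:00:11Z 10.1.2.3 A mail.example.com
2019-10-01T08:00:12Z 10.1.2.3 TXT 6f8a0c2e4b6d8f0a2c4e.9d1f3b5d7f.beacon-test.net
2019-10-01T08:00:13Z 10.1.2.3 TXT b3d5f7a9c1e3b5d7f9a1.2c4e6a8c0e.beacon-test.net
2019-10-01T08:00:14Z 10.1.2.3 TXT e7a9c1f3b5d7e9a1c3f5.6d8b0f2d4a.beacon-test.net
2019-10-01T08:00:15Z 10.1.2.3 A static.cdn-host.org
2019-10-01T08:00:16Z 10.1.2.3 A static.cdn-host.org
"""


def shannon_entropy(s):
    """Bits per character of s (0.0 for empty input; hex text tops out at 4.0)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname):
    """Return (registered_domain, subdomain). Assumption for this example: the registered
    domain is the last two labels; production code should use a public suffix list so
    that names under co.uk, com.au and similar suffixes are grouped correctly."""
    labels = qname.split(".")
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def parse_log(text):
    """Yield (qtype, qname); names are lower-cased with any trailing dot removed."""
    for line in text.splitlines():
        if line.strip():
            _ts, _client, qtype, qname = line.split()
            yield qtype.upper(), qname.lower().rstrip(".")


def analyze(text, min_queries=5):
    """Score each registered domain seen at least min_queries times."""
    stats = defaultdict(lambda: {"n": 0, "subs": set(), "chars": 0, "txt": 0, "blob": []})
    for qtype, qname in parse_log(text):
        domain, sub = split_name(qname)
        payload = sub.replace(".", "")   # label separators carry no data
        s = stats[domain]
        s["n"] += 1
        s["subs"].add(sub)
        s["chars"] += len(payload)
        s["txt"] += qtype == "TXT"
        s["blob"].append(payload)
    results = {}
    for domain, s in stats.items():
        n = s["n"]
        if n < min_queries:              # too few queries to judge
            continue
        m = {"queries": n,
             "unique_ratio": len(s["subs"]) / n,
             "avg_sub_len": s["chars"] / n,
             "entropy": shannon_entropy("".join(s["blob"])),
             "txt_ratio": s["txt"] / n}
        m["indicators"] = sum([
            m["unique_ratio"] >= 0.8,    # nearly every query uses a never-seen subdomain
            m["avg_sub_len"] >= 16,      # labels long enough to be encoded data
            m["entropy"] >= 3.2,         # near-random characters, not hostnames
            m["txt_ratio"] >= 0.5,       # TXT-heavy: a download channel, not resolution
        ])
        m["suspicious"] = m["indicators"] >= 2
        results[domain] = m
    return results


def suspicious_domains(text, min_queries=5):
    return sorted(d for d, m in analyze(text, min_queries).items() if m["suspicious"])


if __name__ == "__main__":
    for domain, m in analyze(SAMPLE_LOG).items():
        print(f"{domain:18} n={m['queries']:3} unique={m['unique_ratio']:.2f} "
              f"len={m['avg_sub_len']:5.1f} H={m['entropy']:.2f} "
              f"txt={m['txt_ratio']:.2f} {'SUSPICIOUS' if m['suspicious'] else 'ok'}")
```

Baseline the metrics on a week of your own resolver logs before alerting: CDNs and some anti-virus update services also emit long, unique subdomains, so the two-indicator rule and the thresholds are where the tuning happens.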
MuddyWater APT Targets Kurdish Political Groups and Turkish Defense Sector
The Iranian APT group MuddyWater targeted Kurdish political groups and Turkish defense sector organizations with emails carrying malicious Word documents. The documents contained embedded macros that used PowerShell to execute commands and modify registry values for persistence; the macro also used obfuscation techniques, hiding encoded data within image files and a document. The attackers tested their documents against various anti-virus engines, uploading files from Germany and Iraq. This campaign marks an evolution in MuddyWater's methods, with the malware now extracted locally from the document rather than fetched from a C2 server.