Threats Feed
Persistent Exploits in Microsoft Outlook: Iranian Hackers Bypass Security Patches
Iranian APT groups, notably APT33 and APT34, have exploited CVE-2017-11774 in Microsoft Outlook for both espionage and destructive attacks. The technique writes an attacker-controlled folder home page URL into Outlook's registry settings, so Outlook loads and executes remote content each time it starts, giving persistence and code execution; the actors defeated Microsoft's fix by re-enabling the home page feature through the same registry. The attacks targeted sectors worldwide, using custom phishing documents and Azure-hosted payloads to evade security controls and keep control of compromised systems.
Credential and Information Theft: APT33's Job Scam Campaign
Iranian APT33 has been detected running a phishing campaign that employs fake job scams to lure victims. The campaign aims for credential theft, information theft, and unauthorized remote access. While the targeted sectors and countries are not specified, the indicators of compromise involve domain names like "www[.]global-careers[.]org" and filenames such as "JobDescription.zip" and "JobDescription.vbe".
Leaked Toolkit Exposes APT34’s Sophisticated Cyberattacks
This NSFOCUS report analyses a leaked toolkit belonging to APT34, the group also tracked as OilRig. It covers the toolkit's components, including the Glimpse and PoisonFrog Trojans and the webshells used for remote access, privilege escalation and data exfiltration, and the group's targeting of the energy and financial sectors, chiefly in China and the Middle East. The analysis details each tool's functionality and communication methods; the implants use DNS tunneling for command and control.
TA407’s Phishing Campaigns Continue Targeting Universities Globally
TA407 (Silent Librarian) has consistently targeted universities, particularly in North America and Europe, with credential phishing campaigns. Using tailored phishing pages that mimic university login portals, the group takes over accounts to steal academic data, intellectual property and user credentials. Between 2013 and 2017 its intrusions caused over $3.4 billion in intellectual property losses and affected thousands of university accounts worldwide. The group registers free Freenom domains and abuses URL shorteners, including services run by universities themselves, to distribute phishing links and extend its reach within academia.
Tortoiseshell Targets U.S. Military Veterans with Malicious Job Seeking Website
Tortoiseshell deployed a fake job-seeking website aimed at U.S. military veterans. Visitors were prompted to download a desktop app that was in fact a malware downloader: the fake installer fetched two binaries, a reconnaissance tool that collected extensive information about the victim's machine and a remote access tool (RAT) that gave the attackers ongoing control.
Tortoiseshell Group Targets IT Providers in Saudi Arabia: Supply Chain Attacks Uncovered
The Tortoiseshell group has targeted IT providers in Saudi Arabia since at least July 2018, using them as a supply chain route into the providers' customers. The group deployed both custom and off-the-shelf malware and infected an unusually large number of computers for a targeted operation. Its custom backdoor, Backdoor.Syskit, downloads and executes additional tools and commands. Using various information-gathering tools the attackers reached domain admin-level access in at least two organizations, and in one case they are suspected of having compromised a web server to push malware onto the network.
COBALT DICKENS Targets Global Universities in Persistent Phishing Campaign
COBALT DICKENS, linked to Iran's Mabna Institute, continues to launch large-scale phishing campaigns targeting universities around the world. In July and August 2019, the group launched a global operation that compromised more than 60 universities in the US, UK, Australia, Canada, Hong Kong and Switzerland. Using spoofed login pages for library resources, they stole login credentials through phishing emails. The attackers registered domains using free TLDs and used legitimate SSL certificates to make their phishing infrastructure more convincing. Despite multiple takedowns and indictments, COBALT DICKENS remains active, targeting over 380 universities in more than 30 countries and using free tools and public services to maintain its operations.
Inside Hexane: Sophisticated Cyber Tools and Tactics Targeting Critical Industries
Hexane (LYCEUM), a threat actor primarily targeting the Middle East’s oil, gas, and telecommunications sectors, has expanded its attack methods. Using spear-phishing emails with malicious Excel macros, the group delivers DanBot, a RAT capable of DNS and HTTP-based command and control, file transfer, and command execution. Additional tools include a PowerShell-based keylogger, credential decryption scripts, and LDAP data-extraction tools targeting Active Directory accounts. They employ social engineering, password spraying, and DNS tunneling to maintain access, frequently rotating C2 infrastructure. The group’s activity indicates continued cyber threats within these critical sectors.
APT33 Elevates C2 Capabilities with New PowerShell Malware
The article analyses a PowerShell backdoor attributed to APT33, working from a single file associated with the malware. The backdoor can escalate privileges, encrypt and decrypt data, upload and download files, and capture screenshots. It uses a structured command set to interact with its control server, and persists through WMI event filters and registry modifications. The analysis adds to the broader understanding of APT33's tooling and tactics.
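A hunt for the two persistence mechanisms described in the Outlook (CVE-2017-11774) item and the APT33 PowerShell backdoor item above, written here as an added example rather than code from either report. It assumes Sysmon telemetry already parsed into dicts keyed by Sysmon's field names (EventID 13 registry value set; 19, 20 and 21 for WMI filter, consumer and binding creation). The Outlook registry paths are the publicly documented home page and roaming-home-page policy values; the hosts, SIDs, URLs and command lines are constructed for the demo.

```python
"""Hunt rules for two Windows persistence techniques from this feed: the Outlook
folder home page registry hijack (CVE-2017-11774 abuse) and WMI event
subscriptions. Added example; input is constructed Sysmon-style events
(EventID 13 registry value set, 19/20/21 WMI filter/consumer/binding) as dicts
whose keys follow Sysmon's field names. All values below are invented."""
import re
from dataclasses import dataclass

# Outlook home page values for any Office version and any folder (WebView\Inbox,
# WebView\Calendar, ...), plus the policy value whose DWORD 1 re-enables roaming
# folder home pages after the CVE-2017-11774 fix disabled them.
OUTLOOK_HOMEPAGE_RE = re.compile(
    r"\\Software\\(?:Policies\\)?Microsoft\\Office\\\d{1,2}\.0\\Outlook\\"
    r"(?:WebView\\[^\\]+\\URL|Today\\UserDefinedUrl"
    r"|Security\\EnableRoamingFolderHomepages)$",
    re.IGNORECASE,
)
# Consumer payloads that almost always mean scripted persistence, not admin tooling.
SUSPICIOUS_CONSUMER_RE = re.compile(
    r"powershell|pwsh|cmd\.exe|wscript|cscript|mshta|rundll32|regsvr32|\.vbs\b|\.ps1\b",
    re.IGNORECASE,
)


@dataclass
class Alert:
    rule: str
    host: str
    detail: str


def check_registry_event(ev):
    """EventID 13: return an Alert for writes to Outlook home page values."""
    if ev.get("EventID") != 13:
        return None
    target = ev.get("TargetObject", "")
    if not OUTLOOK_HOMEPAGE_RE.search(target):
        return None
    details = ev.get("Details", "")
    if target.lower().endswith("enableroamingfolderhomepages"):
        # Only DWORD 1 matters: it switches the patched-out feature back on.
        if "0x00000001" not in details:
            return None
        return Alert("outlook_homepage_policy_reenabled", ev["Computer"],
                     f"{target} = {details} by {ev.get('Image', '?')}")
    # Any home page URL write is worth triage: nothing legitimate sets these
    # on a patched client, and the writer is usually reg.exe or PowerShell.
    return Alert("outlook_homepage_url_set", ev["Computer"],
                 f"{target} -> {details} by {ev.get('Image', '?')}")


def _wmi_name(obj_path):
    """Sysmon records bindings as object paths such as __EventFilter.Name="x"."""
    m = re.search(r'Name="([^"]+)"', obj_path)
    return m.group(1) if m else obj_path


def check_wmi_events(events):
    """Correlate EventID 19/20/21 into filter -> consumer chains and flag
    consumers that launch a script host or command interpreter."""
    filters = {e["Name"]: e for e in events if e.get("EventID") == 19}
    consumers = {e["Name"]: e for e in events if e.get("EventID") == 20}
    alerts = []
    for e in events:
        if e.get("EventID") != 21:
            continue
        f_name = _wmi_name(e.get("Filter", ""))
        c_name = _wmi_name(e.get("Consumer", ""))
        dest = consumers.get(c_name, {}).get("Destination", "")
        if SUSPICIOUS_CONSUMER_RE.search(dest):
            query = filters.get(f_name, {}).get("Query", "?")
            alerts.append(Alert("wmi_subscription_persistence", e["Computer"],
                                f'filter "{f_name}" [{query}] -> consumer "{c_name}" runs: {dest}'))
    return alerts


def run_rules(events):
    alerts = [a for a in map(check_registry_event, events) if a]
    alerts.extend(check_wmi_events(events))
    return alerts


# Constructed telemetry: one clean Outlook profile write, one home page hijack
# plus policy re-enable on WS01, and a WMI chain firing PowerShell on WS02.
SAMPLE_EVENTS = [
    {"EventID": 13, "Computer": "WS01", "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKU\S-1-5-21-1-2-3-1001\Software\Microsoft\Office\16.0\Outlook\WebView\Inbox\URL",
     "Details": "https://sync-update.example/home.html"},
    {"EventID": 13, "Computer": "WS01", "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKU\S-1-5-21-1-2-3-1001\Software\Policies\Microsoft\Office\16.0\Outlook\Security\EnableRoamingFolderHomepages",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "Computer": "WS01", "Image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "TargetObject": r"HKU\S-1-5-21-1-2-3-1001\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001",
     "Details": "Binary Data"},
    {"EventID": 19, "Computer": "WS02", "Name": "SystemFilter",
     "Query": "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE "
              "TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System' "
              "AND TargetInstance.SystemUpTime >= 240"},
    {"EventID": 20, "Computer": "WS02", "Name": "SystemConsumer", "Type": "Command Line",
     "Destination": "powershell.exe -nop -w hidden -enc aQBlAHgA"},
    {"EventID": 21, "Computer": "WS02",
     "Filter": '__EventFilter.Name="SystemFilter"',
     "Consumer": 'CommandLineEventConsumer.Name="SystemConsumer"'},
]

if __name__ == "__main__":
    for a in run_rules(SAMPLE_EVENTS):
        print(f"[{a.rule}] {a.host}: {a.detail}")
```

The registry rule deliberately fires on any write to the home page values rather than trying to judge the URL, because on a patched client nothing benign sets them; the WMI rule needs all three event types, since a filter or consumer on its own is often left behind by legitimate software and only the binding makes the chain live.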
APT34's Phishing Strategy With New Malware Families Targeting Key Sectors
Mandiant detected a phishing campaign by APT34, an Iranian-nexus threat actor, in late June 2019. The actor, posing as a member of Cambridge University, delivered malicious documents via LinkedIn and introduced three new malware families. The primary industries targeted by this campaign were Energy and Utilities, Government, and Oil and Gas. APT34 is notably active in the Middle East, employing a blend of public and non-public tools to carry out its cyber espionage activities.
MuddyWater’s Advanced Tactics Exploit CVE-2017-0199 in Global Campaigns
The Iranian APT group MuddyWater has expanded its operations, targeting government, telecommunications and military organizations in countries such as Tajikistan, Pakistan and Iraq. New campaigns use decoy documents that exploit CVE-2017-0199 or carry malicious VBA macros, with second-stage payloads fetched from compromised servers. The decoys impersonate entities in the region around Iran, including Iraqi and Pakistani organisations. The payloads include RATs that enumerate running processes, and are obfuscated with Base64 encoding and layers of JavaScript. Compromised servers in Pakistan and China hosted the operation's infrastructure, showing both the breadth of MuddyWater's arsenal and its focus on espionage.
Cyber Espionage Unveiled: APT34's Targeted Attacks on Government and Finance Systems
APT34 primarily targets Middle Eastern countries and international organizations across finance, government, energy, chemical engineering, and telecommunications sectors. Disclosed by Lab Dookhtegan, APT34 employs various attack methods, including SQL injection, brute-force cracking, and 0-day exploits. The group frequently uses web shells injected into compromised systems to maintain control. Top attacked countries include the United Arab Emirates, China, Jordan, and Saudi Arabia. The compromised enterprises predominantly belong to government (36%), finance (17%), service provider (12%), and media (7%) sectors. APT34's attacks typically begin with exploiting web vulnerabilities to gain initial access.
APT34's Glimpse Project: Sophisticated Cyber Espionage in the Middle East
Since at least 2014 APT34 has targeted the financial, government, energy, chemical, telecommunications and other industries in the Middle East. Its Glimpse project uses a file-based command and control structure, consisting of a VBS launcher and a PowerShell payload, with a covert channel over DNS. The tools, leaked on a Telegram channel, were linked to OilRig and confirmed as having been used in multiple intrusions across the Middle East and Asia; the attacks rely on PowerShell scripts for command execution and data exfiltration.
OilRig's Global Cyber Offensive: Credential Theft and Persistent Access
The OilRig group has been actively targeting various sectors, including government, media, energy, and technology across 27 countries. The group has stolen nearly 13,000 credentials, deployed over 100 webshells, and maintained backdoor access to compromised hosts. Techniques include credential dumping with Mimikatz, DNS hijacking, and using PowerShell-based tools like Glimpse and Poison Frog. Their operations involve SQL injections, exploiting public-facing applications, and leveraging webshells for persistent access. The group's sophisticated TTPs underline their persistent threat to diverse industry verticals.
APT34’s Webmask Project: DNS Hijacking and Targeted Cyber Attacks
APT34 has used DNS tunneling for command and control since May 2016. The source code leaked via a Telegram channel includes projects such as Webmask, which focuses on DNS hijacking and redirection attacks. Targets include technology firms, telecom companies and gaming companies across the Middle East and Asia, with a particular focus on the UAE. The setup uses Node.js and Python DNS servers, an ICAP proxy to intercept and modify connections, and HAProxy for high availability.
APT34 Leak Exposes Espionage Tools and Tactics of Iranian Cyber Actors
The APT34/OilRig group, linked to Iranian intelligence, had its operational details leaked by the "Lab Dookhtegan" group on Telegram. The leaks revealed C2 infrastructure, PowerShell-based agents, ASP webshells ("HighShell" and "HyperShell") and a DNS-based espionage toolset ("dnspionage"). These tools handle file transfer, credential theft and covert communication via proxies and DNS manipulation. The collected data included domain admin credentials, indicating access to high-value networks. Specific sectors and countries are not detailed, but the tooling points to espionage and disruption. Other components, such as "MinionProject" and "FoxPanel222", remain under analysis.
Analyzing OilRig's Use of DNS Tunneling in Cyber Espionage Campaigns
The report highlights OilRig’s deployment of tools like Helminth, ISMAgent, ALMACommunicator, BONDUPDATER, and QUADAGENT, which utilize DNS queries to communicate stealthily with C2 servers. This covert communication method is favored due to DNS's typical allowance through security devices. The group has evolved its DNS tunneling protocols over time, using customized subdomains and encoding techniques to transmit data and evade detection effectively.
MuddyWater APT Targets Kurdish Political Groups and Turkish Defense Sector
The Iranian APT group MuddyWater targeted Kurdish political groups and Turkish defense sector organizations with emails carrying malicious Word documents. The documents contained embedded macros that used PowerShell to run commands and modify registry values for persistence. The macros also used obfuscation, hiding data inside image files and a document. The attackers tested their documents against multiple anti-virus engines, uploading samples from Germany and Iraq. The campaign marks an evolution in MuddyWater's methods, with the malware now extracted locally rather than fetched from a C2 server.
DarkHydrus Resurfaces with New Trojan Leveraging Google Drive for C2 Activities
DarkHydrus, an adversary group operating primarily in the Middle East, has resumed activities with new tactics, tools, and procedures (TTPs). Recently analyzed by security researchers, the group has been deploying a new variant of the RogueRobin trojan, which now utilizes Google Drive API for command and control (C2) communications. This shift to using legitimate cloud services for C2 indicates an evolution in their operational tactics. The trojan, delivered through macro-enabled Excel documents, exhibits sophisticated evasion techniques, including environment checks and dynamic DNS to mask its C2 communications. The analysis revealed the use of typosquatting and open-source penetration testing tools, underscoring the group’s persistent and evolving threat landscape.
Seedworm's Persistent Cyber Campaigns: Intelligence Gathering across Multiple Sectors
Seedworm has compromised more than 130 victims across 30 organizations since September 2018. The group targets primarily the Middle East, Europe, and North America, focusing on government agencies, oil and gas companies, NGOs, telecoms, and IT firms. Seedworm uses tools such as Powermud, Powemuddy, and PowerShell scripts and has updated its tactics to avoid detection. The main targeted sectors include telecommunications, IT services, oil and gas, universities, and embassies. The group is known for its speed and agility in obtaining actionable intelligence from targeted organizations.
MuddyWater Expands Cyberattacks with Two-Stage Spear-phishing Campaign Targeting Lebanon and Oman
The MuddyWater threat group has been launching two-stage spear-phishing attacks on targets in Lebanon and Oman. The first stage involves sending macro-embedded documents posing as resumes or official letters. These documents contain obfuscated code hosted on compromised domains. In the second stage, obfuscated source code from these domains is executed to propagate MuddyWater's main PowerShell backdoor, POWERSTATS. This campaign marks a shift from single-stage to two-stage attacks, allowing for stealthier delivery of the payload.
HELIX KITTEN: Expanding Cyber Threat to Telecommunications and Middle Eastern Targets
HELIX KITTEN employs spear-phishing and custom PowerShell implants (Helminth and ISMDoor) against the aerospace, energy, financial, government, hospitality and telecommunications sectors, with a particular focus on the Middle East, specifically Bahrain and Kuwait. The implants use DNS AAAA records for command and control, and can exfiltrate data, capture screenshots and execute arbitrary commands on victims' machines. HELIX KITTEN has also begun targeting the telecommunications industry, possibly for bulk data collection and to reroute communications for future intelligence activities.
MuddyWater Expands Spear-Phishing Operations across Multiple Countries and Sectors
The MuddyWater group has expanded its cyber operations, focusing mainly on government bodies, military entities, telecommunication companies, and educational institutions. The new spear-phishing docs used by MuddyWater rely on social engineering to persuade users to enable macros, thereby initiating malware extraction and execution. The malware is designed for extensive system reconnaissance, and the command-and-control communication structure allows the threat actors to accept or reject victims based on various criteria.
Domestic Kitten: Iranian Surveillance on Citizens Using Malicious Mobile Apps
The Domestic Kitten campaign, an Iranian surveillance operation active since 2016, targets Iranian citizens, including Kurdish and Turkish natives and ISIS supporters, using malicious mobile apps. These apps, disguised as legitimate, collect sensitive information such as contact lists, call records, SMS messages, browser history, geo-location, photos, and surrounding voice recordings. The stolen data is encrypted and exfiltrated to C&C servers, with IP addresses linked to Iranian origins. The operation's infrastructure suggests involvement by Iranian government entities like the IRGC and Ministry of Intelligence.