APT34 Strikes Again: Advanced and Stealthy TONEDEAF 2.0 Targets US Research Services
- Actor Motivations: Espionage, Exfiltration
- Attack Vectors: Malicious Macro, Malware, Spear Phishing
- Attack Complexity: Medium
- Threat Risk: Low Impact/High Probability
Threat Overview
APT34 has launched a new campaign targeting the United States-based research services company Westat and its customers, employing a modified toolset. The attack was discovered in late January 2020 and began with a spear-phishing operation using a file disguised as an employee satisfaction survey, survey.xls. Once the victim enabled macros, malicious VBA code executed, extracting and installing a more advanced and stealthy variant of the TONEDEAF malware, TONEDEAF 2.0. The attackers may also have used a VALUEVAULT implant for browser credential theft. The effort demonstrates APT34's substantial investment in upgrading its toolset to evade future detection.
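The chain above (lure workbook opened in Excel, macro spawning a child process, then a lookup of the campaign's C2 domain) lends itself to a simple host-level correlation. The following detection sketch is an added example written for this page, not code from the report or from any vendor; the event field names are assumptions modelled on Sysmon-style process and DNS telemetry, and the sample events are constructed.

```python
"""Correlate Office-spawned child processes with C2 DNS lookups on the same host."""
from datetime import datetime, timedelta

C2_DOMAINS = {"manygoodnews.com"}   # domain IOC from the report (de-fanged on the page)
LURE_NAMES = {"survey.xls"}         # lure file name from the report
OFFICE_PARENTS = {"excel.exe", "winword.exe"}
WINDOW = timedelta(minutes=10)      # assumed correlation window

def parse_ts(s):
    return datetime.fromisoformat(s)

def office_spawns(events):
    """(host, time, detail) for an Office parent, holding the lure document, spawning a child."""
    hits = []
    for e in events:
        if e["type"] != "process_create":
            continue
        parent = e["parent_image"].rsplit("\\", 1)[-1].lower()
        cmd = e["parent_cmdline"].lower()
        if parent in OFFICE_PARENTS and any(n in cmd for n in LURE_NAMES):
            hits.append((e["host"], parse_ts(e["ts"]), f"{parent} -> {e['image']}"))
    return hits

def c2_lookups(events):
    """(host, time, query) for DNS queries matching the C2 domain set."""
    hits = []
    for e in events:
        if e["type"] == "dns_query" and e["query"].lower().rstrip(".") in C2_DOMAINS:
            hits.append((e["host"], parse_ts(e["ts"]), e["query"]))
    return hits

def correlate(events):
    """Alert when a host shows an Office-spawned child followed within WINDOW by a C2 lookup."""
    alerts = []
    for host, t1, spawn in office_spawns(events):
        for h2, t2, q in c2_lookups(events):
            if h2 == host and timedelta(0) <= t2 - t1 <= WINDOW:
                alerts.append({"host": host, "spawn": spawn, "dns": q,
                               "delta_s": int((t2 - t1).total_seconds())})
    return alerts

# Constructed sample telemetry (hosts, paths and times are invented for the demo)
SAMPLE = [
    {"type": "process_create", "host": "WS01", "ts": "2020-01-28T09:02:10",
     "parent_image": "C:\\Program Files\\Microsoft Office\\EXCEL.EXE",
     "parent_cmdline": "EXCEL.EXE C:\\Users\\u\\Downloads\\survey.xls",
     "image": "C:\\Users\\u\\AppData\\Roaming\\svc.exe"},
    {"type": "dns_query", "host": "WS01", "ts": "2020-01-28T09:03:41", "query": "manygoodnews.com"},
    {"type": "process_create", "host": "WS02", "ts": "2020-01-28T10:00:00",
     "parent_image": "C:\\Windows\\explorer.exe", "parent_cmdline": "explorer.exe",
     "image": "C:\\Windows\\notepad.exe"},
    {"type": "dns_query", "host": "WS02", "ts": "2020-01-28T10:00:05", "query": "example.org"},
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE):
        print(alert)
```

Only WS01 fires: Excel holding survey.xls spawned a child and the host resolved the C2 domain 91 seconds later; WS02 matches neither condition.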
Detected Targets
Type | Description | Confidence
---|---|---
Case | Westat. According to uncovered phishing documents, the adversary targeted Westat employees or United States companies that used Westat services. Westat is an employee-owned professional services corporation located in Rockville, Maryland, USA. It provides research services to agencies of the U.S. Government, as well as businesses, foundations, and state and local governments. Westat is the primary target of this APT34 campaign. | Verified
Sector | Government Agencies and Services | High
Sector | Researchers. The attack targets the research services sector, specifically federal agencies, businesses, foundations, and state and local governments that use Westat's services. | Verified
Region | United States. The report mentions that the targets are Westat employees or United States organizations hiring Westat services. | Verified
Extracted IOCs
6 related IOCs (0 IP, 1 domain, 0 URL, 0 email, 5 file hashes) have been associated with this threat.
FAQs
Understanding the New Iranian Cyber Campaign Targeting US Organizations
A new cyberattack campaign has been uncovered where hackers used fake employee surveys to trick individuals into installing malware. The attackers disguised the malicious files using the name and logo of Westat, a US-based research services company.
The campaign has been linked to APT34, an Iranian government-backed hacking group known for espionage activities targeting government entities and critical industries worldwide.
The attackers likely aimed to steal sensitive information, including system access and browser-stored passwords, from individuals working for or connected to Westat. This suggests an effort to gather intelligence or gain access to broader US government networks.
The primary targets appear to be Westat employees and possibly their clients, which may include US federal agencies and contractors participating in surveys or research services provided by Westat.
Victims received malicious Excel files posing as employee satisfaction surveys. If they enabled macros in the document, malware was installed on their computers, which could then receive commands from the attackers and steal stored passwords.
Westat works with various US government agencies and contractors, making it an attractive target for espionage. By compromising such organizations, attackers could gain access to sensitive research data and government-related information.
Organizations should block suspicious email attachments, train staff to recognize phishing attempts, monitor for unusual network activity, and enforce strong password policies with multifactor authentication.
This campaign appears to be a targeted operation, focusing specifically on Westat and its related networks rather than random or widespread attacks against the general public.