Threats Feed | APT34 | Last Updated: 24/01/2025 | Author: Certfa Radar | Publish Date: 20/12/2023

Menorah Malware: APT34’s Espionage Tool in Middle East Campaigns

  • Actor Motivations: Espionage, Exfiltration
  • Attack Vectors: Malware
  • Attack Complexity: High
  • Threat Risk: High Impact/High Probability

Threat Overview

The Menorah malware, used by the APT34 threat group to target organisations in the Middle East, creates a mutex to ensure single-instance operation. The malware exfiltrates data and executes commands from a hardcoded command and control (C2) server. These commands include creating processes, listing files, downloading files and exfiltrating arbitrary data. The analysis provides technical details, including SHA256 hashes, mutex identifiers and the address of the C2 server, to aid detection and response efforts.

Detected Targets

Type    | Description            | Confidence
--------|------------------------|-----------
Region  | Middle East Countries  | Verified

Extracted IOCs

  • tecforsc-001-site1.gtempurl[.]com
  • 64156f9ca51951a9bf91b5b74073d31c16873ca60492c25895c1f0f074787345
  • hxxp://tecforsc-001-site1.gtempurl[.]com/ads.asp

Tip: 3 related IOCs (0 IP, 1 domain, 1 URL, 0 email, 1 file hash) to this threat have been found.

Overlaps

APT34 | APT34's Menorah Malware: A Look at the New Cyber Threat Targeting Saudi Arabia

Source: Trend Micro - September 2023

Detection (three cases): hxxp://tecforsc-001-site1.gtempurl[.]com/ads.asp, 64156f9ca51951a9bf91b5b74073d31c16873ca60492c25895c1f0f074787345, tecforsc-001-site1.gtempurl[.]com

OilRig | OilRig's Dual Campaigns Against Israeli Organizations: A Deep Dive

Source: ESET - September 2023

Detection (one case): tecforsc-001-site1.gtempurl[.]com

Hint: Overlaps are extracted automatically by examining the IOCs associated with all indexed threats and actors.