Threats Feed | APT34 | Last Updated: 24/01/2025 | Author: Certfa Radar | Publish Date: 09/11/2019

Leaked Toolkit Exposes APT34’s Sophisticated Cyberattacks

  • Actor Motivations: Espionage, Exfiltration
  • Attack Vectors: Compromised Credentials, Vulnerability Exploitation, Backdoor, Malware, RAT
  • Attack Complexity: High
  • Threat Risk: High Impact/High Probability

Threat Overview

This NSFOCUS report details an analysis of a leaked toolkit belonging to the APT34 hacking group, also known for its similarities to OilRig. The report focuses on the toolkit's components: Trojans such as Glimpse and PoisonFrog, and web shells used for privilege escalation and data exfiltration. The tooling primarily targets the energy and financial sectors, particularly in China and the Middle East. The analysis details the functionality and communication methods of the tools, which use DNS tunneling for command and control.

Detected Targets

Type | Description | Confidence
Case | China Energy Conservation and Environmental Protection Group: China Energy Conservation and Environmental Protection Group Corporation, formerly known as China Energy Conservation Investment Corporation, is a Beijing-based state-owned enterprise established in 1988 by the State Council of the People's Republic of China. China Energy Conservation and Environmental Protection Group has been targeted by APT34 as the main target. | Verified
Case | China Railway Construction Corporation: China Railway Construction Corporation Limited (abbreviated CRCC) is a listed construction enterprise based in Beijing, China, that was the second largest construction and engineering company in the world by revenue in 2014. China Railway Construction Corporation has been targeted by APT34 as the main target. | Verified
Case | Western Securities Co., Ltd: Western Securities Co., Ltd., which was founded and approved by the China Securities Regulatory Commission in January 2001, is a leading securities institution in northwest China with registered capital of 1 billion RMB. Western Securities Co., Ltd has been targeted by APT34 as the main target. | Verified
Sector | Financial | Verified
Sector | Government Agencies and Services | Verified
Sector | Energy | Verified
Sector | Telecommunication | Verified
Sector | Transportation | Verified
Region | Albania | Verified
Region | Bahrain | Verified
Region | Cambodia | Verified
Region | China | Verified
Region | Egypt | Verified
Region | Israel | Verified
Region | Jordan | Verified
Region | Kuwait | Verified
Region | Lebanon | Verified
Region | Macau | Verified
Region | Mexico | Verified
Region | Myanmar | Verified
Region | Nigeria | Verified
Region | Palestine | Verified
Region | Qatar | Verified
Region | Saudi Arabia | Verified
Region | Somalia | Verified
Region | South Korea | Verified
Region | Taiwan | Verified
Region | Thailand | Verified
Region | Turkey | Verified
Region | United Arab Emirates | Verified
Region | Zimbabwe | Verified
Region | Middle East Countries | Verified

Exploited Vulnerabilities

Extracted IOCs

  • myleftheart[.]com
  • 07e791d18ea8f2f7ede2962522626b43f28cb242873a7bd55fff4feb91299741
  • 27e03b98ae0f6f2650f378e9292384f1350f95ee4f3ac009e0113a8d9e2e14ed
  • 2943e69e6c34232dee3236ced38d41d378784a317eeaf6b90482014210fcd459
  • 3ca3a957c526eaeabcf17b0b2cd345c0fffab549adfdf04470b6983b87f7ec62
  • a6a0fbfee08367046d3d26fb4b4cf7779f7fb6eaf7e60e1d9b6bf31c5be5b63e
  • b1d621091740e62c84fc8c62bcdad07873c8b61b83faba36097ef150fd6ec768
  • c9d5dc956841e000bfd8762e2f0b48b66c79b79500e894b4efa7fb9ba17e4e9e
  • dd6d7af00ef4ca89a319a230cdd094275c3a1d365807fe5b34133324bdaa0229
  • fe1b011fe089969d960d2dce2a61020725a02e15dbc812ee6b6ecc6a98875392

Tip: 10 related IOCs (0 IP, 1 domain, 0 URL, 0 email, 9 file hash) to this threat have been found.

Overlaps

[OilRig] Unraveling PoisonFrog: DNS Tunneling Tactics of OilRig Explored

Source: IronNet - September 2019

Detection (one case): myleftheart[.]com

[APT34] Cyber-Espionage in the Middle East: A Deep Dive into APT34's Operations

Source: Cyware - August 2019

Detection (nine cases): 07e791d18ea8f2f7ede2962522626b43f28cb242873a7bd55fff4feb91299741, 27e03b98ae0f6f2650f378e9292384f1350f95ee4f3ac009e0113a8d9e2e14ed, 2943e69e6c34232dee3236ced38d41d378784a317eeaf6b90482014210fcd459, 3ca3a957c526eaeabcf17b0b2cd345c0fffab549adfdf04470b6983b87f7ec62, a6a0fbfee08367046d3d26fb4b4cf7779f7fb6eaf7e60e1d9b6bf31c5be5b63e, b1d621091740e62c84fc8c62bcdad07873c8b61b83faba36097ef150fd6ec768, c9d5dc956841e000bfd8762e2f0b48b66c79b79500e894b4efa7fb9ba17e4e9e, dd6d7af00ef4ca89a319a230cdd094275c3a1d365807fe5b34133324bdaa0229, fe1b011fe089969d960d2dce2a61020725a02e15dbc812ee6b6ecc6a98875392

[OilRig] OilRig's Global Cyber Offensive: Credential Theft and Persistent Access

Source: Palo Alto Networks - April 2019

Detection (seven cases): 27e03b98ae0f6f2650f378e9292384f1350f95ee4f3ac009e0113a8d9e2e14ed, 3ca3a957c526eaeabcf17b0b2cd345c0fffab549adfdf04470b6983b87f7ec62, a6a0fbfee08367046d3d26fb4b4cf7779f7fb6eaf7e60e1d9b6bf31c5be5b63e, c9d5dc956841e000bfd8762e2f0b48b66c79b79500e894b4efa7fb9ba17e4e9e, dd6d7af00ef4ca89a319a230cdd094275c3a1d365807fe5b34133324bdaa0229, fe1b011fe089969d960d2dce2a61020725a02e15dbc812ee6b6ecc6a98875392, myleftheart[.]com

[APT34] APT34 Leak Exposes Espionage Tools and Tactics of Iranian Cyber Actors

Source: APT34 / OILRIG Leak, Quick Analysis - April 2019

Detection (10 cases): 07e791d18ea8f2f7ede2962522626b43f28cb242873a7bd55fff4feb91299741, 27e03b98ae0f6f2650f378e9292384f1350f95ee4f3ac009e0113a8d9e2e14ed, 2943e69e6c34232dee3236ced38d41d378784a317eeaf6b90482014210fcd459, 3ca3a957c526eaeabcf17b0b2cd345c0fffab549adfdf04470b6983b87f7ec62, a6a0fbfee08367046d3d26fb4b4cf7779f7fb6eaf7e60e1d9b6bf31c5be5b63e, b1d621091740e62c84fc8c62bcdad07873c8b61b83faba36097ef150fd6ec768, c9d5dc956841e000bfd8762e2f0b48b66c79b79500e894b4efa7fb9ba17e4e9e, dd6d7af00ef4ca89a319a230cdd094275c3a1d365807fe5b34133324bdaa0229, fe1b011fe089969d960d2dce2a61020725a02e15dbc812ee6b6ecc6a98875392, myleftheart[.]com

Hint: Overlaps are extracted automatically by examining the IOCs associated with all indexed threats and actors.