Threat analysts have uncovered a previously unknown attack by Iran's APT34 group, also known as Oilrig, which used custom-crafted tooling in an attempt to compromise the computer of a Jordanian diplomat.
Several characteristics of the attack, including its advanced anti-detection and anti-analysis techniques, point to lengthy and careful preparation.
Earlier this year Fortinet researchers compiled evidence and artifacts from APT34's May 2022 attack to document the latest methods and techniques the group is using.
The techniques observed in this attack are what tie the campaign to APT34.
The campaign profile, in brief:
- Affected Platforms: Microsoft Windows
- Impacted Users: Targeted Windows users
- Impact: Collects sensitive information from the compromised machine
- Severity Level: Medium
Threat actors targeted diplomats
The spear-phishing email was sent to the diplomat from a spoofed address impersonating a colleague in the Jordanian government.
The email carried a malicious Excel attachment whose macro, once executed, dropped three files:
- A malicious executable
- A configuration file
- A signed and clean DLL
The macro also creates a scheduled task that runs every four hours, giving the malicious executable (update.exe) persistence.
The malicious executable is a .NET binary that performs state checks and then sleeps for eight hours after launching.
The attackers likely chose this delay anticipating that the diplomat would open the email in the morning and that, eight hours later, the workday would be over and the machine left unattended.
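A hunt for the persistence mechanism described above, as an added example that is not part of the original article or of Fortinet's research. It assumes task definitions have been exported as Task Scheduler XML (for instance with `schtasks /Query /TN <name> /XML`) and flags any task that both repeats on a short interval and launches an executable from a user-writable directory; the two task definitions, the task names, the path of update.exe and the six-hour threshold are constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

# Namespace of the Windows Task Scheduler 2.0 XML schema.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Directories a low-privileged user can write to. An executable launched from one
# of these by a repeating task is the drop-and-persist pattern used by the macro.
USER_WRITABLE = re.compile(
    r"(\\AppData\\|\\Temp\\|\\ProgramData\\|\\Users\\Public\\|\\Downloads\\)",
    re.IGNORECASE,
)

# Constructed sample: a task repeating every four hours (PT4H) that runs update.exe
# from the user's Temp directory, and a benign daily backup task for contrast.
SUSPICIOUS_TASK = r"""
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <TimeTrigger>
      <Repetition><Interval>PT4H</Interval></Repetition>
      <StartBoundary>2022-05-01T09:00:00</StartBoundary>
      <Enabled>true</Enabled>
    </TimeTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec><Command>C:\Users\jdoe\AppData\Local\Temp\update.exe</Command></Exec>
  </Actions>
</Task>
"""

BENIGN_TASK = r"""
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <CalendarTrigger>
      <StartBoundary>2022-05-01T23:00:00</StartBoundary>
      <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
    </CalendarTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec><Command>C:\Program Files\Vendor\backup.exe</Command></Exec>
  </Actions>
</Task>
"""

SAMPLE_TASKS = {"UpdateCheck": SUSPICIOUS_TASK, "NightlyBackup": BENIGN_TASK}


def parse_iso_duration(value):
    """Convert an ISO 8601 duration such as 'PT4H' or 'P1DT30M' to seconds."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", value)
    if not m:
        raise ValueError(f"unsupported duration: {value}")
    days, hours, minutes, seconds = (int(x) if x else 0 for x in m.groups())
    return ((days * 24 + hours) * 60 + minutes) * 60 + seconds


def analyze_task(xml_text, max_interval_hours=6):
    """Return the list of findings for one task definition (empty if clean)."""
    root = ET.fromstring(xml_text.strip())
    findings = []
    for cmd in root.findall(".//t:Actions/t:Exec/t:Command", NS):
        path = (cmd.text or "").strip()
        if USER_WRITABLE.search(path):
            findings.append(f"executes from user-writable path: {path}")
    for interval in root.findall(".//t:Repetition/t:Interval", NS):
        secs = parse_iso_duration(interval.text.strip())
        if secs <= max_interval_hours * 3600:
            findings.append(f"repeats every {secs // 3600}h{(secs % 3600) // 60:02d}m")
    return findings


def scan_tasks(tasks):
    """Map task name -> findings for every task that produced at least one."""
    results = {}
    for name, xml_text in tasks.items():
        findings = analyze_task(xml_text)
        if findings:
            results[name] = findings
    return results


if __name__ == "__main__":
    for name, findings in scan_tasks(SAMPLE_TASKS).items():
        print(name)
        for f in findings:
            print("  -", f)
```

Either finding alone is common on a workstation (software updaters repeat, installers run from Temp); it is the combination, plus a task created from an Office process, that is worth an alert.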
Once active, the malware uses a domain generation algorithm (DGA) to derive the C2 subdomains it contacts. DGAs are widely used because they make C2 infrastructure more resistant to takedowns and domain blocking.
The malware then talks to its C2 over a DNS tunnel: data is carried in the DNS queries it issues, and the C2 answers through the IP addresses returned in the responses.
This lets the threat actors hide the exchanged data inside what looks like ordinary name resolution, making the activity hard for network monitors to spot. It does not make the traffic invisible, however: a host issuing a steady stream of queries for long, high-entropy subdomains of a single domain stands out in DNS logs.
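A detection for the DGA-plus-DNS-tunnel pattern described above, written as an added example that is not part of the original article or of Fortinet's research. It profiles a DNS query log per registered domain and flags domains that receive many distinct, long, high-entropy subdomains; the log format (timestamp, client, query name, query type), the domain update-cdn.test, the hostnames and the thresholds are all constructed for the example.

```python
import math
import re
from collections import defaultdict

# Constructed sample of a DNS query log. The tunnel domain, its random-looking
# subdomains and the benign hosts are made up for this example.
SAMPLE_LOG = """\
2022-05-10T09:00:01 10.0.0.5 www.example.com A
2022-05-10T09:00:03 10.0.0.5 mail.example.com A
2022-05-10T09:05:10 10.0.0.5 wiki.intranet.test A
2022-05-10T09:06:41 10.0.0.5 git.intranet.test A
2022-05-10T09:07:02 10.0.0.5 hr.intranet.test A
2022-05-10T09:08:19 10.0.0.5 mail.intranet.test A
2022-05-10T09:09:55 10.0.0.5 vpn.intranet.test A
2022-05-10T17:02:11 10.0.0.5 a9kq2.dtc0f8h3.update-cdn.test A
2022-05-10T17:02:12 10.0.0.5 b2zxw.q7p1m4e9.update-cdn.test A
2022-05-10T17:02:13 10.0.0.5 c5rn8.j1v6y0s3.update-cdn.test A
2022-05-10T17:02:14 10.0.0.5 d7ue1.x4g9l2k0.update-cdn.test A
2022-05-10T17:02:15 10.0.0.5 e3mh6.w8b2n5t1.update-cdn.test A
2022-05-10T17:02:16 10.0.0.5 f1pz4.r6c9v3q0.update-cdn.test A
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def split_name(qname, depth=2):
    """Split a query name into (registered domain, subdomain part).

    depth=2 treats the last two labels as the registered domain; a real
    deployment would use the public suffix list instead.
    """
    parts = qname.rstrip(".").lower().split(".")
    return ".".join(parts[-depth:]), ".".join(parts[:-depth])


def shannon_entropy(text):
    """Bits of entropy per character of the string (0.0 for empty/uniform)."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def profile_domains(log_text):
    """Aggregate per registered domain: query count, unique subdomains,
    per-query subdomain entropy and length."""
    stats = defaultdict(lambda: {"queries": 0, "subs": set(), "entropy": [], "length": []})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the scan
        _ts, _client, qname, _qtype = m.groups()
        domain, sub = split_name(qname)
        st = stats[domain]
        st["queries"] += 1
        if sub:
            st["subs"].add(sub)
            st["entropy"].append(shannon_entropy(sub.replace(".", "")))
            st["length"].append(len(sub))
    return stats


def flag_tunnels(stats, min_unique=5, min_entropy=3.0, min_length=12, min_ratio=0.8):
    """Flag domains whose subdomains look machine-generated: enough distinct
    names to judge, almost every query a new name, long and high-entropy."""
    flagged = {}
    for domain, st in stats.items():
        uniq = len(st["subs"])
        if uniq < min_unique:
            continue  # too few samples to call it either way
        avg_entropy = sum(st["entropy"]) / len(st["entropy"])
        avg_length = sum(st["length"]) / len(st["length"])
        ratio = uniq / st["queries"]
        if avg_entropy >= min_entropy and avg_length >= min_length and ratio >= min_ratio:
            flagged[domain] = {
                "unique_subdomains": uniq,
                "avg_entropy": round(avg_entropy, 2),
                "avg_length": round(avg_length, 1),
            }
    return flagged


if __name__ == "__main__":
    for domain, info in flag_tunnels(profile_domains(SAMPLE_LOG)).items():
        print(f"possible DNS tunnel / DGA: {domain} {info}")
```

The intranet domain shows why the length gate matters: it has five distinct subdomains and a new name on every query, but the names are short, low-entropy service labels. Thresholds should be tuned against a baseline of your own resolver logs, since CDN and telemetry domains also produce many unique subdomains.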
The C2 domains in this campaign were chosen to look as if they belong to well-known, trusted companies such as:
APT34 has previously been linked to the government of the Islamic Republic of Iran. It is a capable actor that operates quietly and leaves few traces for investigators to follow.