Iran’s latest weapon arsenal analysis of APT34

Recently, our team captured a sample of the Iranian APT Group APT34 (also known as OilRig) against Lebanon, using a variant file we called the SideTwist backdoor.

Since the leak of the APT34 tool by a group called “Lab Dookhtegan” in 2019, the APT34 group has been actively redeveloping and updating its payload library to try to avoid detection, thus creating several different malware variants. The goal remains the same: to obtain persistence capabilities on the target device.

Since the DNSpionage event in 2018, APT34 has been observed to target individuals through the use of decoy and phishing Offer documents, which are directly delivered to selected targets through LinkedIn messages. This activity was operated through HardPass until 2019, where the LinkedIn platform was used in the same way.

In the latest activity in January, Lebanon (a common target of APT34) submitted a document to VirusTotal, which also described the Offer document. In this case, we cannot confirm the initial attack time of the target.

In the following article, we analyzed the latest infection chain used by attackers and delved into new malware variants.

A malicious macro creates a DNS tunnel

Our analysis started with a malicious Microsoft Word document named Job-Details.doc (md5: 6615c410b8d7411ed14946635947325e).


The decoy document looks like a normal document and offers various positions at Ntiva IT Consulting (a company based in Virginia, USA).

However, once the user activates the embedded malicious macro, the complete infection process will be triggered:


SideTwist variant

The at this stage is a variant that we have never seen in the previous APT34 attack samples, but the functions provided are simple and similar to other C-based backdoors used by the team: DNSpionage and TONEDEAF and TONEDEAF2.0 .

The functions of the include downloading, uploading and executing Shell commands.

The persistence of the infection chain is actually caused by the execution of the malicious macro code in the first stage, and the payload in the second stage does not have any persistence mechanism of its own.

After the first stage load is executed, when the scheduled task is registered, the SystemFailureReporter scheduled task will execute the second stage load every 5 minutes:


The is very dependent on this persistence mechanism, because every time the backdoor is started, it will only execute a single command provided from the C&C server and close it immediately until it is started again by the scheduled task.

The backdoor first collects basic information about the victim’s computer, and then calculates a 4-byte victim identifier based on the user name, computer name, and domain name of the target environment. This identifier will be used in subsequent C&C communications.