
An analysis of the latest arsenal of Iran’s APT34

Recently, our team captured a sample from the Iranian APT group APT34 (also known as OilRig) targeting Lebanon, using a variant we call the SideTwist backdoor.

Since the leak of APT34’s tools by a group called “Lab Dookhtegan” in 2019, the group has been actively redeveloping and updating its payload library in an attempt to evade detection, producing several different malware variants. The goal remains the same: to gain persistence on the target device.

Since the DNSpionage campaign in 2018, APT34 has been observed targeting individuals with decoy job-offer documents used as phishing lures, delivered directly to selected targets through LinkedIn messages. This activity continued into 2019 with the HardPass campaign, where the LinkedIn platform was used in the same way.

In the latest activity, in January, a document was submitted to VirusTotal from Lebanon (a common target of APT34), and it too posed as a job offer. In this case, we cannot confirm when the target was first attacked.

In this article, we analyze the latest infection chain used by the attackers and take a closer look at the new malware variant.

A malicious macro creates a DNS tunnel

Our analysis started with a malicious Microsoft Word document named Job-Details.doc (md5: 6615c410b8d7411ed14946635947325e).


The decoy document looks like a normal document and offers various positions at Ntiva IT Consulting (a company based in Virginia, USA).

However, once the user activates the embedded malicious macro, the complete infection process will be triggered:


SideTwist variant

The payload at this stage is a variant we had not seen in previous APT34 attack samples, but its functionality is simple and resembles that of other C-based backdoors used by the group: DNSpionage, TONEDEAF and TONEDEAF 2.0.

The backdoor’s functions include downloading files, uploading files and executing shell commands.

Persistence in this infection chain is established entirely by the malicious macro code in the first stage; the second-stage payload has no persistence mechanism of its own.

Once the first-stage loader has run and registered the scheduled task, the SystemFailureReporter task executes the second-stage payload every 5 minutes:


The backdoor depends heavily on this persistence mechanism: each time it starts, it executes only a single command supplied by the C&C server and then exits immediately, until the scheduled task starts it again.
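The scheduled-task persistence described above is the most visible host artifact in this chain. As an added detection example (not code from the original report), the following script inspects an exported Task Scheduler XML definition and flags the traits seen here: the SystemFailureReporter task name, a short repetition interval, and a payload launched from a user-writable path. The task XML is constructed for the example, and the 10-minute threshold and path heuristics are assumptions.

```python
"""Flag backdoor-style persistence in exported Windows Task Scheduler XML."""
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Task name reported for the SideTwist chain; the interval threshold is an assumption.
KNOWN_BAD_NAMES = {"systemfailurereporter"}
MAX_SUSPICIOUS_INTERVAL_SEC = 600

def iso_duration_seconds(value):
    """Convert a Task Scheduler duration such as 'PT5M' to seconds (None if malformed)."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", value)
    if not m:
        return None
    d, h, mi, s = (int(x) if x else 0 for x in m.groups())
    return d * 86400 + h * 3600 + mi * 60 + s

def analyze_task(name, xml_text):
    """Return the reasons a task definition looks like scheduled-task persistence."""
    root = ET.fromstring(xml_text)
    reasons = []
    if name.lower() in KNOWN_BAD_NAMES:
        reasons.append(f"task name {name!r} matches the APT34 persistence task")
    for interval in root.iterfind(".//t:Repetition/t:Interval", NS):
        secs = iso_duration_seconds(interval.text or "")
        if secs is not None and secs <= MAX_SUSPICIOUS_INTERVAL_SEC:
            reasons.append(f"repeats every {secs}s")
    for cmd in root.iterfind(".//t:Exec/t:Command", NS):
        path = (cmd.text or "").lower()
        # Payloads dropped by a macro typically live in user-writable locations.
        if "%appdata%" in path or "\\appdata\\" in path or "\\temp\\" in path:
            reasons.append(f"runs from user-writable path {cmd.text}")
    return reasons

# Constructed sample export mirroring the article's 5-minute task (not the real sample).
SAMPLE_TASK_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <TimeTrigger>
      <Repetition><Interval>PT5M</Interval><StopAtDurationEnd>false</StopAtDurationEnd></Repetition>
      <StartBoundary>2021-01-01T00:00:00</StartBoundary>
      <Enabled>true</Enabled>
    </TimeTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec><Command>%APPDATA%\\payload\\update.exe</Command></Exec>
  </Actions>
</Task>"""

if __name__ == "__main__":
    for reason in analyze_task("SystemFailureReporter", SAMPLE_TASK_XML):
        print("ALERT:", reason)
```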

The backdoor first collects basic information about the victim’s computer and then derives a 4-byte victim identifier from the user name, computer name and domain name of the target environment. This identifier is used in all subsequent C&C communications.


IOCs
