Iranian Hackers Exposed in a Highly Targeted Espionage Campaign
Threat analysts have spotted a novel attack attributed to the Iranian hacking group known as APT34 group or Oilrig, who targeted a Jordanian diplomat with custom-crafted tools.
The attack involved advanced anti-detection and anti-analysis techniques and had some characteristics that indicate lengthy and careful preparation.
Security researchers at Fortinet have gathered evidence and artifacts from the attack in May 2022 and compiled a technical report to highlight APT34’s latest techniques and methods.
The spear-phishing email seen by Fortinet targeted a Jordanian diplomat, pretending to be from a colleague in the government, with the email address spoofed accordingly.
The email carried a malicious Excel attachment that contained VBA macro code that executes to create three files, a malicious executable, a configuration file, and a signed and clean DLL.
The macro also creates persistence for the malicious executable (update.exe) by adding a scheduled task that repeats every four hours.
“Since Excel is a signed binary, maintaining persistence in this way may be missed by some behavioral detection engines,” comment Fortinet’s analysts.
Another unusual finding concerns two anti-analysis mechanisms implemented in the macro: the toggling of sheet visibility in the spreadsheet and the other a check for the existence of a mouse, which may not be present on malware analysis sandbox services.
The malicious executable is a .NET binary that checks program states and puts itself to sleep for eight hours after launching. The analysts believe the hackers probably set this delay on the assumption that the diplomat would open the email in the morning and leave after eight hours so that the computer would be unattended.
When active, the malware communicates with C2 subdomains using a domain generation algorithm (DGA) tool. DGA is a widely-used technique that makes malware operations more resilient to domain takedowns and block-listing.
It then sets up a DNS tunnel to communicate with the provided IP address. This is a rarely seen technique that helps threat actors encrypt the data exchanged in the context of this communication, making it hard for network monitors to catch anything suspicious.
Some of the domains used in the campaign are suspiciously named, obviously attempting to masquerade as well-known and trusted entities like AstraZeneca, HSBC, and Cisco.
Next, the C2 sends twenty-two different backdoor commands to the malware, which are executed through PowerShell or the Windows CMD interpreter.
Finally, the exfiltration of stolen data is done via DNS, with the data embedded into the request, making it appear standard in network logs.
As such, Fortinet’s report is valuable for researchers and defenders alike, who should take note of the published indicators of compromise.