In a new cyberespionage campaign against a Lebanese target, a known Iranian threat actor deploys a new backdoor capable of exfiltrating data from compromised systems, downloading/uploading arbitrary files, and more.
Cybersecurity firm Check Point believes the operation can be attributed to APT34 due to similarities in the techniques used by the threat actor and the pattern of victimology compared with previously analyzed attacks.
APT34, aka OilRig, is an Iranian threat group operating primarily in the Middle East and targeting the financial, government, energy, chemical, and telecom industries. It is known for its reconnaissance campaigns. Its operations often align with the strategic interests of Iran.
The group typically uses booby-trapped job offer documents delivered via LinkedIn messages. However, the method of delivery in the latest campaign remains unclear as of now.
The Word document involved in the current campaign was uploaded to VirusTotal on January 10. It lures victims with information on different positions at a U.S.-based consulting firm named Ntiva IT. The victim triggers the infection chain upon activating the embedded malicious macros. Ultimately, the victim’s machine gets infected with a SideTwist backdoor.
The backdoor then proceeds to gather basic information about the compromised machine. The malware also establishes connections with a remote server that attackers can use to send commands to perform actions like downloading files from the server, uploading arbitrary files, and executing shell commands.
Check Point noted that the Iranian APT34 group shows no signs of slowing down and has been actively updating its arsenal after the 2019 leak of its hacking tools:
“Since the 2019 leak of APT34’s tools by an entity named “Lab Dookhtegan”, the threat group has been actively retooling and updating their payload arsenal… Iran backed APT34 shows no sign of slowing down, further pushing its political agenda in the middle-east, with an ongoing focus on Lebanon — using offensive cyber operations,” the researchers said.