A new stealthy backdoor known as Saitama has been discovered in a spear-phishing attempt targeting Jordan’s foreign ministry. Researchers at Malwarebytes and Fortinet FortiGuard Labs attributed the attack to the Iranian cyber espionage actor tracked as APT34, citing similarities to the group’s previous campaigns.
“Like many of these attacks, the email contained a malicious attachment,” Fortinet researcher Fred Gutierrez said. “However, the attached threat was not a garden-variety malware. Instead, it had the capabilities and techniques usually associated with advanced persistent threats (APTs).”
APT34, aka OilRig, Helix Kitten, and Cobalt Gypsy, has been active in the Middle East and North Africa (MENA) since at least 2014 and has a history of targeting the telecom, government, defense, oil, and banking sectors with focused phishing attacks. Earlier this February, ESET linked the group to a long-running information gathering operation targeting diplomatic institutions, technological corporations, and medical groups in Israel, Tunisia, and the UAE.
The newly discovered phishing message carries a weaponized Microsoft Excel document. When opened, it prompts the recipient to enable macros, allowing a malicious Visual Basic for Applications (VBA) macro to drop the malware payload (“update.exe”). The macro also creates a scheduled task that runs every four hours so that the implant persists across reboots.
Saitama is a .NET-based backdoor that uses the DNS protocol for command-and-control (C2) communications in order to conceal its traffic, and it executes the tasks it receives from the C2 server using a finite-state machine. In effect, Gutierrez noted, the malware receives its tasks inside DNS responses. This technique, DNS tunneling, encodes data belonging to other programs or protocols inside DNS queries and responses. The results of executed commands, together with any exfiltrated data, are then sent back to the C2 server encoded in DNS queries.
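The DNS-tunneling exchange described above, as an added example that is not from the Malwarebytes or Fortinet reports and not Saitama’s code (the page gives no detail of its wire format): it packs command output into base32 subdomain labels within RFC 1035 length limits, reassembles the data on the server side, decodes a task carried in a TXT answer, and runs a simple length/entropy heuristic over constructed resolver log lines. The zone `example.net`, the `<seq>.<session>` label layout, the log format and the detection thresholds are all assumptions made for this example.

```python
import base64
import math
from collections import Counter

# Added illustration of DNS-tunnelled C2 plus a hunting heuristic. The label
# layout, the zone name, the log format and the thresholds are assumptions;
# this is not Saitama's actual encoding.

MAX_LABEL = 63   # RFC 1035: one label is at most 63 octets
MAX_NAME = 253   # a full name, dots included, is at most 253 characters


def _b32(data: bytes) -> str:
    # DNS names are case-insensitive, so base32 (not base64) survives resolvers
    return base64.b32encode(data).decode("ascii").rstrip("=").lower()


def _unb32(text: str) -> bytes:
    text = text.upper()
    return base64.b32decode(text + "=" * (-len(text) % 8))


def encode_upstream(session: str, data: bytes, zone: str) -> list[str]:
    """Implant side: pack data into query names <seq>.<session>.<data labels>.<zone>.

    The data rides in the question section, so any recursive resolver forwards it
    to the attacker's authoritative server for `zone` without a direct connection.
    """
    payload = _b32(data)
    fixed = len(zone) + len(session) + 3 + 3       # seq (<= 3 chars) plus three dots
    labels_per_query = max(1, (MAX_NAME - fixed) // (MAX_LABEL + 1))
    per_query = labels_per_query * MAX_LABEL
    names = []
    for seq, start in enumerate(range(0, len(payload), per_query)):
        piece = payload[start:start + per_query]
        labels = [piece[i:i + MAX_LABEL] for i in range(0, len(piece), MAX_LABEL)]
        names.append(".".join([str(seq), session, *labels, zone]))
    return names


def decode_upstream(names: list[str], zone: str) -> bytes:
    """Server side: reassemble the payload, tolerating out-of-order arrival."""
    pieces = {}
    for name in names:
        if not name.endswith("." + zone):
            continue
        seq, _session, *chunks = name[:-len(zone) - 1].split(".")
        pieces[int(seq)] = "".join(chunks)
    return _unb32("".join(pieces[k] for k in sorted(pieces)))


def encode_task(task: str) -> str:
    """What the server places in a TXT answer; the implant reads it with decode_task."""
    return _b32(task.encode("utf-8"))


def decode_task(txt: str) -> str:
    return _unb32(txt).decode("utf-8")


def shannon_entropy(s: str) -> float:
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def is_suspicious_query(qname: str, max_sub_len: int = 50, min_entropy: float = 3.0) -> bool:
    """Crude hunting rule: lots of high-entropy data below the registrable domain.

    Assumes a two-label zone (e.g. example.net); a real detector would consult the
    public-suffix list and track per-client query volume over time as well.
    """
    labels = qname.rstrip(".").split(".")
    sub = "".join(labels[:-2])
    return len(sub) > max_sub_len and shannon_entropy(sub) > min_entropy


def hunt(log_lines: list[str]) -> list[str]:
    """Return the qname of every resolver log line that trips the heuristic."""
    flagged = []
    for line in log_lines:
        fields = dict(f.split("=", 1) for f in line.split() if "=" in f)
        if "qname" in fields and is_suspicious_query(fields["qname"]):
            flagged.append(fields["qname"])
    return flagged


# Constructed sample traffic (not real captures): one tunnel session among benign lookups.
ZONE = "example.net"
OUTPUT = b"uid=1000(svc) gid=1000(svc) groups=1000(svc)\nhostname=ws-12\n"
TUNNEL_QUERIES = encode_upstream("a7f3", OUTPUT, ZONE)
SAMPLE_LOG = [
    "2022-05-10T09:14:02Z client=10.0.0.5 qname=www.example.net qtype=A",
    "2022-05-10T09:14:03Z client=10.0.0.5 qname=mail.example.org qtype=MX",
] + [f"2022-05-10T09:14:0{4 + i}Z client=10.0.0.5 qname={q} qtype=TXT"
     for i, q in enumerate(TUNNEL_QUERIES)]

if __name__ == "__main__":
    print("queries:", TUNNEL_QUERIES)
    print("reassembled:", decode_upstream(TUNNEL_QUERIES, ZONE))
    print("task:", decode_task(encode_task("whoami")))
    print("flagged:", hunt(SAMPLE_LOG))
```

The heuristic is deliberately simple; in practice it should be paired with per-client query counts to the same zone, NXDOMAIN and TXT-record ratios, and the four-hour scheduled-task cadence the macro establishes, which shows up as bursts of queries at a fixed interval.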
Because of the time and effort invested in building this malware, Gutierrez believes it is not meant to run once and then delete itself, as some earlier stealthy data stealers did. The implant itself sets up no persistence mechanism, possibly to avoid triggering behavioral detections; persistence instead comes from the scheduled task created by the Excel macro.