As part of a long-running espionage effort that began in April 2018, an advanced persistent threat (APT) group with connections to Iran updated its malware toolkit to incorporate a new backdoor codenamed Marlin. ESET, a Slovak cybersecurity firm, attributed the attacks (codenamed “Out to Sea”) to a threat actor known as OilRig (aka APT34). It also clearly linked the activity to another Iranian group known as Lyceum (aka Hexane or SiameseKitten).
“Victims of the campaign include diplomatic organizations, technology companies, and medical organizations in Israel, Tunisia, and the United Arab Emirates,” as noted by ESET in its T3 2021 Threat Report.
The hacking gang has been known to target Middle Eastern governments and various industry verticals, including chemical, energy, finance, and telecommunications, since at least 2014. In April 2021, the actor used an implant named SideTwist to attack a Lebanese organization, while prior efforts ascribed to Lyceum targeted IT companies in Israel, Morocco, Tunisia, and Saudi Arabia.
Since the campaign’s discovery in 2018, the Lyceum infection chains have evolved to drop various backdoors, starting with DanBot and progressing to Shark and Milan in 2021, with attacks reported in August 2021 using a new data-collecting malware named Marlin. The changes don’t stop there. Marlin uses Microsoft’s OneDrive API for command-and-control (C2) operations, a substantial shift from past OilRig TTPs, which relied on DNS and HTTPS for C2 communication.
ESET identified parallels in tools and techniques between OilRig’s backdoors and those of Lyceum as “too numerous and specific,” stating that initial access to the network was gained through spear-phishing as well as remote access and management applications like ITbrain and TeamViewer. “The ToneDeaf backdoor primarily communicated with its C&C over HTTP/S but included a secondary method, DNS tunneling, which does not function properly,” the researchers said. “Shark has similar symptoms, where its primary communication method uses DNS but has a non-functional HTTP/S secondary option.”
ToneDeaf is a malware family deployed in July 2019 by the APT34 actor against many Middle Eastern sectors. It can gather system information, upload and download files, and execute arbitrary shell commands. The findings also revealed the use of several folders in a backdoor’s working directory for uploading data to and receiving data from the C&C server, as well as the overlapping pattern of using DNS as the primary C&C channel with HTTP/S as a secondary communication mechanism.