Threat experts have discovered a new attack ascribed to the Iranian hacking organization known as APT34 or Oilrig, which used custom-crafted tools to target a Jordanian ambassador.
Advanced anti-detection and anti-analysis tactics were used in the attack, which had some characteristics that indicated long and thorough planning.
Fortinet’s security researchers gathered data and artifacts from the May 2022 attack and created a technical paper highlighting APT34’s most recent strategies and methods.
Diplomatic Targets
The spear-phishing email, which Fortinet discovered, was sent to a Jordanian diplomat and pretended to be from a government colleague, with the email address faked accordingly.
The email included a malicious Excel attachment with VBA macro code that creates three files: a malicious executable, a configuration file, and a signed and clean DLL.
The macro also adds a scheduled task that runs every four hours to give the malicious executable (update.exe) persistence.
“Because Excel is a signed binary, some behavioral detection algorithms may miss sustaining persistence in this fashion,” said Fortinet’s analysts.
Another unique discovery concerns two anti-analysis methods used in the macro: the toggling of sheet visibility in the spreadsheet and a check for the presence of a mouse, both of which may not be available on malware analysis sandbox services.
The Package’s Payload
The malicious executable is a .NET binary that examines program states and sleeps for eight hours after being launched. According to the researchers, the attackers most likely chose this timer on the assumption that the diplomat would open the email in the morning and leave after eight hours, leaving the computer unattended.
The malware uses a domain generation algorithm (DGA) tool to communicate with C2 subdomains when it is active. DGA is a popular approach for making malware activities more resistant to domain takedowns and blacklisting.
It then creates a DNS tunnel to communicate with the IP address specified. This is a rarely encountered approach that allows threat actors to encrypt data transmitted during this contact, making it difficult for network monitoring to detect anything odd.
Some domains used in the campaign have names that appear chosen to impersonate well-known and trusted companies such as AstraZeneca, HSBC, and Cisco.
The C2 then sends the malware twenty-two separate backdoor commands to execute via PowerShell or the Windows CMD interpreter.
Finally, stolen data is exfiltrated over DNS, with the data contained in the request, making it appear normal in network logs.
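As an added example, not code from the article or from Fortinet's report, the following Python script applies the heuristics a defender would run over DNS query logs to surface the behaviour described above: high-entropy or hex-encoded subdomain labels, and one client querying many distinct subdomains under a single domain, which is the aggregate shape of both DGA subdomains and data chunked into DNS requests. The log lines, thresholds and the lookalike domain are constructed for illustration.

```python
import math
from collections import Counter, defaultdict

# Constructed DNS query log (timestamp client qname); made up for this example, not IoCs from the report.
SAMPLE_LOG = """\
2022-05-10T09:01:02 10.0.0.5 www.example.com
2022-05-10T17:02:11 10.0.0.5 0123456789abcdef0123456789abcdef.brand-lookalike.example
2022-05-10T17:02:13 10.0.0.5 fedcba9876543210fedcba98.brand-lookalike.example
2022-05-10T17:02:15 10.0.0.5 zxqvjkwpmhgtrydlsnbfce0.brand-lookalike.example
"""

HEX_CHARS = set("0123456789abcdef")

def shannon_entropy(s: str) -> float:
    """Bits per character: encoded payload chunks score high, dictionary words low."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def parse_log(text: str):
    """Yield (timestamp, client, qname) from whitespace-separated log lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            yield parts[0], parts[1], parts[2].lower().rstrip(".")

def score_query(qname: str, max_label: int = 20, min_bits: float = 3.5) -> list:
    """Per-query heuristics; the last two labels are naively taken as the registrable domain (no PSL)."""
    sub_labels = qname.split(".")[:-2]
    sub = "".join(sub_labels)
    reasons = []
    if any(len(label) > max_label for label in sub_labels):
        reasons.append("long_label")
    if len(sub) >= 16 and shannon_entropy(sub) >= min_bits:
        reasons.append("high_entropy")
    if len(sub) >= 16 and set(sub) <= HEX_CHARS:
        reasons.append("hex_encoded")
    return reasons

def detect(text: str, min_unique: int = 3):
    """Return per-query flags and (client, domain) pairs that queried many distinct subdomains."""
    flagged, seen = {}, defaultdict(set)
    for _, client, qname in parse_log(text):
        labels = qname.split(".")
        seen[(client, ".".join(labels[-2:]))].add(".".join(labels[:-2]))
        reasons = score_query(qname)
        if reasons:
            flagged[qname] = reasons
    bursts = {pair: len(subs) for pair, subs in seen.items() if len(subs) >= min_unique}
    return flagged, bursts
```

Long legitimate labels (CDN or cloud hostnames) will trip the length check, so in practice these scores are ranked and combined with the per-domain burst count rather than alerted on individually.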
APT34 has been linked to the Iranian government in the past, and it is a skilled threat actor that operates in the shadows, leaving few traces behind.
As a result, Fortinet’s analysis is useful for both researchers and defenders, who should pay attention to the publicly available indicators of compromise.