Phishing Attacks Introduce Fresh SideTwist Backdoor and Agent Tesla Variant

Written by Andrew Doyle

September 6, 2023

Phishing Attacks Introduce Fresh SideTwist Backdoor and Agent Tesla Variant

APT34, the Iranian threat actor known by various aliases such as Cobalt Gypsy, Hazel Sandstorm, Helix Kitten, and OilRig, has surfaced in connection with a fresh phishing campaign. This campaign takes an intricate route, culminating in the deployment of a SideTwist backdoor variant.

Notably, APT34 has garnered a reputation for its advanced attack techniques, capable of tailoring intrusion methods to suit diverse targets. Operating in the Middle East since 2014, their primary focus has been on telecommunications, government, defense, oil, and financial services sectors. Spear-phishing has been their modus operandi, leading to the deployment of various backdoors.

What distinguishes this threat actor is their proficiency in crafting novel tools and updates, designed to evade detection and maintain control over compromised systems. SideTwist, an implant characterized by its file download/upload and command execution capabilities, was first attributed to APT34 in April 2021, as per findings by Check Point.

The attack chain observed by NSFOCUS Security Labs commences with a bait Microsoft Word document housing a malicious macro. This macro extracts and initiates the execution of a Base64-encoded payload stored within the document.

Phishing Attacks Introduce Fresh SideTwist Backdoor and Agent Tesla Variant

The payload, in this case, is a SideTwist variant, compiled using GCC, which establishes communication with a remote server (11.0.188[.]38) for further command reception.

In a related development, Fortinet FortiGuard Labs uncovered a phishing campaign disseminating a new Agent Tesla variant via a specially crafted Microsoft Excel document. This document leverages CVE-2017-11882, a six-year-old memory corruption vulnerability in Microsoft Office’s Equation Editor, as well as CVE-2018-0802.

CVE-2017-11882 has remained a favored choice among threat actors, with data from cybersecurity firm Qualys indicating its exploitation by 467 malware strains, 53 threat actors, and 14 ransomware strains as recently as August 31, 2023.

These revelations come in the wake of yet another phishing attack strategy employing ISO image file lures to deliver a range of malware strains, including Agent Tesla, LimeRAT, and Remcos RAT, to compromised hosts.

Related Articles

Stay Up to Date With The Latest News & Updates

Join Our Newsletter


Subscribe To Our Newsletter

Sign up to our weekly newsletter summarizing everything thats happened in data security, storage, and backup and disaster recovery

You have Successfully Subscribed!