APT34, the Iranian threat actor known by various aliases such as Cobalt Gypsy, Hazel Sandstorm, Helix Kitten, and OilRig, has surfaced in connection with a fresh phishing campaign. This campaign takes an intricate route, culminating in the deployment of a SideTwist backdoor variant.
Notably, APT34 has garnered a reputation for its advanced attack techniques, capable of tailoring intrusion methods to suit diverse targets. Operating in the Middle East since 2014, their primary focus has been on telecommunications, government, defense, oil, and financial services sectors. Spear-phishing has been their modus operandi, leading to the deployment of various backdoors.
What distinguishes this threat actor is their proficiency in crafting novel tools and updates, designed to evade detection and maintain control over compromised systems. SideTwist, an implant characterized by its file download/upload and command execution capabilities, was first attributed to APT34 in April 2021, as per findings by Check Point.
The attack chain observed by NSFOCUS Security Labs commences with a bait Microsoft Word document housing a malicious macro. This macro extracts and initiates the execution of a Base64-encoded payload stored within the document.

The payload in this case is a SideTwist variant compiled with GCC, which contacts a remote server (11.0.188[.]38) to receive further commands.
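For defenders triaging documents like the one described above, the following added example (not code from NSFOCUS, Check Point, or the original article) scans text already extracted from a document, such as macro source, form fields, or properties, for Base64 runs that decode to a Windows executable. It assumes the embedded payload is a PE image, which the article does not state explicitly; all function names and the sample input are hypothetical and constructed for illustration.

```python
import base64
import binascii
import re
import struct

# Base64 of any data beginning with b"MZ" starts "TV" + one of o/p/q/r, so
# anchor candidate runs there instead of decoding every long string.
MZ_B64_RUN = re.compile(r"TV[opqr][A-Za-z0-9+/]{61,}={0,2}")


def is_pe(data: bytes) -> bool:
    """MZ header whose e_lfanew field (offset 0x3C) points at b'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def find_embedded_pe(text: str) -> list[tuple[int, int]]:
    """Return (offset in text, decoded size) for each Base64 run that decodes to a PE."""
    hits = []
    for m in MZ_B64_RUN.finditer(text):
        blob = m.group(0).rstrip("=")
        if len(blob) % 4 == 1:          # impossible Base64 length: drop stray char
            blob = blob[:-1]
        blob += "=" * (-len(blob) % 4)  # restore padding
        try:
            data = base64.b64decode(blob)
        except binascii.Error:
            continue
        if is_pe(data):                 # "MZ" alone is not enough; check the PE signature
            hits.append((m.start(), len(data)))
    return hits


# Constructed sample input: a minimal MZ/PE header stub and an "MZ" decoy with no PE signature.
SAMPLE_PE = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40) + b"PE\0\0" + b"\0" * 16
PE_B64 = base64.b64encode(SAMPLE_PE).decode()
DECOY_B64 = base64.b64encode(b"MZ" + b"notape" * 12).decode()
SAMPLE_TEXT = f'Const A = "{DECOY_B64}"\nConst B = "{PE_B64}"\n'

if __name__ == "__main__":
    for offset, size in find_embedded_pe(SAMPLE_TEXT):
        print(f"PE image in Base64 at text offset {offset}, {size} bytes decoded")
```

The pattern only matches unbroken runs, so payloads that are line-wrapped or split across several string literals need to be rejoined before scanning.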
In a related development, Fortinet FortiGuard Labs uncovered a phishing campaign disseminating a new Agent Tesla variant via a specially crafted Microsoft Excel document. This document leverages CVE-2017-11882, a six-year-old memory corruption vulnerability in Microsoft Office’s Equation Editor, as well as CVE-2018-0802.
CVE-2017-11882 has remained a favored choice among threat actors, with data from cybersecurity firm Qualys indicating its exploitation by 467 malware strains, 53 threat actors, and 14 ransomware strains as recently as August 31, 2023.
These revelations come in the wake of yet another phishing attack strategy employing ISO image file lures to deliver a range of malware strains, including Agent Tesla, LimeRAT, and Remcos RAT, to compromised hosts.