New APT34 campaign uses LinkedIn to deliver fresh malware

The APT24 group continues its cyber espionage activity, its members were posing as a researcher from Cambridge to infect victims with three new malware.

Experts at FireEye have uncovered a new espionage campaign carried out by APT34 APT group (OilRig, and HelixKitten.  Greenbug) through LinkedIn. Members of the cyberespionage group were posing as a researcher from Cambridge and asking victims to join their social network.

APT34 is an Iran-linked APT group that has been around since at least 2014, it targeted mainly organizations in the financial, government, energy, telecoms and chemical sectors in the United States and Middle Eastern countries.

According to FireEye, in the new campaign, the hackers masqueraded as a Cambridge lecturer asked the victims to join their networks to send them weaponized documents.

“In late June 2019, FireEye identified a phishing campaign conducted by APT34, an Iranian-nexus threat actor.” reads the analysis published by FireEye. “Three key attributes caught our eye with this particular campaign:

1. Masquerading as a member of Cambridge University to gain victims’ trust to open malicious documents,
2. The usage of LinkedIn to deliver malicious documents,
3. The addition of three new malware families to APT34’s arsenal.”

The hackers used three new malware families in the campaign that also involved the Pickpocket, a browser credential-theft tool exclusively linked to APT34 campaigns.

The phishing campaign primarily targeted organizations in the energy and oil and gas, along with government entities.

The fake profiles asked the victims to open the weaponized excel file named ERFT-Details.xls that was used as a dropper. The hackers sent to the victim a LinkedIn message from “Research Staff at University of Cambridge,” the conversation began with the solicitation of resumes for potential job opportunities.

The attack technique observed in this campaign is not new and was used by the cyberspies in other campaigns, threat actors use to exploit the concept of “trust” behind the social networks.

The three malware families involved in this campaign were tracked as for TONEDEAF, VALUEVAULT, and LONGWATCH.

The Tonedeaf malware is a backdoor which communicates with a single command-and-control (C2) server via HTTP GET and POST requests. It supports several commands for collecting system information, uploading and downloading files, and arbitrary shell command execution.

After the FireEye experts identifying the C2 domain, they discovered other two malware families tracked as ValueVault and Longwatch along with a variant of Pickpocket.

ValueVault is a Golang-compiled version of the Windows Vault Password Dumper browser credential theft tool from Massimiliano Montoro, the developer of Cain & Abel. Longwatch is a keylogger that outputs keystrokes to a log.txt file in the Windows temp folder.

“We suspect this will not be the last time APT34 brings new tools to the table. Threat actors are often reshaping their TTPs to evade detection mechanisms, especially if the target is highly desired.” concludes FireEye. “For these reasons, we recommend organizations remain vigilant in their defenses, and remember to view their environment holistically when it comes to information security.”

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – APT34, cyberespionage)

[adrotate banner=”5″]

[adrotate banner=”13″]