Iran-linked APT34 group is targeting US federal workers

Iran-linked APT34 group has targeted a U.S.-based research company that provides services to businesses and government organizations.

Security experts from Intezer observed targeted attacks on a US-based research company that provides services to businesses and government organizations.

“Our researchers Paul Litvak and Michael Kajilolti have discovered a new campaign conducted by APT34 employing an updated toolset. Based on uncovered phishing documents, we believe this Iranian actor is targeting Westat employees, or United States organizations hiring Westat services.” reads the analysis published by Intezer.

The experts believe that the attacker was launched by the cyber-espionage group APT34 (aka OilRig or Helix Kitten). APT34 is an Iran-linked APT group that has been around since at least 2014, it mainly targeted organizations in the financial, government, energy, telecoms and chemical sectors in the United States and Middle Eastern countries.

The recent campaign appears similar to the one observed by FireEye in July 2019 when hackers were posing as a researcher from Cambridge to infect victims with three new malware.

According to Intezer, the attackers used a phishing document masquerading as an employee satisfaction survey for employees at the US government contractor Westat.

The survey distributed via email as Excel spreadsheets. Once the macros inside the were enabled, the malicious code downloaded and installed the TONEDEAF backdoor and the VALUEVAULT password stealer.

“The embedded VBA code unpacks a zip file into a temporary folder, extracts a “Client update.exe” executable file and installs it to “C:Users<User>valsClient update.exe”.” continues the analysis.

“Client update.exe” is actually a highly modified version of the TONEDEAF malware, which we named TONEDEAF 2.0. Finally, the crtt function creates a scheduled task “CheckUpdate” that runs the unpacked executable five minutes after being infected by it, as well as on future log-ons.”

Both malware used in this campaign (tracked as TONEDEAF 2.0 and VALUEVAULT 2.0) were also employed in the campaign observed in July 2019, but they include major updates that changes were developed for this specific attack.

The C2 domain (manygoodnews[.]com) is still active and was created 4 months ago, experts added that a certificate was issued for the website just a month ago, a circumstance that suggests the campaign is still ongoing.

The TONEDEAF backdoor communicates with its C&C via HTTP, but version 2.0 uses a revamped communication protocol. The new variant of the malware only implements shell execution capabilities.

TONEDEAF 2.0 was improved to evade detection and implements dynamic importing, string decoding, and a new technique to deceive its victims into believing it is a legitimate, broken app.

TONEDEAF 2.0 used HTTP for C2 communication, but experts noticed it is using a custom encoding and handshake mechanisms.

The experts believe that attackers also employed VALUEVAULT implant in this campaign, they noticed that a user from Lebanon uploaded to VirusTotal versions of the bait document leading to VALUEVAULT and TONEDEAF 2.0.

“This VALUEVAULT takes a more minimalistic approach than its predecessor. Many functionalities and strings were stripped from the new binary in order to lower its noise. Only Chrome password dumping is now supported, although interestingly the use of the file “fsociety.dat” as a password data store under the “AppData\Roaming” directory stayed the same.” states the experts.

Another evidence collected by the researchers is that the document author’s version of Microsoft Excel has Arabic installed as the preferred language.

“The technical analysis of the new malware variants shows the group has been investing substantial effort in upgrading their tools in an attempt to stay undetected after being exposed, and it seems that effort is generally off,” concludes Intezer.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – APT34, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]