The Iranian risk actor tracked as APT34 has been linked to a brand new phishing assault that results in the deployment of a variant of a backdoor known as SideTwist.
“APT34 has a excessive degree of assault know-how, can design totally different intrusion strategies for various kinds of targets, and has provide chain assault functionality,” NSFOCUS Safety Labs mentioned in a report printed final week.
APT34, additionally identified by the names Cobalt Gypsy, Hazel Sandstorm (previously Europium), Helix Kitten, and OilRig, has a observe report of concentrating on telecommunications, authorities, protection, oil and monetary companies verticals within the Center East since no less than 2014 by way of spear-phishing lures that culminate within the deployment of varied backdoors.
One of many key traits of the hacking outfit is its potential to create new and up to date instruments to reduce the percentages of detection and achieve a foothold on compromised hosts for prolonged intervals of time.
SideTwist was first documented as utilized by APT34 in April 2021, with Examine Level describing it as an implant able to file obtain/add and command execution.
The assault chain recognized by NSFOCUS begins with a bait Microsoft Phrase doc that embeds inside a malicious macro, which, in flip, extracts and launches the Base64-encoded payload saved within the file.
The payload is a variant of SideTwist that is compiled utilizing GCC and establishes communication with a distant server (11.0.188[.]38) to obtain additional instructions.
The event comes as Fortinet FortiGuard Labs captured a phishing marketing campaign that spreads a brand new Agent Tesla variant utilizing a specifically crafted Microsoft Excel doc that exploits CVE-2017-11882, a six-year-old reminiscence corruption vulnerability in Microsoft Workplace’s Equation Editor, and CVE-2018-0802.
“The Agent Tesla core module collects delicate info from the sufferer’s gadget,” security researcher Xiaopeng Zhang mentioned. “This info consists of the saved credentials of some software program, the sufferer’s keylogging info, and screenshots.”
Based on information shared by cybersecurity agency Qualys, CVE-2017-11882 stays one of the crucial favored flaws thus far, exploited by “467 malware, 53 risk actors, and 14 ransomware” as just lately as August 31, 2023.
It additionally follows the invention of one other phishing assault that has been discovered to make use of ISO picture file lures to launch malware strains reminiscent of Agent Tesla, LimeRAT, and Remcos RAT on contaminated hosts.