Researchers uncover a new Iranian malware used in recent cyberattacks

An Iranian threat actor has unleashed a new cyberespionage campaign against a possible Lebanese target with a backdoor capable of exfiltrating sensitive information from compromised systems.

Cybersecurity firm Check Point attributed the operation to APT34, citing similarities with techniques previously used by the threat actor as well as its pattern of victimology.

APT34 (aka OilRig) is known for its reconnaissance campaigns aligned with the strategic interests of Iran, primarily hitting financial, government, energy, chemical, and telecommunications industries in the Middle East.


The group typically resorts to targeting individuals through the use of booby-trapped job offer documents, delivered directly to the victims via LinkedIn messages, and the latest campaign is no exception, although the mode of delivery remains unclear as yet.

The Word document analyzed by Check Point — which was uploaded to VirusTotal from Lebanon on January 10 — claims to offer information about different positions at a U.S.-based consulting firm named Ntiva IT, only to trigger the infection chain upon activating the embedded malicious macros, ultimately resulting in the deployment of a backdoor called “SideTwist.”

Aside from gathering basic information about the victim’s machine, the backdoor establishes connections with a remote server to await additional commands that allow it to download files from the server, upload arbitrary files, and execute shell commands, the results of which are posted back to the server.
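The infection chain described above starts with a Word document carrying an embedded VBA macro. As an added defender's triage example (not code from the Check Point report or from the malware), the following checks an Office OOXML container for a VBA project, both by part name and by its `[Content_Types].xml` declaration, so a macro-enabled file renamed to `.docx` is still flagged. The sample documents are constructed in memory.

```python
import io
import zipfile

# Parts whose presence means the document embeds VBA macros.
MACRO_PARTS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")
MACRO_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"


def ooxml_macro_indicators(data: bytes) -> list[str]:
    """Return reasons the document looks macro-enabled (empty list if clean)."""
    findings = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
            for part in MACRO_PARTS:
                if part in names:
                    findings.append(f"embedded VBA project: {part}")
            # The content-types manifest declares macro parts independently
            # of the file extension the sender chose for the document.
            if "[Content_Types].xml" in names:
                ctypes = zf.read("[Content_Types].xml").decode("utf-8", "replace")
                if MACRO_CONTENT_TYPE in ctypes:
                    findings.append("content type declares a VBA project")
    except zipfile.BadZipFile:
        findings.append("not a valid OOXML (zip) container")
    return findings


def build_sample_docx(with_macro: bool) -> bytes:
    """Construct a minimal docx-like container (sample data, not a real document)."""
    ctypes = '<?xml version="1.0"?><Types>'
    ctypes += '<Override PartName="/word/document.xml" ContentType="application/xml"/>'
    if with_macro:
        ctypes += f'<Override PartName="/word/vbaProject.bin" ContentType="{MACRO_CONTENT_TYPE}"/>'
    ctypes += "</Types>"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", ctypes)
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Placeholder bytes standing in for a real OLE-packaged VBA project.
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for flag in (False, True):
        print("macro" if flag else "clean", ooxml_macro_indicators(build_sample_docx(flag)))
```

A hit from this check is a reason to detonate or block the attachment, not proof of malice: legitimate macro-enabled documents produce the same indicators.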


Check Point notes that the use of a new backdoor points to the group’s ongoing efforts to overhaul and update its payload arsenal in the wake of a 2019 leak of its hacking tools, which also doxxed several officers of the Iranian Ministry of Intelligence who were involved with APT34 operations.

“Iran-backed APT34 shows no sign of slowing down, further pushing its political agenda in the Middle East, with an ongoing focus on Lebanon — using offensive cyber operations,” the researchers said. “While maintaining its modus operandi and reusing old techniques, the group continues to create new and updated tools to minimize the possible detection of their tools by security vendors.”
