APT34 Targeting and Arsenal Evolution
APT34 has been documented to target organizations worldwide, particularly companies from the financial, government, energy, chemical, and telecommunications industries in the Middle East since at least 2014. Documented as a group primarily involved for cyberespionage, APT34 has been previously recorded targeting government offices and show no signs of stopping with their intrusions. Our continuous monitoring of the group proves it continues to create new and updated tools to minimize the detection of their arsenal: Shifting to new data exfilteration techniques — from the heavy use of DNS-based command and control (C&C) communication to combining it with the legitimate simple mail transfer protocol (SMTP) mail traffic — to bypass any security policies enforced on the network perimeters.
From three previously documented attacks, we observed that while the group uses simple malware families, these deployments show the group’s flexibility to write new malware based on researched customer environments and levels of access. This level of skill can make attribution for security researchers and reverse engineers more difficult in terms of tracking and monitoring because patterns, behaviors, and tools can be completely different for every compromise.
For instance, in the two separate attacks using Karkoff (detected by Trend Micro as Backdoor.MSIL.OILYFACE.A) in 2020 and Saitama (detected by Trend Micro as Backdoor.MSIL.AMATIAS.THEAABB) in 2022, the group used macros inside Excel files as part of the first stage to send phishing emails since the group did not have access to the enterprise yet. Contrary to this newest compromise, however, the first stage was rewritten completely in DotNet and executed by the actor directly.
Moreover, Karkoff malware has a full backdoor module using a government exchange server as a communication channel via send/received commands over an exchanged server, and used a hardcoded account to authenticate the said communication. Compared to the new malware, the latest compromise seems to be rewritten to use the same technique but only to exfiltrate data over the mail channel. Aside from using hardcoded accounts as exchange accounts, APT34 can add a new module that can monitor changes in passwords and use the new accounts to send mails, exfiltrating data via Microsoft Exchange servers.
Based on a 2019 report on APT34, the top countries targeted by the group are:
- The United Arab Emirates
- Saudi Arabia
While not at the top of the group’s list, other countries in the Middle East considered as targets are Qatar, Oman, Kuwait, Bahrain, Lebanon, and Egypt.
There are several data points and indicators that suggest APT34 carried out this attack, and that this group is still active in targeting countries in the Middle East with a special focus on compromising government entities.
1. The first stage dropper
The first stage dropper between the Saitama backdoor and this new operation’s first stage .Net dropper have a few similarities. Despite the dated Saitama operation’s first stage dropper, a VBA macro that drops the actual .Net backdoor Saitama malware, the new attack implemented in the group’s latest deployment is a .Net dropper that drops the actual malware. Both deployments’ final stages leverage EWS’ Managed API (Microsoft.Exchange.WenServices.dll).
Read More HERE