{"id":50375,"date":"2023-02-02T00:00:00","date_gmt":"2023-02-02T00:00:00","guid":{"rendered":"urn:uuid:b4b9e7ba-f4e8-d0e2-36d3-b6383b5e1c73"},"modified":"2023-02-02T00:00:00","modified_gmt":"2023-02-02T00:00:00","slug":"new-apt34-malware-targets-the-middle-east","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/new-apt34-malware-targets-the-middle-east\/","title":{"rendered":"New APT34 Malware Targets The Middle East"},"content":{"rendered":"

<\/p>\n

<\/div>\n

APT34 Targeting and Arsenal Evolution<\/span><\/p>\n

APT34 has been documented to target organizations worldwide, particularly companies from the financial, government, energy, chemical, and telecommunications industries in the Middle East since at least 2014<\/a>. Documented as a group primarily involved for cyberespionage, APT34 has been previously recorded<\/a> targeting government offices and show no signs of stopping with their intrusions. Our continuous monitoring of the group proves it continues to create new and updated tools to minimize the detection of their arsenal: Shifting to new data exfilteration techniques \u2014 from the heavy use of DNS-based command and control (C&C) communication to combining it with the legitimate simple mail transfer protocol (SMTP) mail traffic \u2014 to bypass any security policies enforced on the network perimeters.<\/p>\n

From three previously documented attacks, we observed that while the group uses simple malware families, these deployments show the group’s flexibility to write new malware based on researched customer environments and levels of access. This level of skill can make attribution for security researchers and reverse engineers more difficult in terms of tracking and monitoring because patterns, behaviors, and tools can be completely different for every compromise.<\/p>\n

For instance, in the two separate attacks using Karkoff (detected by Trend Micro as Backdoor.MSIL.OILYFACE.A) in 2020<\/a> and Saitama (detected by Trend Micro as Backdoor.MSIL.AMATIAS.THEAABB) in 2022<\/a>, the group used macros inside Excel files as part of the first stage to send phishing emails since the group did not have access to the enterprise yet. Contrary to this newest compromise, however, the first stage was rewritten completely in DotNet and executed by the actor directly.<\/p>\n

Moreover, Karkoff malware has a full backdoor module using a government exchange server as a communication channel via send\/received commands over an exchanged server, and used a hardcoded account to authenticate the said communication. Compared to the new malware, the latest compromise seems to be rewritten to use the same technique but only to exfiltrate data over the mail channel. Aside from using hardcoded accounts as exchange accounts, APT34 can add a new module that can monitor changes in passwords and use the new accounts to send mails, exfiltrating data via Microsoft Exchange servers.<\/p>\n

Based on a 2019 report<\/a> on APT34, the top countries targeted by the group are:<\/p>\n