Rewterz Threat Alert – APT34 Distributes New SideTwist Backdoor and Agent Telsa Variant – Active IOCs

Severity

High

Analysis Summary

The infamous Iranian threat actor, APT34 (aka Helix Kitten or OilRig), has been linked to a new phishing campaign which has deployed a new variant of the SideTwist backdoor. APT34 is known for its sophisticated attack techniques and its ability to target various sectors such as telecommunications, government, defense, oil, and financial services in the Middle East since at least 2014. Their attacks typically involve spear-phishing lures that lead to the deployment of various backdoors.

One notable characteristic of APT34 is their capability to create new and updated tools to evade detection and maintain control over compromised systems for extended periods. In this recent attack, they used a variant of a backdoor called SideTwist.

SideTwist was first associated with APT34 in April 2021 and is described as an implant with the ability to download/upload files and execute commands. 

According to the researchers, the attack chain begins with a bait Microsoft Word document containing a malicious macro. This macro extracts and launches a Base64-encoded payload stored in the document. This payload is a variant of SideTwist compiled using GCC and establishes communication with a remote server to receive further commands.

Additionally, another security report revealed a phishing campaign that distributes a new variant of the Agent Tesla malware. This campaign utilizes a specially crafted Microsoft Excel document exploiting CVE-2017-11882, a memory corruption vulnerability in Microsoft Office’s Equation Editor, along with CVE-2018-0802. 

“The Agent Tesla core module collects sensitive information from the victim’s device. This information includes the saved credentials of some software, the victim’s keylogging information, and screenshots of the victim’s device.”

Furthermore, there has been the discovery of another phishing attack that employs ISO image file lures to deliver malware strains such as Agent Tesla, LimeRAT, and Remcos RAT on compromised hosts.

In summary, this incident is part of a broader landscape of cyber threats, including the exploitation of older vulnerabilities, and the use of various malware strains in phishing campaigns, highlighting the ongoing challenges in the field of cybersecurity.

Impact

• Sensitive Information Theft
• Credential Theft

Indicators of Compromise

MD5

• 056378877c488af7894c8f6559550708
• 5e0b8bf38ad0d8c91310c7d6d8d7ad64

SHA-256

• c2a0d899dd535d7cf0729b3307d054780985e0cebd21cca5614c1417225c86ee
• 7b83ca04240ca8769eb0f01a873674aa2891a4aa702d5cf632e7ecc284c38bc9

SHA-1

• 729a2e6ab9135657c7219435c92351ca1c8a4d93
• eb3a3fa719328e662d573774181cbd0bc1be1920

URL

• http://11.0.188.38:443/

Remediation

• Block all threat indicators at your respective controls.
• Search for Indicators of compromise (IOCs) in your environment utilizing your respective security controls
• Emails from unknown senders should always be treated with caution.
• Never trust or open links and attachments received from unknown sources/senders.
• Maintain cyber hygiene by updating your anti-virus software and implementing a patch management lifecycle.
• Patch and upgrade any platforms and software timely and make it into a standard security policy. Prioritize patching known exploited vulnerabilities and zero-days.
• Enable antivirus and anti-malware software and update signature definitions in a timely manner.
• Enforce strong password policies across the organization. Encourage the use of complex passwords and enable multi-factor authentication (MFA) wherever possible to add an extra layer of security.
• Deploy reliable endpoint protection solutions that include antivirus, anti-malware, and host-based intrusion prevention systems (HIPS) to detect and block malicious activities.
• Utilize web filtering and content inspection tools to block access to malicious websites and prevent users from downloading malicious files.
• Deploy IDPS solutions to detect and block suspicious network traffic and intrusions.
• Conduct regular vulnerability assessments and penetration testing to identify weaknesses in the network infrastructure and address them before they are exploited by attackers.
• Maintain regular backups of critical data and systems.
• Develop an incident response plan and conduct regular testing.