The infamous Iranian threat actor APT34 (aka Helix Kitten or OilRig) has been linked to a new phishing campaign that deploys a new variant of the SideTwist backdoor. APT34 is known for its sophisticated attack techniques and its ability to target sectors such as telecommunications, government, defense, oil, and financial services in the Middle East since at least 2014. Its attacks typically involve spear-phishing lures that lead to the deployment of various backdoors.
One notable characteristic of APT34 is their capability to create new and updated tools to evade detection and maintain control over compromised systems for extended periods. In this recent attack, they used a variant of a backdoor called SideTwist.
SideTwist was first associated with APT34 in April 2021 and is described as an implant with the ability to download/upload files and execute commands.
According to the researchers, the attack chain begins with a decoy Microsoft Word document containing a malicious macro. The macro extracts and launches a Base64-encoded payload stored inside the document. This payload is a SideTwist variant compiled with GCC, and it establishes communication with a remote server to receive further commands.
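The attack chain above rests on two observable artifacts in the lure file: a VBA project and a long Base64 run that decodes to an executable. The following triage heuristic, an added example that is not code from the original report or from any vendor tool, checks an OOXML document for both; the sample documents, thresholds and executable stub it uses are constructed here for illustration.

```python
import base64
import binascii
import io
import re
import zipfile

# Thresholds chosen for this example; a long contiguous Base64 run is the tell.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{200,}={0,2}")
EXEC_MAGICS = {b"MZ": "PE (Windows)", b"\x7fELF": "ELF"}

def find_embedded_payloads(doc_bytes: bytes) -> dict:
    """Report a VBA project and any Base64 run, in any part, that decodes to an executable."""
    findings = {"has_macro": False, "payloads": []}
    with zipfile.ZipFile(io.BytesIO(doc_bytes)) as zf:
        for name in zf.namelist():
            if name.lower().endswith("vbaproject.bin"):
                findings["has_macro"] = True
            for match in B64_RUN.finditer(zf.read(name)):
                try:
                    decoded = base64.b64decode(match.group(0), validate=True)
                except (binascii.Error, ValueError):
                    continue  # long run that is not valid Base64 (hex, tokens)
                for magic, label in EXEC_MAGICS.items():
                    if decoded.startswith(magic):
                        findings["payloads"].append(
                            {"part": name, "type": label, "size": len(decoded)})
    return findings

def _build_docx(parts: dict) -> bytes:
    """Minimal OOXML zip container (constructed, not a real Word file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in parts.items():
            zf.writestr(name, data)
    return buf.getvalue()

def build_sample_lure() -> bytes:
    """Macro-enabled document whose body holds a Base64 blob decoding to a PE stub."""
    fake_pe = b"MZ" + b"\x90" * 298  # constructed stand-in, not the SideTwist binary
    xml = b"<w:t>" + base64.b64encode(fake_pe) + b"</w:t>"
    return _build_docx({"word/document.xml": xml, "word/vbaProject.bin": b"\xd0\xcf"})

def build_clean_doc() -> bytes:
    """No macro; its one long Base64 run is an image, so nothing is flagged."""
    fake_png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 300
    xml = b"<w:t>quarterly report</w:t> " + base64.b64encode(fake_png)
    return _build_docx({"word/document.xml": xml})
```

Legitimate documents also embed Base64 (images, fonts), which is why the check decodes each run and looks for an executable header rather than flagging Base64 alone.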
Additionally, another security report revealed a phishing campaign that distributes a new variant of the Agent Tesla malware. This campaign utilizes a specially crafted Microsoft Excel document exploiting CVE-2017-11882, a memory corruption vulnerability in Microsoft Office’s Equation Editor, along with CVE-2018-0802.
“The Agent Tesla core module collects sensitive information from the victim’s device. This information includes the saved credentials of some software, the victim’s keylogging information, and screenshots of the victim’s device.”
Furthermore, researchers have discovered another phishing attack that uses ISO image file lures to deliver malware strains such as Agent Tesla, LimeRAT, and Remcos RAT to compromised hosts.
In summary, this incident is part of a broader landscape of cyber threats, including the exploitation of older vulnerabilities, and the use of various malware strains in phishing campaigns, highlighting the ongoing challenges in the field of cybersecurity.