“APT34 has a high level of attack technology, can design different intrusion methods for different types of targets, and has supply chain attack capability,” said NSFOCUS Security Labs in a recent report.
APT34, also known as Cobalt Gypsy, Hazel Sandstorm, Helix Kitten, and OilRig, has a history of targeting telecommunications, government, defense, oil, and financial services sectors in the Middle East since 2014. They use spear-phishing techniques that result in the deployment of various backdoors.
APT34 has the ability to create new and updated tools to evade detection and maintain control on compromised systems for long periods of time.
SideTwist, which allows file download/upload and command execution, was first observed being used by APT34 in April 2021.
The attack chain identified by NSFOCUS begins with a malicious Microsoft Word document that contains a macro. The macro extracts and launches a Base64-encoded payload stored in the file.
The payload is a variant of SideTwist that is compiled using GCC and establishes communication with a remote server (11.0.188[.]38) to receive further commands.
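As an added illustration (not code from the NSFOCUS report or this article), a defender-side check for the kind of macro-embedded, Base64-encoded payload described above: it scans extracted macro text for long Base64 runs, decodes them, and flags any that begin with the Windows PE "MZ" header. It assumes the VBA source has already been extracted from the document (for example with olevba); the sample macro and payload bytes are constructed.

```python
import base64
import binascii
import re

# Constructed sample: a mock VBA macro carrying a Base64 string that decodes
# to bytes beginning with the PE magic "MZ" (stand-in for the dropped payload).
FAKE_PE = b"MZ" + b"\x90" * 70 + b"This program cannot be run in DOS mode."
SAMPLE_MACRO = (
    b'Sub AutoOpen()\n'
    b'  Dim s As String\n'
    b'  s = "' + base64.b64encode(FAKE_PE) + b'"\n'
    b'  Call Drop(s)\n'
    b'End Sub\n'
)

# Long runs of Base64 alphabet characters with optional padding. Macros that
# split the blob across several string concatenations would yield several
# shorter runs; lower MIN_RUN or join the pieces before scanning in that case.
MIN_RUN = 60
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{%d,}={0,2}" % MIN_RUN)


def find_embedded_executables(data: bytes) -> list:
    """Decode every long Base64 run in `data` and report those that start
    with the DOS/PE header "MZ". Returns one dict per hit with the offset of
    the encoded run and the size of the decoded blob."""
    hits = []
    for m in B64_RUN.finditer(data):
        chunk = m.group(0)
        chunk += b"=" * (-len(chunk) % 4)  # restore any stripped padding
        try:
            decoded = base64.b64decode(chunk, validate=True)
        except (binascii.Error, ValueError):
            continue  # not valid Base64 after all; skip the run
        if decoded.startswith(b"MZ"):
            hits.append({"offset": m.start(), "size": len(decoded)})
    return hits


if __name__ == "__main__":
    for hit in find_embedded_executables(SAMPLE_MACRO):
        print(f"embedded PE at offset {hit['offset']}, {hit['size']} bytes")
```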
Fortinet FortiGuard Labs recently discovered a phishing campaign that distributes a new variant of Agent Tesla. The campaign uses a specially crafted Microsoft Excel document that exploits CVE-2017-11882 and CVE-2018-0802, vulnerabilities in Microsoft Office.
“The Agent Tesla core module collects sensitive information from the victim’s device,” explained security researcher Xiaopeng Zhang. “This information includes the saved credentials of some software, the victim’s keylogging information, and screenshots.”
According to cybersecurity firm Qualys, CVE-2017-11882 remains a frequently exploited vulnerability, with “467 malware, 53 threat actors, and 14 ransomware” utilizing it as recently as August 31, 2023.
Another phishing attack has been discovered that uses ISO image file lures to deliver malware strains such as Agent Tesla, LimeRAT, and Remcos RAT to infected systems.