A new phishing attack has been associated with the Iranian threat actor known as APT34. This attack leads to the deployment of a variant of a backdoor called SideTwist.

“APT34 has a high level of attack technology, can design different intrusion methods for different types of targets, and has supply chain attack capability,” said NSFOCUS Security Labs in a recent report.

APT34, also known as Cobalt Gypsy, Hazel Sandstorm, Helix Kitten, and OilRig, has a history of targeting telecommunications, government, defense, oil, and financial services sectors in the Middle East since 2014. They use spear-phishing techniques that result in the deployment of various backdoors.

APT34 has the ability to create new and updated tools to evade detection and maintain control on compromised systems for long periods of time.

SideTwist, which allows file download/upload and command execution, was first observed being used by APT34 in April 2021.

The attack chain identified by NSFOCUS begins with a malicious Microsoft Word document that contains a macro. The macro extracts and launches a Base64-encoded payload stored in the file.

The payload is a variant of SideTwist that is compiled using GCC and establishes communication with a remote server (11.0.188[.]38) to receive further commands.

Fortinet FortiGuard Labs recently discovered a phishing campaign that distributes a new variant of Agent Tesla. The campaign uses a specially crafted Microsoft Excel document that exploits CVE-2017-11882 and CVE-2018-0802, vulnerabilities in Microsoft Office.

UPCOMING WEBINARWay Too Vulnerable: Uncovering the State of the Identity Attack Surface

Achieved MFA? PAM? Service account protection? Find out how well-equipped your organization truly is against identity threats

Supercharge Your Skills

“The Agent Tesla core module collects sensitive information from the victim’s device,” explained security researcher Xiaopeng Zhang. “This information includes the saved credentials of some software, the victim’s keylogging information, and screenshots.”

Agent Tesla Variant

According to cybersecurity firm Qualys, CVE-2017-11882 remains a frequently exploited vulnerability, with “467 malware, 53 threat actors, and 14 ransomware” utilizing it as recently as August 31, 2023.

Another phishing attack has been discovered that uses ISO image file lures to deliver malware strains such as Agent Tesla, LimeRAT, and Remcos RAT to infected systems.


Full Stack Developer

About the Author

I’m passionate about web development and design in all its forms, helping small businesses build and improve their online presence. I spend a lot of time learning new techniques and actively helping other people learn web development through a variety of help groups and writing tutorials for my blog about advancements in web design and development.

View Articles