The group was posing as a researcher from Cambridge and was found to have added three new malware families to its spy arsenal.
According to FireEye, the adversaries masqueraded as a Cambridge University lecturer, including setting up a LinkedIn page, in order to gain victims’ trust. From there the attackers asked their “friends” to open malicious documents.
APT34, a.k.a. OilRig or Greenbug, specializes in cyber-espionage activity and is known for attacks targeting a variety of organizations operating in the Middle East, including financial, energy and government entities.
“They use a mix of public and non-public tools to collect strategic information that would benefit nation-state interests pertaining to geopolitical and economic needs,” FireEye noted in a writeup on the campaign on Thursday. In the phishing effort, the non-public tools included three new malware families and featured a reappearance of Pickpocket, which is a malware exclusively observed in use by APT34, according to the firm.
The phishing campaign was going after energy companies, government workers and utilities, the firm said. FireEye discovered the campaign after spotting an unknown malicious executable in its telemetry.
Further investigation showed that the malware was dropped by a file named ERFT-Details.xls, sent via a LinkedIn message from “Research Staff at the University of Cambridge.” The social conversation, according to a target interviewed by FireEye, began with the solicitation of resumes for potential job opportunities.
“This is not the first time we’ve seen APT34 utilize academia and/or job offer conversations in their various campaigns,” according to the analysis. “These conversations often take place on social media platforms, which can be an effective delivery mechanism if a targeted organization is focusing heavily on email defenses to prevent intrusions.”
The fresh malware variant turned out to be a backdoor dubbed Tonedeaf, which communicates with a single command-and-control (C2) server using HTTP GET and POST requests. It has a variety of functions, including collecting system information, uploading and downloading files, and arbitrary shell command execution, FireEye said.
After identifying the C2 domain used by the backdoor, FireEye was able to uncover two additional malware families hosted there: ValueVault and Longwatch. The Pickpocket variant, a browser credential-theft tool, was also found there.
According to FireEye, ValueVault is a Golang-compiled version of the Windows Vault Password Dumper browser credential-theft tool from Massimiliano Montoro, the developer of Cain & Abel. Longwatch, meanwhile, is a keylogger that outputs keystrokes to a log.txt file in the Windows temp folder.
“ValueVault maintains the same functionality as the original tool by allowing the operator to extract and view the credentials stored in the Windows Vault,” said the researchers. “Additionally, ValueVault will call Windows PowerShell to extract browser history in order to match browser passwords with visited sites.”
The firm noted that threat actors are often reshaping their strategies to evade detection mechanisms, with new malware sets and social-engineering approaches. APT34’s activity is also ramping up, FireEye said – a side effect of the turmoil in the Middle East concerning Iran.
“With increasing geopolitical tensions in the Middle East, we expect Iran to significantly increase the volume and scope of its cyber espionage campaigns,” the firm noted. “Iran has a critical need for strategic intelligence and is likely to fill this gap by conducting espionage against decision-makers and key organizations that may have information that furthers Iran’s economic and national security goals. The identification of new malware and the creation of additional infrastructure to enable such campaigns highlights the increased tempo of these operations in support of Iranian interests.”