September 5, 2023 HAWKEYE

Alert Advisory: Supply Chain Attack by Iran’s APT34 Targets the UAE

OilRig (also tracked as APT34) is an Iranian threat group that mainly targets organizations across a range of industries in the Middle East, although it has also attacked organizations outside the region. The group also conducts supply chain attacks, in which it compromises a trusted supplier or service provider and then abuses that trust relationship to reach its primary targets.

APT34 (OilRig)

Attacks attributed to this group typically rely on social engineering to exploit human weaknesses rather than software flaws; on occasion, however, the group has leveraged recently patched vulnerabilities during the delivery phase of an attack.

OilRig has demonstrated maturity in other areas of its operations, so the limited use of software exploits should not be read as a lack of capability. Examples of this maturity include:

  • Organized evasion testing during the development of its tools.
  • Data exfiltration and command and control (C2) over custom DNS tunneling protocols.
  • Ad-hoc web shells and backdoors for persistent server access.
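The DNS tunneling TTP above is one a SOC can hunt for without any sample of the group's tooling, because the technique leaves a statistical footprint in resolver logs regardless of the malware family. The following Python script is an added example written for this advisory, not OilRig code or HAWKEYE tooling: it profiles a constructed resolver log per apex domain and flags apexes whose subdomains look like an encoded data channel (many distinct, long, high-entropy labels, often carried in TXT queries). The log format, the two-label apex split and the thresholds are assumptions to tune per environment.

```python
"""Heuristic detector for DNS-tunneling C2 (added example, not OilRig or HAWKEYE code).

Tunneling protocols carry data in subdomain labels, so an apex domain receiving
many distinct, long, high-entropy subdomains (often TXT queries) deserves a look.
Log format, two-label apex split and thresholds are assumptions; the log is constructed.
"""
from __future__ import annotations

import math
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed resolver log, one query per line: "<timestamp> <client> <qtype> <qname>"
SAMPLE_DNS_LOG = """\
2023-09-01T10:00:01Z 10.0.0.21 A www.example.com
2023-09-01T10:00:02Z 10.0.0.21 A mail.example.com
2023-09-01T10:00:02Z 10.0.0.33 A www.example.com
2023-09-01T10:00:03Z 10.0.0.42 TXT 7a6f3c1e9b2d4f8a1c3e5b7d9f1a3c5e.c2-tunnel.test
2023-09-01T10:00:04Z 10.0.0.42 TXT 0b1c2d3e4f5a6b7c8d9e0f1a2b3c4d5e.c2-tunnel.test
2023-09-01T10:00:05Z 10.0.0.42 TXT 9e8d7c6b5a4f3e2d1c0b9a8f7e6d5c4b.c2-tunnel.test
2023-09-01T10:00:06Z 10.0.0.42 TXT f1e2d3c4b5a69788796a5b4c3d2e1f00.c2-tunnel.test
2023-09-01T10:00:07Z 10.0.0.42 TXT 3c5e7a9c1e3f5b7d9f1b3d5f7a9b1d3f.c2-tunnel.test
2023-09-01T10:00:08Z 10.0.0.42 A c2-tunnel.test
"""


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character; 0.0 for an empty string."""
    if not text:
        return 0.0
    counts: dict[str, int] = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_qname(qname: str) -> tuple[str, str]:
    """Split qname into (subdomain, apex). Assumption: apex = last two labels; use the PSL in production."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) <= 2:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])


@dataclass
class ApexStats:
    queries: int = 0        # all queries to this apex
    txt_queries: int = 0    # TXT/NULL queries, the usual tunnel carriers
    labelled: int = 0       # queries that carried a subdomain
    subdomains: set[str] = field(default_factory=set)
    total_sub_len: int = 0
    total_entropy: float = 0.0

    @property
    def mean_sub_len(self) -> float:
        return self.total_sub_len / self.labelled if self.labelled else 0.0

    @property
    def mean_entropy(self) -> float:
        return self.total_entropy / self.labelled if self.labelled else 0.0


def profile(log_text: str) -> dict[str, ApexStats]:
    """Aggregate per-apex statistics from the resolver log."""
    stats: dict[str, ApexStats] = defaultdict(ApexStats)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines instead of aborting the sweep
        _ts, _client, qtype, qname = parts
        sub, apex = split_qname(qname)
        s = stats[apex]
        s.queries += 1
        if qtype.upper() in ("TXT", "NULL"):
            s.txt_queries += 1
        if sub:
            s.labelled += 1
            s.subdomains.add(sub)
            s.total_sub_len += len(sub)
            s.total_entropy += shannon_entropy(sub.replace(".", ""))
    return dict(stats)


def flag_tunneling(log_text: str, min_distinct: int = 4,
                   min_len: float = 20.0, min_entropy: float = 3.0) -> list[str]:
    """Apex domains whose subdomain traffic looks like an encoded data channel.

    All three conditions must hold. The thresholds are assumptions to tune per
    environment: CDNs and some telemetry services also emit long random labels.
    """
    return sorted(apex for apex, s in profile(log_text).items()
                  if len(s.subdomains) >= min_distinct
                  and s.mean_sub_len >= min_len
                  and s.mean_entropy >= min_entropy)


if __name__ == "__main__":
    print("flagged:", flag_tunneling(SAMPLE_DNS_LOG))
```

On the constructed log only c2-tunnel.test is flagged: five distinct 32-character hex labels with entropy well above 3 bits per character, while example.com sees two short, repeated hostnames. In a real environment the apex-level aggregation is what keeps the rule usable, since the tunnel rotates subdomains on every query but the registered domain stays constant.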

For lateral movement, OilRig uses stolen account credentials.

Malicious programs used by APT34

  • TwoFace – A web shell used to maintain access to compromised web servers and harvest credentials.
  • POWRUNER – A PowerShell-based backdoor used by APT34.
  • RGDoor – An Internet Information Services (IIS) backdoor written in C++.
  • Helminth – A Trojan developed to target the Windows platform.
  • OopsIE – A Trojan deployed and used by APT34.
  • Karkoff – .NET malware designed to execute code remotely on compromised hosts.
  • ISMAgent – A backdoor with a sophisticated architecture and built-in anti-analysis techniques.
  • Poison Frog – A backdoor used along with the BondUpdater tool.
  • PhpSpy – A backdoor used to gain an initial foothold in the targeted network.
  • Neptun – A backdoor installed as a service on Microsoft Exchange servers.
  • Pickpocket – A browser credential-theft tool.
  • ValueVault – A tool used to extract and view credentials stored in the Windows Vault.
  • LongWatch – A keylogger deployed alongside Pickpocket; it writes captured keystrokes to a log file on disk.
  • Marlin – A backdoor used by APT34.
  • Saitama – A backdoor used by APT34 that tunnels its C2 traffic over DNS.

Supply Chain Attack on UAE

According to Maher Yamout, lead security researcher at Kaspersky, the attackers lured victims with a fake IT job application form. APT34 (also known as OilRig) built a phishing website posing as an IT firm in the UAE and sent the recruitment form to a targeted IT company; when the victim downloaded the malicious document to apply for the advertised job, information-stealing malware executed.

According to Yamout, the malware harvested private data and login credentials that gave APT34 access to the networks of the IT company’s clients. The attackers then deliberately went after government clients, using the victim IT company’s email system for command-and-control (C2) communication and data exfiltration. Because of its limited downstream visibility, Kaspersky could not confirm whether the attacks on the government targets succeeded, but Yamout said “we assess to medium-high confidence” that they did, given the group’s usual success rate.

Kaspersky’s investigation found that the malware samples used in the UAE campaign were identical to those used in an earlier APT34 supply chain intrusion in Jordan, which employed comparable tactics, techniques, and procedures (TTPs), including the targeting of government institutions. In another case, Yamout said, LinkedIn was believed to have been used to distribute a job form by an actor posing as a hiring manager for an IT company.

IOCs

MD5 hashes:

A0E6933F4E0497269620F44A083B2ED4
9267D057C065EA7448ACA1511C6F29C7
B2D13A336A3EB7BD27612BE7D4E334DF
4A7290A279E6F2329EDD0615178A11FF
841CE6475F271F86D0B5188E4F8BC6DB
52CA9A7424B3CC34099AD218623A0979
BBDE33F5709CB1452AB941C08ACC775E
247B2A9FCBA6E9EC29ED818948939702
C87B0B711F60132235D7440ADD0360B0
E6AC6F18256C4DDE5BF06A9191562F82
3C63BFF9EC0A340E0727E5683466F435
EEB0FF0D8841C2EBE643FE328B6D9EF5
FB464C365B94B03826E67EABE4BF9165
635ED85BFCAAB7208A8B5C730D3D0A8C
13B338C47C52DE3ED0B68E1CB7876AD2
DBFEA6154D4F9D7209C1875B2D5D70D5
63D66D99E46FB93676A4F475A65566D8
D85818E82A6E64CA185EDFDDBA2D1B76
C9F16F0BE8C77F0170B9B6CE876ED7FB
EAF3448808481FB1FDBB675BC5EA24DE
42449DD79EA7D2B5B6482B6F0D493498
A3FCB4D23C3153DD42AC124B112F1BAE
EE1C482C41738AAA5964730DCBAB5DFF
E516C3A3247AF2F2323291A670086A8F

Domains and IP addresses:

mumbai-m.site
dns-update.club
94.23.172.164
proxycheker.pro
46.105.221.247
hpserver.online
148.251.55.110
185.15.247.147
145.239.33.100
82.102.14.219
anyportals.com
185.56.91.61
46.165.246.196
185.236.76.80
185.236.77.17
185.181.8.252
185.191.228.103
70.36.107.34
109.236.85.129
185.15.247.140
185.181.8.158
178.32.127.230
146.112.61.108
23.106.215.76
185.20.187.8
95.168.176.172
173.234.153.194
173.234.153.201
172.241.140.238
23.19.226.69
185.161.211.86
185.174.100.56
194.9.177.15
185.140.249.63
81.17.56.249
213.227.140.32
46.105.251.42
185.140.249.157
198.143.182.22
213.202.217.9
158.69.57.62
168.187.92.92
38.132.124.153
176.9.164.215
88.99.246.174
190.2.142.59
103.102.44.181
217.182.217.122
46.4.69.52
185.227.108.35
172.81.134.226
103.102.45.14
95.168.176.173
142.234.200.99
194.9.179.23
194.9.178.10
185.174.102.14
185.236.76.35
185.236.77.75
185.161.209.157
185.236.76.59
185.236.78.217
23.227.201.6
185.236.78.63
uber-asia.com
asiaworldremit.com
joexpediagroup.com
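To put the list above to use, a defender has to normalize the indicators (the hashes are upper-case here, other feeds defang domains as mumbai-m[.]site, DNS logs append a trailing dot) and match them against proxy, DNS, firewall and endpoint telemetry, including child domains of a listed domain. The Python below is an added example written for this page, not HAWKEYE’s own tooling: it embeds a subset of the IOCs above together with a constructed set of log lines whose field names (dst=, qname=, md5=) are assumptions about the log format.

```python
"""IOC sweep over log lines (added example for this advisory, not HAWKEYE tooling).

Classifies a pasted IOC list into MD5 hashes, IPv4 addresses and domains,
normalizes each value (lower-case, "[.]" refanged, trailing dot removed) and
matches them against log lines. The log lines are constructed, not telemetry.
"""
from __future__ import annotations

import ipaddress
import re
from collections import defaultdict

# Subset of the indicators listed above, pasted verbatim.
IOC_TEXT = """\
A0E6933F4E0497269620F44A083B2ED4
9267D057C065EA7448ACA1511C6F29C7
mumbai-m.site
dns-update.club
94.23.172.164
hpserver.online
185.15.247.147
"""

# Constructed sample: proxy, DNS, EDR and firewall events; field names are assumptions.
SAMPLE_LOGS = [
    "2023-09-01T11:02:10Z proxy src=10.0.0.42 dst=hpserver.online:443 action=allow",
    "2023-09-01T11:02:11Z dns src=10.0.0.42 qname=api.dns-update.club. qtype=TXT",
    "2023-09-01T11:05:00Z proxy src=10.0.0.21 dst=www.example.com:443 action=allow",
    "2023-09-01T11:07:30Z edr host=WS-042 path=C:\\Users\\a\\Downloads\\JobForm.doc "
    "md5=a0e6933f4e0497269620f44a083b2ed4",
    "2023-09-01T11:09:00Z edr host=WS-021 path=C:\\Windows\\notepad.exe "
    "md5=ffffffffffffffffffffffffffffffff",
    "2023-09-01T11:10:00Z fw src=10.0.0.42 dst=185.15.247.147 dport=53 proto=udp",
]

MD5_RE = re.compile(r"^[0-9a-f]{32}$")
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")


def normalize(value: str) -> str:
    """Lower-case, refang '[.]' and drop a trailing dot so variants compare equal."""
    return value.strip().lower().replace("[.]", ".").rstrip(".")


def classify(value: str) -> tuple[str, str]:
    """Return (kind, normalized value); kind is md5, ipv4, domain or unknown."""
    v = normalize(value)
    if MD5_RE.match(v):
        return "md5", v
    try:
        ipaddress.IPv4Address(v)
        return "ipv4", v
    except ValueError:  # AddressValueError is a ValueError subclass
        pass
    if DOMAIN_RE.match(v):
        return "domain", v
    return "unknown", v


def parse_iocs(text: str) -> dict[str, set[str]]:
    """Bucket each non-empty IOC line by kind."""
    iocs: dict[str, set[str]] = defaultdict(set)
    for line in text.splitlines():
        if line.strip():
            kind, v = classify(line)
            iocs[kind].add(v)
    return iocs


def match_domain(host: str, domains: set[str]) -> str | None:
    """Exact or parent match: api.c2.example matches the IOC c2.example."""
    for d in domains:
        if host == d or host.endswith("." + d):
            return d
    return None


def sweep(iocs: dict[str, set[str]], log_lines: list[str]) -> list[tuple[str, str, str]]:
    """Return (kind, matched_ioc, line) for every token that hits an indicator."""
    hits = []
    for line in log_lines:
        for token in line.split():
            value = token.split("=", 1)[-1]            # value of key=value fields
            value = re.sub(r":\d{1,5}$", "", value)    # strip ':port' from hosts
            kind, v = classify(value)
            if kind in ("md5", "ipv4") and v in iocs.get(kind, set()):
                hits.append((kind, v, line))
            elif kind == "domain":
                d = match_domain(v, iocs.get("domain", set()))
                if d:
                    hits.append((kind, d, line))
    return hits


if __name__ == "__main__":
    for kind, ioc, line in sweep(parse_iocs(IOC_TEXT), SAMPLE_LOGS):
        print(f"[{kind}] {ioc} <- {line}")
```

Against the constructed lines the sweep reports four hits: the proxy connection to hpserver.online, the TXT query to a child of dns-update.club (a parent-domain match the raw string comparison would miss), the downloaded document whose MD5 is listed, and the UDP/53 flow to 185.15.247.147. Note that the remaining IOCs cannot be checked from a hash list alone; the domains and IPs are the only ones visible to network sensors, and the hashes only to endpoint telemetry.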
