Alert Advisory: Supply Chain Attack by Iran’s APT34 Targets the UAE

HawkEye Managed MDR
An Iranian threat group known as OilRig (APT34) typically targets organizations in the Middle East across a range of industries, although it has occasionally attacked organizations outside the region. OilRig also conducts supply chain attacks, in which the threat actor abuses the trust between entities to reach its primary targets.

APT34 (Oilrig)

Attacks attributed to this group often rely on social engineering that targets human weaknesses rather than software flaws; on occasion, however, the group has leveraged recently patched vulnerabilities in the delivery phase. OilRig has demonstrated maturity in other areas of its operations, so the limited use of vulnerability exploitation does not imply a lack of competence. Those areas include:
  • Organized evasion testing during the development of their tools.
  • Data exfiltration and command and control (C2) using specialized DNS tunneling protocols.
  • Ad-hoc web shells and backdoors for persistent server access.
For lateral movement, OilRig uses stolen account credentials.
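DNS tunneling for C2 and exfiltration, listed above, leaves a recognizable shape in resolver logs: many distinct, long, high-entropy leftmost labels under one registered domain, often with TXT lookups. The following detection heuristic is an added example written for this advisory, not tooling from HawkEye or from the cited research; the log format, the sample log lines and the domain names in it are constructed, and the thresholds are assumptions to tune per environment.

```python
import math
import re
from collections import defaultdict

# Constructed sample resolver log: "timestamp client qname qtype". Not from the advisory.
SAMPLE_LOG = """\
2024-01-10T09:00:01 10.0.0.5 www.example.com A
2024-01-10T09:00:02 10.0.0.5 mail.example.com A
2024-01-10T09:00:03 10.0.0.7 3a7f9c2e1b8d4f6a0c5e7b9d1f3a5c7e.t.example-c2.test TXT
2024-01-10T09:00:03 10.0.0.7 9b1d3f5a7c9e2b4d6f8a0c2e4b6d8f1a.t.example-c2.test TXT
2024-01-10T09:00:04 10.0.0.7 0c2e4b6d8f1a3c5e7b9d2f4a6c8e1b3d.t.example-c2.test TXT
2024-01-10T09:00:04 10.0.0.7 5e7b9d1f3a5c7e9b2d4f6a8c0e2b4d6f.t.example-c2.test TXT
2024-01-10T09:00:05 10.0.0.5 cdn.example.com A
"""
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")

def shannon_entropy(s: str) -> float:
    """Bits per character; encoded payload labels score near log2(alphabet size)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in (s.count(ch) for ch in set(s)))

def parse_log(text: str):
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, client, qname, qtype = m.groups()
            out.append((ts, client, qname.lower().rstrip("."), qtype.upper()))
    return out

def score_domains(records, min_unique=3, min_label_len=24, min_entropy=3.0):
    """Group by registered domain (last two labels, a simplification that ignores
    public suffixes such as co.uk) and flag domains whose leftmost labels are
    many, long and high-entropy: the shape DNS-tunneled C2 or exfil produces."""
    per_domain = defaultdict(list)
    for _, client, qname, qtype in records:
        labels = qname.split(".")
        if len(labels) < 3:
            continue  # no subdomain label available to carry data
        per_domain[".".join(labels[-2:])].append((labels[0], qtype, client))
    findings = {}
    for base, subs in per_domain.items():
        unique = {lbl for lbl, _, _ in subs}
        longest = max(len(lbl) for lbl in unique)
        entropy = sum(shannon_entropy(lbl) for lbl in unique) / len(unique)
        findings[base] = {
            "queries": len(subs), "unique_labels": len(unique), "longest": longest,
            "avg_entropy": round(entropy, 2),
            "txt_share": round(sum(q == "TXT" for _, q, _ in subs) / len(subs), 2),
            "clients": sorted({c for _, _, c in subs}),  # hosts to triage first
            "suspicious": len(unique) >= min_unique and longest >= min_label_len and entropy >= min_entropy,
        }
    return findings

def flag_tunneling(text: str):
    return sorted(b for b, f in score_domains(parse_log(text)).items() if f["suspicious"])
```

Run over a day of resolver logs, the flagged domains and their querying clients are the starting point for triage; whitelisting known CDN and telemetry domains that legitimately use long random labels keeps the false-positive rate manageable.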

Malicious programs used by APT34

  • Twoface – A web shell used to harvest credentials.
  • Powruner – A backdoor known to be used by APT34.
  • RGDoor – An Internet Information Services (IIS) backdoor written in C++.
  • Helminth – A Trojan developed to target the Windows platform.
  • OopsIE – A Trojan deployed and known to be used by APT34.
  • Karkoff – Malware designed to execute code remotely on compromised hosts.
  • ISMAgent – A backdoor with a sophisticated architecture that contains anti-analysis techniques.
  • Poison Frog – A backdoor used along with the BondUpdater tool.
  • PhpSpy – A backdoor used to gain an initial foothold in the targeted network.
  • Neptun – A backdoor installed on Microsoft Exchange servers as a service.
  • Pickpocket – A browser credential-theft tool.
  • ValueVault – A tool used to extract and view the credentials stored in the Windows Vault.
  • LongWatch – A Pickpocket variant and browser credential-theft tool.
  • Marlin – A backdoor used by APT34.
  • Saitama – A backdoor used by APT34.

Supply Chain Attack on UAE

According to Kaspersky’s lead security researcher Maher Yamout, the attackers lured victims with a fake IT job application form. APT34 (also known as OilRig) built a phishing website posing as an IT firm in the UAE and submitted the recruitment form to a target IT company; when the victim downloaded the infected document, supposedly to apply for the offered IT job, information-stealing malware was launched. According to Yamout, the malware gathered private data and login credentials that gave APT34 access to the networks of the IT company’s clients.

He goes on to say that the attacker then deliberately sought out government clients, using the email system of the victim IT organization for command-and-control (C2) communication and data exfiltration. Because of its limited downstream visibility, Kaspersky was unable to confirm whether the attacks on government targets were effective, but Yamout said “we assess to medium-high confidence” that they were, given the group’s usual success rate.

According to Kaspersky’s investigation, the malware samples used in the UAE campaign were identical to those used in a prior APT34 supply chain breach in Jordan that employed comparable tactics, techniques, and procedures (TTPs), including the targeting of governmental institutions. In another case, Yamout said he believed LinkedIn was being used to distribute a job form by an attacker posing as a hiring manager for an IT business.

IOCs


Ready to get started?

Contact us to arrange a half day
Managed SOC and XDR workshop in Dubai


© 2024 HawkEye – Managed CSOC and XDR powered by DTS Solution. All Rights Reserved.