New APT34 backdoor malware infection campaign targets Middle Eastern organizations for cyberespionage

Trend Micro researchers have published an analysis of a new APT34 malware infection campaign, observed last December, that targets organizations in the Middle East for cyberespionage. Using the backdoor malware, the campaign abuses legitimate but compromised email accounts to send stolen data to external mail accounts controlled by the attackers. APT34 has been documented targeting organizations worldwide since at least 2014, particularly companies in the financial, government, energy, chemical, and telecommunications industries in the Middle East.

“In December 2022, we identified a suspicious executable (detected by Trend Micro as Trojan.MSIL.REDCAP.AD) that was dropped and executed on multiple machines,” Trend Micro researchers Mohamed Fahmy, Sherif Magdy, and Mahmoud Zohdy wrote in their latest blog. “Our investigation led us to link this attack to advanced persistent threat (APT) group APT34, and the main goal is to steal users’ credentials. Even in case of a password reset or change, the malware is capable of sending the new credentials to the threat actors.”

Moreover, the researchers added that after analyzing the deployed backdoor variant, they found the malware capable of a new exfiltration technique: the abuse of compromised mailbox accounts to send stolen data from the internal mailboxes to external mail accounts controlled by the attackers.

While the technique itself is not new, this is the first instance of APT34 using it in a campaign deployment, the researchers added. “Following this analysis, it is highly likely that this campaign’s routine is only a small part of a bigger chain of deployments. Users and organizations are strongly advised to reinforce their current security measures and to be vigilant of the possible vectors abused for compromise.”

Documented as a group primarily involved in cyberespionage, APT34 has been previously recorded targeting government offices and shows no signs of stopping with their intrusions, Trend Micro said. “Our continuous monitoring of the group proves it continues to create new and updated tools to minimize the detection of their arsenal: Shifting to new data exfiltration techniques — from the heavy use of DNS-based command and control (C&C) communication to combining it with the legitimate simple mail transfer protocol (SMTP) mail traffic — to bypass any security policies enforced on the network perimeters,” it added.

From three previously documented attacks, Trend Micro “observed that while the group uses simple malware families, these deployments show the group’s flexibility to write new malware based on researched customer environments and levels of access. This level of skill can make attribution for security researchers and reverse engineers more difficult in terms of tracking and monitoring because patterns, behaviors, and tools can be completely different for every compromise.”

APT34, also known as OilRig, uses a main backdoor component (detected by Trend Micro as Backdoor.MSIL.REDCAP.A) that receives valid domain credentials as an argument, logs on to the Exchange Server with them, and uses that session for data exfiltration. The main function of this stage is to take the stolen password from the argument and send it to the attackers as an attachment in an email. Trend Micro also observed that the threat actors relay these emails via government Exchange Servers using valid accounts with stolen passwords.

MITRE lists OilRig as a suspected Iranian threat group that has targeted Middle Eastern and international victims since at least 2014. The group has targeted various financial, government, energy, chemical, and telecommunications sectors. The group also carries out supply chain attacks, leveraging the trust relationship between organizations to attack their primary targets. FireEye assesses that the group works on behalf of the Iranian government based on infrastructure details that contain references to Iran, the use of Iranian infrastructure, and targeting that aligns with nation-state interests.

First, the .NET backdoor parses a config file dropped in the root path it is executing from, looking for a file called ‘ngb’ from which it extracts three parameters: Server, the specific Exchange mail server of the targeted government entity through which the data is leaked; Target, the email addresses at which the malicious actors receive the exfiltrated data; and Domain, the internal Active Directory (AD) domain name of the targeted government entity in the Middle East. The malware also handles the replacement of old passwords with new ones, which are captured and sent through the registered DLL password filter.

The researchers pointed out that the malware proceeds to initialize an ExchangeService object in the first step and supplies the stolen credentials as WebCredentials to interface with the victim mail server in the second step. “Using these Exchange Web Service (EWS) bindings, the malicious actor can send mails to external recipients on behalf of any stolen user and initialize a new instance of the WebCredentials class with the username and password for the account to authenticate,” they added.

The malware then iterates through the files found under the target path. For each file found, it adds its path to a list that will be exfiltrated in the last step, Trend Micro researchers said. The final stage iterates over the collected list of file paths. For each path, it prepares an EmailMessage object with the subject ‘Exchange Default Message’ and a mail body of ‘Exchange Server is testing services.’ It attaches the whole file to this EmailMessage object and sends it using the previously initialized EWS service object, which has already authenticated the user account.
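As an added defender-side example (not code from the Trend Micro report), the following Python scan flags the mail-flow pattern described above in a constructed, simplified mail-tracking log: the lure subject quoted in the report, and EWS-originated attachments leaving the trusted domain forest for external recipients. The column layout and the internal domain names are assumptions, not Exchange's real tracking-log schema.

```python
import csv
import io
from dataclasses import dataclass

# Lure strings quoted in the Trend Micro write-up of the REDCAP backdoor.
LURE_SUBJECT = "Exchange Default Message"
LURE_BODY = "Exchange Server is testing services."

# Assumed: mail domains of the ministries that share the AD forest trust.
INTERNAL_DOMAINS = {"ministry-a.example.gov", "ministry-b.example.gov"}

# Constructed sample log; the column set is an assumption for this example.
SAMPLE_LOG = """timestamp,source,sender,recipient,subject,attachments
2022-12-05T09:14:02Z,SMTP,alice@ministry-a.example.gov,bob@ministry-b.example.gov,Budget Q1,1
2022-12-05T09:20:41Z,EWS,alice@ministry-a.example.gov,collector@mail-drop.example.net,Exchange Default Message,1
2022-12-05T09:22:10Z,EWS,carol@ministry-b.example.gov,partner@vendor.example.com,Contract draft,1
2022-12-05T09:25:33Z,EWS,carol@ministry-b.example.gov,carol@ministry-b.example.gov,Exchange Default Message,0
"""


@dataclass
class Alert:
    timestamp: str
    sender: str
    recipient: str
    severity: str
    reason: str


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def scan_log(text: str, internal=INTERNAL_DOMAINS) -> list[Alert]:
    """Return one Alert per log row matching the exfiltration pattern."""
    alerts = []
    for row in csv.DictReader(io.StringIO(text)):
        leaves_forest = (_domain(row["sender"]) in internal
                         and _domain(row["recipient"]) not in internal)
        has_attachment = int(row["attachments"]) > 0
        if row["subject"] == LURE_SUBJECT:
            # Exact subject IOC from the report: high confidence anywhere.
            sev, why = "high", "known REDCAP lure subject"
        elif leaves_forest and has_attachment and row["source"] == "EWS":
            # Behavioural rule: EWS-sent attachment to an outside recipient.
            sev, why = "medium", "EWS attachment sent outside the forest"
        else:
            continue
        alerts.append(Alert(row["timestamp"], row["sender"],
                            row["recipient"], sev, why))
    return alerts
```

The medium-severity rule will fire on legitimate EWS clients that mail attachments externally, so it is a triage lead, not a standalone verdict.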

Trend Micro concluded that at first glance, security teams can mistakenly tag the sample as safe or as a benign activity given the validity of the domains and mail credentials. “It will take more experienced analysts to see that the domains abused are part of a bigger active directory domain ‘forest,’ which shares a trust relationship to allow different government ministries or agencies to communicate. Considering we found a compromised account from one entity inside a sample sourced from a different agency indicates APT34 now has a deep foothold in the government domain forest,” the researchers added.

Following the stages executed, APT34’s repeated use of the Saitama backdoor technique in the first stage indicates confidence that even the dated malware’s technique will continue to work and initiate compromise, they said. 

“The next stages for exfiltrating data, however, are considerably new and are considered exploratory for the group,” according to the researchers. “Despite the routine’s simplicity, the novelty of the second and last stages also indicates that this entire routine can just be a small part of a bigger campaign targeting governments. We continue tracking and monitoring the abuse of this threat to determine the depth and breadth of this compromise.”

Last July, AttackIQ released two new attack graphs that emulate different aspects of OilRig’s campaigns. The graphs are meant to help customers validate their security controls and defenses and improve cybersecurity readiness. Based on that research, OilRig has targeted various sectors, including government, financial services, energy, resources and utilities, manufacturing, telecommunications, and technology.
