Iranian APT Groups

TACTICAL CYBER INTELLIGENCE REPORT

Actor Type: II
Serial: TR-18-024-001
Countries: IN, CN
Report Date: 20180124

APT34

APT34 is involved in long-term cyber espionage operations largely focused in the Middle East.  This threat group has targeted a wide variety of industries, including financial, government, energy, chemical, and telecommunications.  The group is thought to have been operational since at least 2014 and is likely linked to the Iranian government.  The group is also known as “OilRig.”

In a recent blog post, a cyber security firm explained: “We assess that APT34 works on behalf of the Iranian government based on infrastructure details that contain references to Iran, use of Iranian infrastructure, and targeting that aligns with nation-state interests.”[1]  Researchers observed logins to VPNs from Iranian IP addresses during normal Iranian business hours.  Their analysis exposed leaked Iranian addresses and phone numbers, which tie OilRig’s efforts to Iranian interests.  Targets are often Iran’s adversaries.

APT34 relies on a mixture of commercial and open source tools to break into organizations and achieve its objectives.  A recent OilRig phishing campaign used a custom PowerShell backdoor delivered by exploiting an outdated, embedded Microsoft Office component known as “Equation Editor.”  APT34 uses malicious Excel macros and PowerShell-based exploits to move around victim networks.  The group also runs extensive social media operations, deploying fake or compromised accounts to scope out high-profile targets and using social engineering to get closer to particular organizations.

Some of the activities performed by this group are as follows:

Phishing Campaign against Banks in Middle East

In the first week of May 2016, a wave of emails containing malicious attachments was sent to multiple banks in the Middle East region.[2]  The threat actors appeared to be performing initial reconnaissance against potential targets.  The attackers sent multiple emails containing macro-enabled XLS files to employees working in the Middle East banking sector.  The themes of the messages were related to IT infrastructure, such as a log titled “Server Status Report” or a list of Cisco “IronPort Appliance” details.  In one case, the content of the emails appeared to be a legitimate email conversation between several employees and even contained contact details of employees from several banks.  This email was then forwarded to several people with the malicious Excel file attached.  The Excel file contained malicious macros that, once executed, infected the target machine.  The payload was used to collect important financial information from the system, including the currently active user, the hostname, network configuration data, user and group accounts, local and domain administrator accounts, running processes, and other data.

Malicious Microsoft Office RTF documents Exploiting CVE-2017-0199

CVE-2017-0199 is a remote code execution vulnerability in the way Microsoft Office and WordPad parse specially crafted files.  An attacker who successfully exploited this vulnerability could take control of an affected system.  APT34 used it to deploy a PowerShell-based backdoor called POWRUNER and a downloader with domain generation algorithm (DGA) functionality called BONDUPDATER, both named after strings found in the malware.  This attack was used to target organizations in the Middle East.

CVE-2017-11882 - Microsoft Office Stack Memory Corruption Vulnerability

MITRE’s Common Vulnerabilities and Exposures entry CVE-2017-11882 describes a memory corruption vulnerability affecting several versions of Microsoft Office.  It allows a remote attacker to run arbitrary code in the context of the current user because objects in memory are handled improperly.  The vulnerability exists in the legacy Equation Editor (EQNEDT32.EXE), a Microsoft Office component used to insert and evaluate mathematical formulas.[3]  APT34 sends a spear phishing email with a malicious .rtf file attached.  Once opened, the file exploits the vulnerability, then downloads and executes a malicious file on the target’s computer, causing infection.  Much remains unknown about APT34; however, its capabilities and interest in critical infrastructure targets make it noteworthy.
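As an added defender-side example (not code from the report or from any vendor it cites), the following Python script flags RTF attachments that embed a legacy Equation Editor object, the delivery path described above, by checking both the declared \objclass and the decoded \objdata blob.  The sample RTF documents are constructed inline; the helper that builds their OLE 1.0 header and all function names are mine.

```python
import re
import struct
import binascii

# Hypothetical helper (mine, not from the report): builds the OLE 1.0 header
# that Word writes into \objdata for an embedded object of the given class.
def _ole1_header(class_name: str) -> bytes:
    name = class_name.encode() + b"\x00"
    return (struct.pack("<II", 0x00000501, 0x00000002)   # OLE version, embedded object
            + struct.pack("<I", len(name)) + name         # class name, NUL-terminated
            + struct.pack("<II", 0, 0)                    # empty topic and item names
            + struct.pack("<I", 0))                       # native data size (none here)

def build_rtf(class_name: str, declare_class: bool = True) -> bytes:
    """Constructed sample RTF with one embedded object; not a real lure."""
    hexdata = binascii.hexlify(_ole1_header(class_name)).decode()
    cls = r"{\*\objclass %s}" % class_name if declare_class else ""
    body = r"{\rtf1\ansi{\object\objemb%s{\*\objdata %s}}}" % (cls, hexdata)
    return body.encode()

OBJCLASS_RE = re.compile(rb"\\objclass\s+([A-Za-z0-9.]+)")
OBJDATA_RE = re.compile(rb"\\objdata\s*([0-9a-fA-F\s]+)")
EQNEDT_MARKER = b"Equation.3"   # ProgID of the legacy Equation Editor (EQNEDT32.EXE)

def scan_rtf(data: bytes) -> dict:
    """Report Equation Editor markers in \\objclass tags and in decoded \\objdata blobs."""
    hits = {"objclass": [], "objdata": []}
    for m in OBJCLASS_RE.finditer(data):
        if m.group(1).lower() == EQNEDT_MARKER.lower():
            hits["objclass"].append(m.group(1).decode())
    for m in OBJDATA_RE.finditer(data):
        hexstr = re.sub(rb"\s+", b"", m.group(1))
        if len(hexstr) % 2:
            hexstr = hexstr[:-1]          # drop a dangling nibble instead of failing
        try:
            blob = binascii.unhexlify(hexstr)
        except binascii.Error:
            continue
        # Lures often omit or obfuscate \objclass, so the decoded object data is
        # checked as well; the OLE1 header carries the class name in clear text.
        if EQNEDT_MARKER in blob:
            hits["objdata"].append(EQNEDT_MARKER.decode())
    return hits

def is_suspicious(data: bytes) -> bool:
    """True when the RTF embeds an Equation Editor object by any of the checks."""
    h = scan_rtf(data)
    return bool(h["objclass"] or h["objdata"])
```

A mail gateway can run is_suspicious() over .rtf attachments and quarantine hits for analyst review; any Equation Editor object in inbound mail is worth a look once EQNEDT32.EXE has been disabled or patched.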

APT33

The Iranian group known as APT33 is believed to be behind a cyber-espionage campaign targeting aerospace, petrochemical and energy sector firms located in the United States, Saudi Arabia and South Korea.  It has been targeting critical infrastructure, energy and military sectors since at least 2013 as part of a massive cyber-espionage operation to gather intelligence and steal trade secrets.  Researchers have identified cyber attacks conducted by APT33 since at least May 2016.  They found this group has successfully targeted the aviation sector, both military and commercial, as well as organizations in the energy sector with links to petrochemical production.  The victims include a U.S. firm in the aerospace sector, a Saudi Arabian business conglomerate with aviation holdings, and a South Korean company involved in oil refining and petrochemicals.[4]

There are various malware families used by this group:

  • DropShot – A dropper designed to deliver multiple payloads on the target machine.
  • ShapeShift – The SHAPESHIFT malware is capable of wiping disks, erasing volumes and deleting files, depending on its configuration. Both DROPSHOT and SHAPESHIFT contain Farsi language artifacts, which indicate they may have been developed by a Farsi speaker.
  • TurnedUp – A backdoor capable of uploading and downloading files, creating a reverse shell, taking screenshots, and gathering system information from the target’s computer.
  • NanoCore – A publicly available remote access trojan (RAT) sold commercially. It is a full-featured backdoor with a plugin framework.[5]
  • NetWire – Malware that attempts to steal credentials from the local machine from a variety of sources and supports other standard backdoor features. It is also publicly available.[6]

Spear Phishing Attacks

APT33 sent hundreds of spear phishing emails last year from several domains.  The domains masquerade as Saudi aviation companies and international organizations, including Boeing, Alsalam Aircraft Company and Northrop Grumman Aviation Arabia.  These spear phishing emails were sent to employees with jobs related to the aviation industry.  The emails included recruitment-themed lures and contained links to malicious HTML application (.hta) files.  The .hta files contain job descriptions and links to legitimate job postings on popular employment websites, which would be relevant to the targeted individuals.

APT33 uses a built-in phishing module within the publicly available ALFA TEaM Shell (aka ALFASHELL, https://github.com/solevisible/ALFA-SHELL) to send hundreds of spear phishing emails to targeted individuals.  APT33 registered multiple domains masquerading as Saudi aviation companies and Western organizations that together have partnerships to provide training, maintenance and support for Saudi Arabia’s military and commercial fleet.  Based on observed targeting patterns, APT33 likely uses these domains in spear phishing emails to target victim organizations.  The following domains masquerade as these organizations:

  • servehttp[.]com
  • ddns[.]net
  • sytes[.]net
  • myftp[.]or

These are some of the domains used in the attacks to impersonate real companies.  Wapack Labs urges caution if these domains appear.  This report provides an overview of the capabilities of APT33 and its significance among APT groups and actors.

Contact the Wapack Labs for more information: 603-606-1246, or feedback@wapacklabs.com.


[1] https://www.fireeye.com/blog/threat-research/2017/12/targeted-attack-in-middle-east-by-apt34.html

[2] https://www.fireeye.com/blog/threat-research/2016/05/targeted_attacksaga.html

[3] https://www.rapid7.com/db/vulnerabilities/msft-cve-2017-11882

[4] https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html

[5] https://i.ytimg.com/vi/Iff6lCrq7Eg/maxresdefault.jpg

[6] https://i.ytimg.com/vi/Oqy7t2fQ6gA/maxresdefault.jpg
