Another tool of the Iranian government cyber espionage group APT34 leaked to the Internet

Tool in open access on the Internet turned out to be an instrument for hacking Microsoft Exchange user accounts and allegedly was used by the cybercriminal grouping OilRig (also known as APT34 and HelixKitten).

In mid-March 2019, a someone known as Lab Dookhtegan published in Telegram tools of the Iranian cyber espionage group APT34, as well as information about the victims of hackers and employees of the Iranian Ministry of Information and National Security, who are allegedly associated with the operations of the group.

Lab Dookhtegan revealed source codes of six tools, whose authenticity was confirmed by leading information security specialists, including those from Chronicle, cybersecurity division of Alphabet Holding.

Zdnet reference:

While initially it was believed that Lab Dookhtegan was a former insider, the new consensus is that this is the online persona of a foreign intelligence agency who is trying to expose Iranian hacking efforts in attempts to damage the country’s cyber-espionage operations, as long as its political connections with neighbors and allies.

Now Lab Dookhtegan in the same Telegram channel published another tool belonging to APT34, the utility called Jason.

A tool named Jason is not detected by antivirus solutions on VirusTotal.

Jason appeared on the Telegram channel on Monday, June 3. According to the owner of the channel, the Iranian government uses this tool tool for “hacking email and stealing information.

At its core, Jason is a for brute-force tool as program selects passwords for the account until it finds the one that matches. Jason selects passwords from a sample list attached to it and four text files with numeric patterns.

Omri Segev Moyal
Omri Segev Moyal

“The tool seems to be a bruteforce attacker against online exchange services”, – said Omri Segev Moyal, vice president of Minerva Labs, who analyzed the Jason program.

According to VirusTotal, the tool was compiled in 2015, so it has been used in APT34 operations for at least four years. At the time of the publication of Jason in open access, it was not detected by any protective solution. It is also interesting that if the previous six APT34 tools, published in the spring of this year, were previously detected security experts, none of experts have “identified” Jason.


About Trojan Killer

Carry Trojan Killer Portable on your memory stick. Be sure that you’re able to help your PC resist any cyber threats wherever you go.

Check Also

MageCart on the Heroku Cloud Platform

Researchers Found Several MageCart Web Skimmers On Heroku Cloud Platform

Researchers at Malwarebytes reported about finding several MageCart web skimmers on the Heroku cloud platform …

Android Spyware CallerSpy

CallerSpy spyware masks as an Android chat application

Trend Micro experts discovered the malware CallerSpy, which masks as an Android chat application and, …

Leave a Reply