The cybercrime group APT34, which is associated with the Iranian government, continues its espionage campaigns, now using LinkedIn to deliver a backdoor. According to a report by FireEye experts, the attackers pose as a researcher from Cambridge and invite victims to join their group. A malicious xls file is then sent to these users.
“In late June, FireEye researchers discovered the APT34 phishing campaign. We have identified three main differences in this cyber operation. First, the intruders pose as Cambridge experts to gain user confidence. Secondly, LinkedIn is used to deliver malicious documents. Third, APT34 has added three new malicious programs to its arsenal,” the FireEye report said.
The attacks also used the Pickpocket tool, designed to steal credentials from browsers.
The main targets of APT34 were organizations in the oil, energy and gas sectors; the criminals also attacked government organizations.
The malicious document ERFT-Details.xls was used as a dropper, and the lure was the opportunity to get a job on the Cambridge research team.
In the final phase, the Tonedeaf backdoor is installed on the victim’s computer. It communicates with the C&C server using HTTP GET and POST requests. The malware supports several commands that allow it to collect system information, upload and download files, and execute shell commands.
Recall that the APT34 group is also known as OilRig, HelixKitten and Greenbug.
“With increasing geopolitical tensions in the Middle East, we expect Iran to significantly increase the volume and scope of its cyber espionage campaigns. Iran has a critical need for strategic intelligence and is likely to fill this gap by conducting espionage against decision makers and key organizations that may have information that furthers Iran’s economic and national security goals. We recommend organizations remain vigilant in their defenses, and remember to view their environment holistically when it comes to information security,” conclude FireEye specialists.