An Iranian threat actor has unleashed a new cyberespionage campaign against a possible Lebanese target with a backdoor capable of exfiltrating sensitive information from compromised systems.
Cybersecurity firm Check Point attributed the operation to APT34, citing similarities with previous techniques used by the threat actor as well as based on its pattern of victimology.
APT34 (aka OilRig) is known for its reconnaissance campaigns aligned with the strategic interests of Iran, primarily hitting financial, government, energy, chemical, and telecommunications industries in the Middle East.
The group typically resorts to targeting individuals through the use of booby-trapped job offer documents, delivered directly to the victims via LinkedIn messages. Although the latest campaign bears some of the same hallmarks, the exact mode of delivery remains unclear as yet.
The Word document analyzed by Check Point — which was uploaded to VirusTotal from Lebanon on January 10 — claims to offer information about different positions at a U.S.-based consulting firm named Ntiva IT, only to trigger the infection chain upon activating the embedded malicious macros, ultimately resulting in the deployment of a backdoor called “SideTwist.”
Aside from gathering basic information about the victim’s machine, the backdoor establishes connections with a remote server to await additional commands that allow it to download files from the server, upload arbitrary files, and execute shell commands, the results of which are posted back to the server.
Check Point notes that the use of new backdoor points to the group’s ongoing efforts to overhaul and update their payload arsenal in the wake of a 2019 leak of its hacking tools, which also doxxed several officers of the Iranian Ministry of Intelligence who were involved with APT34 operations.
“Iran backed APT34 shows no sign of slowing down, further pushing its political agenda in the middle-east, with an ongoing focus on Lebanon — using offensive cyber operations,” the researchers said. “While maintaining its modus operandi and reusing old techniques, the group continues to create new and updated tools to minimize the possible detection of their tools by security vendors.”