LinkedIn phishing attacks initiated by Iranian hacker group APT34

With tensions between the United States and Iran reaching new levels of insanity, it is only natural that there will be an increase in espionage operations. When people imagine espionage, they likely conjure up Hollywood-influenced images of dead drops and spies hidden in plain sight. While this likely goes on, sometimes espionage is far simpler than that. This time it involves social engineering by Iran’s APT34. It is this point that researchers at FireEye focus on in their newest post on the company’s blog. As the post reports, the cyberespionage threat actors APT34 have been masquerading as Cambridge University members on LinkedIn. In doing this, they hope to gain the trust of users foolish enough to “grow their network” with people they have never spoken with before. If the LinkedIn phishing attempt results in an accepted connection request, APT34 then sends malicious documents that, when downloaded and opened, execute a powerful payload. FireEye discusses the payloads in detail (more on this later), but the main takeaway is that APT34 is using three new malware families.

The most important details about the APT34 malware are explored in the following excerpt from the blog post:

TONEDEAF is a backdoor that communicates with Command and Control servers using HTTP or DNS. Supported commands include system information collection, file upload, file download, and arbitrary shell command execution. Although this backdoor was coded to be able to communicate with DNS requests to the hard-coded Command and Control server, c[.]cdn-edge-akamai[.]com, it was not configured to use this functionality... VALUEVAULT is a Golang compiled version of the “Windows Vault Password Dumper” browser credential theft tool from Massimiliano Montoro, the developer of Cain & Abel. VALUEVAULT maintains the same functionality as the original tool by allowing the operator to extract and view the credentials stored in the Windows Vault. Additionally, VALUEVAULT will call Windows PowerShell to extract browser history in order to match browser passwords with visited sites... FireEye identified the binary WinNTProgram.exe (MD5:021a0f57fe09116a43c27e5133a57a0a) hosted on the malicious domain offlineearthquake[.]com. FireEye identifies this malware as LONGWATCH. The primary function of LONGWATCH is a keylogger that outputs keystrokes to a log.txt file in the Windows temp folder.

The way FireEye researchers see it, in the LinkedIn phishing attacks, APT34 threat actors appear to be focusing specifically on individuals in either the energy sector or the governmental sector. This makes sense, as a nation about to go to war can use its enemies’ industrial energy infrastructure data to coordinate attacks. As for governmental data, this should be rather obvious: an inside look into the government you are at war with is vital reconnaissance that can be used in a variety of contexts.
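The FireEye excerpt above names the indicators a defender can act on: the TONEDEAF command-and-control domain, the domain that hosted LONGWATCH, and the LONGWATCH filename and MD5. The following Python is an added example, not code from the post or from FireEye; it refangs those indicators and scans constructed DNS and proxy log lines (the log formats and workstation names are assumed) for any contact with them, and compares a file’s hash against the published MD5.

```python
import hashlib
import re

# Indicators quoted in the FireEye excerpt, kept in the defanged form the post uses.
DEFANGED_DOMAINS = ["c[.]cdn-edge-akamai[.]com", "offlineearthquake[.]com"]
LONGWATCH_MD5 = "021a0f57fe09116a43c27e5133a57a0a"
LONGWATCH_NAME = "WinNTProgram.exe"


def refang(indicator):
    """Turn the publication-safe form (x[.]y) back into a matchable hostname."""
    return indicator.replace("[.]", ".").lower()


DOMAINS = [refang(d) for d in DEFANGED_DOMAINS]


def domain_matches(hostname):
    """True if hostname is an indicator domain or a subdomain of one (no substring matches)."""
    host = hostname.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in DOMAINS)


# Constructed sample log lines (not from the report); resolver and proxy formats are assumed.
SAMPLE_LOGS = [
    "2020-02-10T09:12:01Z dns query ws-042 A c.cdn-edge-akamai.com",
    "2020-02-10T09:12:02Z dns query ws-042 A www.cam.ac.uk",
    "2020-02-10T09:13:10Z proxy GET ws-042 http://offlineearthquake.com/WinNTProgram.exe 200",
    "2020-02-10T09:14:00Z proxy GET ws-017 https://www.linkedin.com/feed/ 200",
]

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<src>dns query|proxy GET) (?P<host>\S+) (?:A )?(?P<target>\S+)")


def scan_logs(lines):
    """Return (timestamp, workstation, indicator) triples for lines that touch an indicator."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        target = m.group("target")
        if target.startswith("http"):
            # Reduce a proxy URL to its hostname so it is compared like a DNS name.
            target = target.split("/")[2]
        if domain_matches(target):
            hits.append((m.group("ts"), m.group("host"), target))
    return hits


def is_longwatch_sample(filename, data):
    """Compare a file's name and MD5 against the LONGWATCH values the report publishes."""
    return filename.lower() == LONGWATCH_NAME.lower() and hashlib.md5(data).hexdigest() == LONGWATCH_MD5
```

The suffix check in `domain_matches` is deliberate: a bare substring test would also flag unrelated names such as `notofflineearthquake.com`.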

Of course, the LinkedIn phishing attacks, like all phishing attacks, are easy to avoid. Social media is a natural invasion of your privacy and I personally hate it as a security professional. However, if you insist on using it, only connect with individuals you know. Never accept unsolicited messages or connection requests, and enable 2FA (preferably one-time-password authentication such as FreeOTP) to add a layer of security. If nothing else, use SMS 2FA verification if the website you use does not support more robust forms of multifactor authentication.

Hopefully, war between the U.S. and Iran will not occur, but neither government seems to be interested in de-escalation right now. As this is the case, prepare for more nonsense like this from APT34 and other sources. Perhaps tensions will ease before it is too late.

Derek Kortepeter

Derek Kortepeter is a graduate of UCLA and a tech journalist committed to creating a society that is informed about information security. Kortepeter specializes in areas such as penetration testing, cryptography, cyber warfare, and governmental InfoSec policy.
