With tensions between the United States and Iran reaching new levels of insanity, it is only natural that espionage operations will increase. When people imagine espionage, they likely conjure up Hollywood-influenced images of dead drops and spies hidden in plain sight. While that likely goes on, espionage is sometimes far simpler than that. This time it involves social engineering by Iran’s APT34, and that is the point researchers at FireEye focus on in the newest post on the company’s blog. As the post reports, the cyberespionage threat actors of APT34 have been masquerading as Cambridge University members on LinkedIn, hoping to gain the trust of users foolish enough to “grow their network” with people they have never spoken with before. If this LinkedIn phishing attempt results in an accepted connection request, APT34 then sends malicious documents that, when downloaded, execute a powerful payload. FireEye discusses the payloads in detail (more on this later), but the main takeaway is that APT34 is using three new malware families.
The most important details about the APT34 malware are explored in the following excerpt from the blog post:
TONEDEAF is a backdoor that communicates with Command and Control servers using HTTP or DNS. Supported commands include system information collection, file upload, file download, and arbitrary shell command execution. Although this backdoor was coded to be able to communicate with DNS requests to the hard-coded Command and Control server, c[.]cdn-edge-akamai[.]com, it was not configured to use this functionality…
VALUEVAULT is a Golang compiled version of the “Windows Vault Password Dumper” browser credential theft tool from Massimiliano Montoro, the developer of Cain & Abel. VALUEVAULT maintains the same functionality as the original tool by allowing the operator to extract and view the credentials stored in the Windows Vault. Additionally, VALUEVAULT will call Windows PowerShell to extract browser history in order to match browser passwords with visited sites…
FireEye identified the binary WinNTProgram.exe (MD5:021a0f57fe09116a43c27e5133a57a0a) hosted on the malicious domain offlineearthquake[.]com. FireEye identifies this malware as LONGWATCH. The primary function of LONGWATCH is a keylogger that outputs keystrokes to a log.txt file in the Windows temp folder.
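The excerpt above gives a defender a small set of concrete indicators: the two domains, the WinNTProgram.exe file name, its MD5, and the log.txt-in-temp behaviour of LONGWATCH. The following script is an added example (not FireEye's code and not part of the original post) that turns those indicators into a simple matcher and runs it over constructed key=value log lines; the log format, timestamps, workstation names and the clean-process hash are all invented for the example.

```python
"""Match the APT34 indicators quoted above against simple key=value log events.

Added example. The indicators (domains, file name, MD5) come from the FireEye
excerpt on this page; the log format and sample lines are constructed.
"""
import re
from typing import Dict, List

# Indicators from the quoted excerpt. The page writes the domains defanged
# ("[.]"); refang() makes both the defanged and the live form match.
IOC_DOMAINS = {"c.cdn-edge-akamai.com", "offlineearthquake.com"}
IOC_MD5 = {"021a0f57fe09116a43c27e5133a57a0a"}
IOC_FILENAMES = {"winntprogram.exe"}

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def refang(value: str) -> str:
    """Turn 'offlineearthquake[.]com' into 'offlineearthquake.com' (lower-cased)."""
    return value.replace("[.]", ".").lower()


def parse_line(line: str) -> Dict[str, str]:
    """Parse one constructed key=value log line into a dict (quoted values allowed)."""
    return {k: v.strip('"') for k, v in _KV.findall(line)}


def domain_in_scope(host: str) -> bool:
    """Exact or subdomain match against the quoted C2 domains."""
    host = refang(host)
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)


def classify(event: Dict[str, str]) -> List[str]:
    """Return the reasons an event matches the quoted indicators (empty if clean)."""
    reasons: List[str] = []
    kind = event.get("type")
    if kind in ("dns", "http"):
        host = event.get("qname") or event.get("host", "")
        if domain_in_scope(host):
            reasons.append(f"contact with quoted C2 domain: {refang(host)}")
    if kind == "process":
        if event.get("md5", "").lower() in IOC_MD5:
            reasons.append("LONGWATCH hash match")
        image = event.get("image", "").rsplit("\\", 1)[-1].lower()
        if image in IOC_FILENAMES:
            reasons.append("LONGWATCH binary name")
    if kind == "file":
        # LONGWATCH writes keystrokes to log.txt in the Windows temp folder.
        # A generic name in a generic folder: treat this as a weak, noisy signal.
        path = event.get("path", "").lower()
        if path.endswith("\\log.txt") and "\\temp\\" in path:
            reasons.append("log.txt written under a temp folder (weak LONGWATCH heuristic)")
    return reasons


def scan(lines: List[str]) -> List[Dict[str, object]]:
    """Run classify() over every line and collect the events that matched."""
    alerts = []
    for line in lines:
        event = parse_line(line)
        reasons = classify(event)
        if reasons:
            alerts.append({"ts": event.get("ts"), "host": event.get("src"), "reasons": reasons})
    return alerts


# Constructed sample events: one infected workstation (ws-17) and one clean one (ws-03).
SAMPLE_LOGS = [
    "ts=2019-07-18T09:12:01Z type=dns src=ws-17 qname=c.cdn-edge-akamai.com",
    "ts=2019-07-18T09:12:05Z type=http src=ws-17 host=offlineearthquake.com uri=/WinNTProgram.exe",
    'ts=2019-07-18T09:12:09Z type=process src=ws-17 image="C:\\Users\\a\\Downloads\\WinNTProgram.exe" md5=021a0f57fe09116a43c27e5133a57a0a',
    'ts=2019-07-18T09:13:00Z type=file src=ws-17 path="C:\\Users\\a\\AppData\\Local\\Temp\\log.txt"',
    "ts=2019-07-18T09:14:00Z type=dns src=ws-03 qname=www.example.com",
    'ts=2019-07-18T09:15:00Z type=process src=ws-03 image="C:\\Windows\\System32\\notepad.exe" md5=00000000000000000000000000000000',
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOGS):
        print(alert["ts"], alert["host"], "; ".join(alert["reasons"]))
```

The domain and hash matches are exact and therefore brittle (a rebuilt binary or a new domain evades them), while the log.txt rule errs the other way and will fire on benign software; in practice the file rule is only worth alerting on when it coincides with one of the stronger matches on the same host, which is why scan() keeps the source host on every alert.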
As FireEye researchers see it, in the LinkedIn phishing attacks APT34 appears to be focusing specifically on individuals in the energy sector or in government. This makes sense: a nation about to go to war can use data on its enemy’s industrial energy infrastructure to coordinate attacks. As for governmental data, it should be rather obvious that an inside look at the government you are at war with is vital reconnaissance that can be used in a variety of contexts.
Of course, the LinkedIn phishing attacks, like all phishing attacks, are easy to avoid. Social media is a natural invasion of your privacy and I personally hate it as a security professional. However, if you insist on using it, only connect with individuals you know. Never accept unsolicited messages or connection requests, and enable 2FA (preferably one-time-password authentication such as FreeOTP) to add a layer of security. If nothing else, use SMS 2FA verification when the website does not support stronger forms of multifactor authentication.
Hopefully, war between the U.S. and Iran will not occur, but neither government seems to be interested in de-escalation right now. As this is the case, prepare for more nonsense like this from APT34 and other sources. Perhaps tensions will ease before it is too late.