According to security researchers, an Iranian hacking group APT34 was recently observed sending malicious emails to a US-based firm with ties to the government.
Security researchers at Intezer recently reported a new hacking activity coming from Iran, where a known threat actor, APT34 was observed sending malicious emails to a US-based company. The company in question is called Westat, and it is known for having ties to the US local and state governments, as well as to the country’s federal agencies.
https://twitter.com/MysterMyke/status/1223504467712036864
The company’s employees, as well as its customers, were allegedly targeted with emails containing malicious attachments. The company itself is a professional services firm that offers research services to over 80 federal agencies, as well as local and state governments.
The attack was noticed in January 2020, after the researchers identified a malicious file named survey xls. The emails that the hackers have been sending are posing as an employee satisfaction survey in an attempt to trick the employees and customers of the firm into opening it. They contain Excel spreadsheets that look blank upon downloading and opening. However, after the victim enables macros on the spreadsheet, there is an actual survey that will appear.
Of course, the survey is only there as a front. In the background, the malicious code for macro is being executed. The code works by unpacking a .ZIP file, extracting and installing a .exe file, which is run only around five minutes after the infection of the system. It delivers a TONEDEAF malware, which then acts as a backdoor that can collect system data, keep track of uploads and downloads, and more.
Westat acknowledged the existence of the malware and has credited Intezer for its discovery. Researchers have, in turn, linked the campaign to APT34 from Iran, also known as Greenbug, or OilRig — a group whose specialty is cyber-espionage. The group has previously targeted numerous organizations in the Middle East, particularly government, financial, or energy entities.
According to researchers, the malware that the group is using is modified — evolved and more advanced in order to increase its stealthy approach. This TONEDEAF 2.0 does this by hiding its imported API calls
Disclaimer
In adherence to the Trust Project guidelines, BeInCrypto is committed to unbiased, transparent reporting. This news article aims to provide accurate, timely information. However, readers are advised to verify facts independently and consult with a professional before making any decisions based on this content. Please note that our Terms and Conditions, Privacy Policy, and Disclaimers have been updated.
Sponsored
Sponsored
