US Government Vendor, Westat, Targeted by Iranian Hackers

According to security researchers, the Iranian hacking group APT34 was recently observed sending malicious emails to a US-based firm with ties to the government.
Security researchers at Intezer recently reported new hacking activity coming from Iran, in which the known threat actor APT34 was observed sending malicious emails to a US-based company. The company in question is Westat, a professional services firm that provides research services to more than 80 federal agencies as well as state and local governments. Both the company's employees and its customers were allegedly targeted with emails carrying malicious attachments.

The attack was noticed in January 2020, after the researchers identified a malicious file named survey.xls. The emails pose as an employee satisfaction survey in an attempt to trick the firm's employees and customers into opening the attachment. The Excel spreadsheet appears blank when first opened; only after the victim enables macros does an actual survey appear. The survey is only a front: in the background, the macro code runs, unpacking a .ZIP file and extracting and installing a .exe file that is executed only around five minutes after the initial infection. The payload is the TONEDEAF malware, a backdoor that can collect system information, upload and download files, and more.

Westat acknowledged the existence of the malware and credited Intezer for its discovery. Researchers have, in turn, attributed the campaign to Iran's APT34, also known as Greenbug or OilRig, a group whose specialty is cyber-espionage. The group has previously targeted numerous organizations in the Middle East, particularly government, financial, and energy entities.
According to the researchers, the group's malware has been modified and made more advanced in order to improve its stealth. This version, TONEDEAF 2.0, achieves that by hiding its imported API calls.
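The lure described above relies on a macro-enabled workbook that carries its own payload, and the five-minute delay before the dropped .exe runs is long enough to slip past a sandbox that only observes a sample briefly. Static triage of the attachment does not depend on that timing. The following is an added example, not code from Intezer, Westat or the original article: a small Python script that opens an Office Open XML file as the ZIP container it is, flags whether it contains a VBA project, and looks inside every part for an embedded ZIP archive or PE executable. The sample workbook it builds is constructed inline so the checks run offline; it is not the real survey.xls, and the part names and payload bytes are assumptions made for the demonstration.

```python
import io
import zipfile

PE_MAGIC = b"MZ"                  # DOS header that starts every PE executable
ZIP_MAGIC = b"PK\x03\x04"         # local file header of a ZIP entry
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # compound file header (vbaProject.bin is OLE)
MACRO_CONTENT_TYPE = b"application/vnd.ms-office.vbaProject"


def build_sample_xlsm() -> bytes:
    """Constructed sample (not the real lure): a macro-enabled workbook whose
    embedded object part carries a nested ZIP holding a fake PE file."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        # fake executable: only the magic and a recognisable DOS stub string
        z.writestr("update.exe", PE_MAGIC + b"\x90\x00This program cannot be run in DOS mode")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("[Content_Types].xml",
                   b'<Types><Override PartName="/xl/vbaProject.bin" '
                   b'ContentType="application/vnd.ms-office.vbaProject"/></Types>')
        z.writestr("xl/workbook.xml", b"<workbook/>")
        z.writestr("xl/vbaProject.bin", OLE_MAGIC + b"\x00" * 64)
        # 16 bytes of padding then the nested ZIP, as an OLE object blob might carry it
        z.writestr("xl/embeddings/oleObject1.bin", b"\x00" * 16 + inner.getvalue())
    return outer.getvalue()


def build_clean_xlsx() -> bytes:
    """Constructed control sample with no macros and no embedded objects."""
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w") as z:
        z.writestr("[Content_Types].xml", b"<Types/>")
        z.writestr("xl/workbook.xml", b"<workbook/>")
    return out.getvalue()


def triage_ooxml(data: bytes) -> dict:
    """Return static findings for an OOXML attachment held in memory."""
    findings = {"is_ooxml": False, "has_vba": False,
                "embedded_zip_parts": [], "embedded_pe_parts": []}
    try:
        container = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings                      # not a ZIP, so not OOXML at all
    names = container.namelist()
    findings["is_ooxml"] = "[Content_Types].xml" in names
    for name in names:
        blob = container.read(name)
        # A VBA project part, or a content type declaring one, means macros are present
        if name.lower().endswith("vbaproject.bin"):
            findings["has_vba"] = True
        if name == "[Content_Types].xml":
            if MACRO_CONTENT_TYPE in blob:
                findings["has_vba"] = True
            continue
        if blob.startswith(PE_MAGIC):
            findings["embedded_pe_parts"].append(name)
        offset = blob.find(ZIP_MAGIC)
        if offset < 0:
            continue
        findings["embedded_zip_parts"].append(name)
        # Try to open the nested archive and look for executables inside it
        try:
            nested = zipfile.ZipFile(io.BytesIO(blob[offset:]))
        except zipfile.BadZipFile:
            continue
        for entry in nested.namelist():
            if nested.read(entry).startswith(PE_MAGIC):
                findings["embedded_pe_parts"].append(f"{name}:{entry}")
    return findings


def should_quarantine(findings: dict) -> bool:
    """Macros plus any embedded executable is enough to pull the file for analysis."""
    return findings["has_vba"] and bool(findings["embedded_pe_parts"])


if __name__ == "__main__":
    for label, sample in (("constructed lure", build_sample_xlsm()), ("clean", build_clean_xlsx())):
        result = triage_ooxml(sample)
        print(label, result, "quarantine" if should_quarantine(result) else "allow")
```

This only catches payloads stored in the container as-is; a macro that rebuilds its ZIP from Base64 text in cells or fetches it over the network will not trip the PE or ZIP checks, which is why the `has_vba` flag alone is still worth alerting on for attachments arriving from outside the organisation.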

Disclaimer

In adherence to the Trust Project guidelines, BeInCrypto is committed to unbiased, transparent reporting. This news article aims to provide accurate, timely information. However, readers are advised to verify facts independently and consult with a professional before making any decisions based on this content. Please note that our Terms and Conditions, Privacy Policy, and Disclaimers have been updated.