An advanced persistent threat (APT) group with ties to Iran has updated its malware toolset to include a new backdoor called Marlin, used in a long-running espionage campaign that began in April 2018.
Slovak cybersecurity firm ESET attributed the attacks, codenamed "Out to Sea", to a threat actor tracked as OilRig (aka APT34), and also linked its activities to a second Iranian group followed under the name Lyceum (Hexane, aka SiameseKitten).
"Victims of the campaign include diplomatic organisations, technology companies and medical institutions in Israel, Tunisia and the United Arab Emirates," ESET said in its T3 2021 Threat Report, which was shared with The Hacker News.
Active since at least 2014, the group is known to target Middle Eastern governments and a variety of business sectors, including chemicals, energy, finance and telecommunications. In April 2021, the actor targeted a Lebanese entity with an implant called SideTwist, while campaigns previously attributed to Lyceum have singled out IT companies in Israel, Morocco, Tunisia and Saudi Arabia.
The Lyceum infection chains are also notable for having evolved to drop multiple backdoors since the campaign came to light in 2018, starting with DanBot and moving on to Shark and Milan in 2021, with attacks detected in August 2021 making use of a new data collection malware called Marlin.
The changes don't end there. In a significant departure from traditional OilRig TTPs, which have relied on DNS and HTTPS for command-and-control (C&C) communication, Marlin uses Microsoft's OneDrive API for its C2 operations. From a network-monitoring standpoint, that means the beaconing rides on legitimate, TLS-protected traffic to a widely used cloud service rather than on a suspicious domain.
ESET, noting that initial access to the network was achieved through spear-phishing as well as remote access and administration software such as ITbrain and TeamViewer, cited similarities in tools and tactics between OilRig's and Lyceum's backdoors that it described as "too numerous and too specific" to be coincidental.
"The ToneDeaf backdoor primarily communicates with its C&C over HTTP/S but includes a secondary method, DNS tunneling, that does not function properly," the researchers said. "Shark also has similar symptoms, where its main method of communication uses DNS but has a non-functional HTTP/S secondary option."
ToneDeaf, which supports system information gathering, file upload and download, and arbitrary shell command execution, is a malware family the APT34 actor deployed in July 2019 against a wide range of industries operating in the Middle East.
In addition, the findings point to the overlapping use of DNS as a C&C communication channel with HTTP/S as the secondary method, and the use of multiple folders inside the backdoor's working directory for files uploaded to and downloaded from the C&C server.
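The two C2 patterns described above, DNS tunneling as used by ToneDeaf and Shark and the OneDrive API channel used by Marlin, each leave a different network footprint. The script below is an added example written for this article, not code from ESET or from the malware: it runs two simple detection heuristics over constructed log lines (the hosts, client addresses, process names and query names are all made up for the example, and the list of "OneDrive API" hostnames and expected client processes is an assumption to be tuned per environment). The first flags DNS queries whose leftmost label is long and high-entropy, the shape encoded data takes when tunneled through DNS; the second flags OneDrive/Graph API traffic originating from a process other than the ones expected to use it.

```python
"""Heuristic detections for DNS tunneling and for OneDrive-API C2 from unexpected processes.
Added example for this article; sample data below is constructed, not real telemetry."""
import math
from collections import Counter

# Constructed DNS resolver log: timestamp, client IP, query type, query name.
DNS_LOG = """\
2021-08-12T09:14:02Z 10.0.4.21 A www.microsoft.com
2021-08-12T09:14:05Z 10.0.4.21 TXT 7a3f9c1e4b8d2a6f0e5c9b3d1a7f4e2c8b6d0a9f.c2-sub.example.net
2021-08-12T09:14:06Z 10.0.4.21 TXT 5d2b8e1f9a4c7b3e6d0f2a8c4e9b1d7f3a5c6e8b.c2-sub.example.net
2021-08-12T09:14:09Z 10.0.4.22 A mail.internal.corp
"""

# Constructed web-proxy log with process attribution: timestamp, client IP, process, URL.
PROXY_LOG = """\
2021-08-12T09:15:01Z 10.0.4.21 OneDrive.exe https://graph.microsoft.com/v1.0/me/drive/root/children
2021-08-12T09:15:03Z 10.0.4.21 svchost.exe https://graph.microsoft.com/v1.0/me/drive/root:/work/tasks:/content
2021-08-12T09:15:07Z 10.0.4.22 chrome.exe https://www.example.com/index.html
"""

# Assumption: hostnames that front the OneDrive API in this example environment.
ONEDRIVE_API_HOSTS = {"graph.microsoft.com", "api.onedrive.com"}
# Assumption: the only processes expected to talk to those hosts on a managed endpoint.
EXPECTED_ONEDRIVE_PROCESSES = {"OneDrive.exe"}


def shannon_entropy(text: str) -> float:
    """Bits per character; random-looking labels score close to log2(alphabet size)."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def flag_dns_tunneling(log: str, min_label_len: int = 30, min_entropy: float = 3.5):
    """Return (client, qtype, qname) for queries whose leftmost label looks like encoded data.

    Long, high-entropy labels are the signature of data being smuggled in query names;
    ordinary hostnames are short and low-entropy. Thresholds are assumptions to tune."""
    hits = []
    for line in log.splitlines():
        if not line.strip():
            continue
        _ts, client, qtype, qname = line.split()
        label = qname.split(".")[0]
        if len(label) >= min_label_len and shannon_entropy(label) >= min_entropy:
            hits.append((client, qtype, qname))
    return hits


def flag_unexpected_onedrive_clients(log: str):
    """Return (client, process, url) for OneDrive API traffic from a process not on the allowlist.

    Blending into legitimate cloud traffic defeats domain reputation, so the useful signal
    is *which process* opened the connection, which requires endpoint/proxy telemetry."""
    hits = []
    for line in log.splitlines():
        if not line.strip():
            continue
        _ts, client, process, url = line.split()
        host = url.split("://", 1)[1].split("/", 1)[0].lower()
        if host in ONEDRIVE_API_HOSTS and process not in EXPECTED_ONEDRIVE_PROCESSES:
            hits.append((client, process, url))
    return hits


if __name__ == "__main__":
    for hit in flag_dns_tunneling(DNS_LOG):
        print("possible DNS tunneling:", hit)
    for hit in flag_unexpected_onedrive_clients(PROXY_LOG):
        print("OneDrive API traffic from unexpected process:", hit)
```

Run as-is, the script flags the two TXT queries with 40-character hex labels and the Graph API request made by svchost.exe, while the legitimate OneDrive.exe request and the ordinary lookups pass. Neither heuristic is a signature for the actual malware; the DNS check will also fire on some legitimate services that encode data in query names, and the process check depends on having per-process attribution in proxy or EDR logs, so both are starting points for a hunt rather than blocking rules.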