Iranian hackers exposed in a highly targeted espionage campaign (Security News, May 2022)
Threat analysts have spotted a novel attack attributed to the Iranian hacking group known as APT34 or OilRig, which targeted a Jordanian diplomat with custom-crafted tools.
The attack involved advanced anti-detection and anti-analysis techniques and showed signs of lengthy and careful preparation.
Security researchers at Fortinet gathered evidence and artifacts from the attack in May 2022 and compiled a technical report highlighting APT34's latest techniques and methods.
The attack began with an email carrying a malicious Excel attachment. The document's VBA macro, when executed, creates three files: a malicious executable, a configuration file, and a signed, clean DLL. The macro also establishes persistence for the malicious executable by adding a scheduled task that repeats every four hours.
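The persistence step above is a pattern a defender can hunt for directly. The Python below is an added example for this page, not code from Fortinet's report or from the campaign: it parses scheduled-task definitions in the XML format written by `schtasks /query /XML`, converts each repetition interval from its ISO 8601 duration form (PT4H, PT30M, P1DT12H), and flags tasks that both repeat on a short interval and launch from a user-writable location. The task names, paths and times in the sample exports are constructed for illustration; the six-hour threshold and the list of user-writable markers are assumptions to tune for your environment.

```python
"""Triage exported Windows scheduled tasks: short repetition interval plus an action that
runs from a user-writable path. Example code for this page; the sample task XML below is
constructed (hypothetical names, paths, times), not real telemetry.
Note: `schtasks /query /XML` writes UTF-16; decode real exports before calling parse_task().
"""
import re
import xml.etree.ElementTree as ET
from typing import Optional

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Locations an unprivileged user can write to (assumed list; extend for your estate).
USER_WRITABLE_MARKERS = (
    "\\appdata\\", "\\temp\\", "\\downloads\\", "\\public\\",
    "%appdata%", "%localappdata%", "%temp%", "%tmp%", "%userprofile%",
)

# Task Scheduler expresses intervals as ISO 8601 durations, e.g. PT4H, PT30M, P1DT12H.
_DURATION_RE = re.compile(
    r"^P(?:(?P<days>\d+)D)?"
    r"(?:T(?:(?P<hours>\d+)H)?(?:(?P<minutes>\d+)M)?(?:(?P<seconds>\d+)S)?)?$"
)


def iso_duration_seconds(value: str) -> Optional[int]:
    """Convert a Task Scheduler duration string to seconds; None if it does not parse."""
    m = _DURATION_RE.match(value.strip())
    if not m:
        return None
    parts = {k: int(v or 0) for k, v in m.groupdict().items()}
    return (parts["days"] * 86400 + parts["hours"] * 3600
            + parts["minutes"] * 60 + parts["seconds"])


def parse_task(name: str, xml_text: str) -> dict:
    """Pull every repetition interval and every Exec command out of one task definition."""
    root = ET.fromstring(xml_text)
    intervals = []
    for node in root.iterfind(".//t:Repetition/t:Interval", TASK_NS):
        secs = iso_duration_seconds(node.text or "")
        if secs is not None:
            intervals.append(secs)
    commands = [(node.text or "").strip()
                for node in root.iterfind(".//t:Actions/t:Exec/t:Command", TASK_NS)]
    return {"name": name, "intervals": intervals, "commands": commands}


def is_suspicious(task: dict, max_interval_seconds: int = 6 * 3600) -> bool:
    """Both must hold: repeats at least every max_interval AND runs from a user-writable dir."""
    repeats_often = any(i <= max_interval_seconds for i in task["intervals"])
    from_user_dir = any(marker in cmd.lower()
                        for cmd in task["commands"] for marker in USER_WRITABLE_MARKERS)
    return repeats_often and from_user_dir


def triage(tasks) -> list:
    """Return the names of suspicious tasks from an iterable of (name, xml_text) pairs."""
    return [t["name"] for t in (parse_task(n, x) for n, x in tasks) if is_suspicious(t)]


# Constructed sample exports. Weekly system task: benign on both counts.
BENIGN_DEFRAG_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <CalendarTrigger>
      <StartBoundary>2022-01-05T01:00:00</StartBoundary>
      <ScheduleByWeek><DaysOfWeek><Wednesday/></DaysOfWeek><WeeksInterval>1</WeeksInterval></ScheduleByWeek>
    </CalendarTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec><Command>%windir%\system32\defrag.exe</Command><Arguments>-c -h -o</Arguments></Exec>
  </Actions>
</Task>"""

# Hourly, but from System32: frequent repetition alone is not enough to flag.
FREQUENT_SYSTEM_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <TimeTrigger>
      <Repetition><Interval>PT1H</Interval></Repetition>
      <StartBoundary>2022-01-05T00:00:00</StartBoundary>
    </TimeTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec><Command>C:\Windows\System32\cleanmgr.exe</Command></Exec>
  </Actions>
</Task>"""

# The pattern from the article: four-hour repetition, executable under the user's profile.
DROPPER_PERSISTENCE_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <TimeTrigger>
      <Repetition><Interval>PT4H</Interval><StopAtDurationEnd>false</StopAtDurationEnd></Repetition>
      <StartBoundary>2022-04-02T09:00:00</StartBoundary>
      <Enabled>true</Enabled>
    </TimeTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec><Command>%LOCALAPPDATA%\MicrosoftUpdate\update.exe</Command></Exec>
  </Actions>
</Task>"""

SAMPLE_TASKS = [
    ("ScheduledDefrag", BENIGN_DEFRAG_XML),
    ("HourlyCleanup", FREQUENT_SYSTEM_XML),
    ("UpdateTask", DROPPER_PERSISTENCE_XML),
]

if __name__ == "__main__":
    for task_name in triage(SAMPLE_TASKS):
        print("suspicious:", task_name)
```

Only the third task is reported: the hourly system task repeats frequently but runs from System32, and the defrag task has no repetition at all. In practice, also compare the signed-DLL side-loading angle the article mentions by checking whether the flagged executable's directory contains DLLs with names that match Windows or Office libraries, since a clean signed DLL next to an unsigned binary is exactly what a scheduled-task listing alone will not show.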
The payload
The malicious executable is a .NET binary built around a set of program states (a state machine) that it checks as it runs; after launching, it puts itself to sleep for eight hours, a delay designed to outlast automated sandbox analysis.
The backdoor locates its command-and-control infrastructure through a domain generation algorithm (DGA), a widely used technique that makes malware operations more resilient to domain takedowns and blocklisting: because the malware derives a fresh stream of candidate domains on its own, blocking or seizing any single domain does not cut it off.
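The defensive counterpart to that point is to stop looking for individual domains and look for the behaviour instead. The Python below is an added example for this page, not code from Fortinet's report or from the malware it describes: it scores the registrable label of each queried name for DGA traits (length, Shannon entropy, digit density) and then aggregates per client, so a host burning through many random-looking candidates, most of them unregistered and answered NXDOMAIN, stands out even though no single name is on any blocklist. The log format ("timestamp client qname rcode") and every entry in it are constructed; the thresholds and the tiny public-suffix stand-in are assumptions.

```python
"""Score DNS query logs for domain-generation-algorithm (DGA) behaviour.
Example code for this page; the log format and all entries below are constructed
("timestamp client qname rcode"), and the thresholds are starting points, not tuned values.
"""
import math
from collections import Counter, defaultdict
from typing import Dict, Iterator

# Constructed sample: one workstation browsing normally, one cycling through random-looking
# candidate domains (most unregistered, hence NXDOMAIN), one with a harmless typo.
SAMPLE_DNS_LOG = """\
2022-05-10T09:00:01Z 10.0.0.23 www.microsoft.com NOERROR
2022-05-10T09:00:02Z 10.0.0.23 login.live.com NOERROR
2022-05-10T09:00:03Z 10.0.0.41 kx7q2vp9z0a1.com NXDOMAIN
2022-05-10T09:00:04Z 10.0.0.41 3bq8fz1mtp7k.net NXDOMAIN
2022-05-10T09:00:05Z 10.0.0.41 q9vz4tj2x8rl.org NXDOMAIN
2022-05-10T09:00:06Z 10.0.0.41 pz71mk4q9xvb.com NXDOMAIN
2022-05-10T09:00:07Z 10.0.0.41 v4tq8zk1mx7p.info NOERROR
2022-05-10T09:00:08Z 10.0.0.23 update.googleapis.com NOERROR
2022-05-10T09:00:09Z 10.0.0.57 nonexistent-host.corp.example NXDOMAIN
"""

# Minimal stand-in for the public suffix list (assumption); production code should use the real list.
TWO_PART_SUFFIXES = {"co.uk", "org.uk", "com.au", "co.jp", "com.br"}


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random-looking labels score near log2(distinct chars)."""
    n = len(s)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def registrable_label(qname: str) -> str:
    """The label the operator had to register: 'example' for a.b.example.co.uk."""
    labels = qname.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_PART_SUFFIXES:
        return labels[-3]
    return labels[-2] if len(labels) >= 2 else labels[0]


def looks_generated(label: str, min_len: int = 10, min_entropy: float = 3.0,
                    min_digit_ratio: float = 0.2) -> bool:
    """Heuristic for algorithmically generated labels: long, high entropy, digit heavy."""
    if len(label) < min_len:
        return False
    digit_ratio = sum(ch.isdigit() for ch in label) / len(label)
    return shannon_entropy(label) >= min_entropy and digit_ratio >= min_digit_ratio


def parse_dns_log(text: str) -> Iterator[dict]:
    """Yield one record per non-empty line of the constructed log format."""
    for line in text.splitlines():
        if line.strip():
            ts, client, qname, rcode = line.split()
            yield {"ts": ts, "client": client, "qname": qname, "rcode": rcode}


def find_dga_clients(text: str, min_hits: int = 3) -> Dict[str, dict]:
    """Clients with at least min_hits generated-looking lookups, with their NXDOMAIN count.

    Blocklisting one domain does nothing against this pattern: the host moves on to the
    next candidate, so the per-host aggregate is the signal worth alerting on.
    """
    stats = defaultdict(lambda: {"generated": 0, "nxdomain": 0, "examples": []})
    for rec in parse_dns_log(text):
        if not looks_generated(registrable_label(rec["qname"])):
            continue
        s = stats[rec["client"]]
        s["generated"] += 1
        s["nxdomain"] += int(rec["rcode"] == "NXDOMAIN")
        if len(s["examples"]) < 3:
            s["examples"].append(rec["qname"])
    return {client: s for client, s in stats.items() if s["generated"] >= min_hits}


if __name__ == "__main__":
    for client, s in find_dga_clients(SAMPLE_DNS_LOG).items():
        print(f"{client}: {s['generated']} generated-looking lookups, "
              f"{s['nxdomain']} NXDOMAIN, e.g. {', '.join(s['examples'])}")
```

Two caveats for real deployments. First, a DGA that only varies the leftmost label under an apex the operator already controls will resolve successfully and produce no NXDOMAIN burst, so for that variant score the leftmost label and count distinct subdomains per apex per host instead. Second, CDN and cloud hostnames are legitimately high-entropy, which is why the per-host count and the NXDOMAIN ratio carry more weight than any single name's score; baseline the thresholds against your own resolver logs before alerting on them.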
Related news
- Iranian hackers charged for 'hack-and-leak' plot to influence election
- Iranian hackers now exploit Windows flaw to elevate privileges
- Iranian hackers act as brokers selling critical infrastructure access
- Iranian Hackers Use "Dream Job" Lures to Deploy SnailResin Malware in Aerospace Attacks
- Iranian Hackers Deploy WezRat Malware in Attacks Targeting Israeli Organizations
- Chinese Hackers Exploit T-Mobile and Other U.S. Telecoms in Broader Espionage Campaign