Iranian hackers exposed in a highly targeted espionage campaign


Threat analysts have spotted a novel attack attributed to the Iranian hacking group known as APT34 group or Oilrig, who targeted a Jordanian diplomat with custom-crafted tools.

The attack involved advanced anti-detection and anti-analysis techniques and had some characteristics that indicate lengthy and careful preparation.

Security researchers at Fortinet have gathered evidence and artifacts from the attack in May 2022 and compiled a technical report to highlight APT34’s latest techniques and methods.

Targeting diplomats

The spear-phishing email seen by Fortinet targeted a Jordanian diplomat, pretending to be from a colleague in the government, with the email address spoofed accordingly.

The email carried a malicious Excel attachment that contained VBA macro code that executes to create three files, a malicious executable, a configuration file, and a signed and clean DLL.

The macro also creates persistence for the malicious executable (update.exe) by adding a scheduled task that repeats every four hours.

“Since Excel is a signed binary, maintaining persistence in this way may be missed by some behavioral detection engines,” comment Fortinet’s analysts.

Another unusual finding concerns two anti-analysis mechanisms implemented in the macro: the toggling of sheet visibility in the spreadsheet and the other a check for the existence of a mouse, which may not be present on malware analysis sandbox services.

The payload

The malicious executable is a .NET binary that checks program states and puts itself to sleep for eight hours after launching. The analysts believe the hackers probably set this delay on the assumption that the diplomat would open the email in the morning and leave after eight hours so that the computer would be unattended.

When active, the malware communicates with C2 subdomains using a domain generation algorithm (DGA) tool. DGA is a widely-used technique that makes malware operations more resilient to domain takedowns and block-listing.

Domain generation algorithm system
Domain generation algorithm system (Fortinet)

It then sets up a DNS tunnel to communicate with the provided IP address. This is a rarely seen technique that helps threat actors encrypt the data exchanged in the context of…