Iranian Hackers Using New Marlin Backdoor in 'Out to Sea' Espionage Campaign
An advanced persistent threat (APT) group with ties to Iran has updated its malware toolset to include a new backdoor dubbed Marlin as part of a long-running espionage campaign that started in April 2018.
Slovak cybersecurity firm ESET attributed the attacks — codenamed "Out to Sea" — to a threat actor known as OilRig (aka APT34), while also conclusively connecting its activities to a second Iranian group tracked under the name Lyceum (Hexane aka SiameseKitten).
"Victims of the campaign include diplomatic organizations, technology companies, and medical organizations in Israel, Tunisia, and the United Arab Emirates," ESET noted in its T3 2021 Threat Report shared with The Hacker News.
Active since at least 2014, the hacking group is known to strike Middle Eastern governments and a variety of business verticals, including chemical, energy, financial, and telecommunications. In April 2021, the actor targeted a Lebanese entity with an implant called SideTwist, while campaigns previously attributed to Lyceum have singled out IT companies in Israel, Morocco, Tunisia, and Saudi Arabia.
The Lyceum infection chains are also notable for the fact that they have evolved to drop multiple backdoors since the campaign came to light in 2018 — starting with DanBot and transitioning to Shark and Milan in 2021 — with attacks detected in August 2021 leveraging a new data collection malware called Marlin.
The changes do not end there. In what is a significant departure from traditional OilRig TTPs, which have involved the use of DNS and HTTPS for command-and-control (C&C) communications, Marlin uses Microsoft's OneDrive API for its C2 operations.
ESET, noting that initial access to the network was achieved through spear-phishing as well as remote access and administration software like ITbrain and TeamViewer, cited similarities in tools and tactics between OilRig's backdoors and those of Lyceum as "too numerous and specific."
"The ToneDeaf backdoor primarily communicated with its C&C over HTTP/S but included a secondary method, DNS tunneling, which does not function properly," the researchers said. "Shark has similar symptoms, where its primary communication method uses DNS but has a non-functional HTTP/S secondary option."
ToneDeaf, which supports collecting system information, uploading and downloading of files, and arbitrary shell command execution, is a malware family that was deployed by the APT34 actor targeting a broad range of industries operating in the Middle East in July 2019.
Additionally, the findings pointed out the overlapping use of DNS as a C&C communication channel, the use of HTTP/S as a secondary communication method, and the use of multiple folders in a backdoor's working directory for uploading and downloading files from the C&C server.
Source: https://thehackernews.com/2022/02/iranian-hackers-using-new-marlin.html