The threat actor is using email, DNS tunneling and an updated IIS backdoor to communicate with “Veaty” and “Spearal”, two new malware tools in its portfolio.
Here’s what’s noteworthy about the campaign:
An attacker thought to be Iran’s APT34 group (aka Oil Rig, Greenbug and Helix Kitten) has launched a new campaign targeting government entities in Iraq. The attacks have been going on for at least the past several months. Researchers at Check Point Research (CPR) spotted the activity recently and released a report on it this week. CPR did not offer any information on potential motives for the attacks. But APT34’s past attacks have focused on collecting information of strategic economic and geopolitical importance to Teheran.
Multiple C2 options
The attacker has employed multiple command and control (C2) mechanisms to communicate with malware on compromised systems. One of them involves the threat actor using compromised email accounts at the victim organization to exchange C2 communication with an attacker-controlled server. This is not the first time that APT34 has employed the tactic. See this Palo Alto Networks report for a description on how APT34/OilRig combined steganography with email based C2 in a 2020 attack on a Middle Eastern telecommunications organization.
Another C2 tactic APT34 is using in its latest attacks is passing base32-encoded commands through DNS tunneling. A third involves sending C2 communication through an updated version of a passive IIS backdoor that APT34 has used in previous attacks. Security experts consider all three approaches to provide a fairly effective covert channel for C2 communication.
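A defender-side illustration of the DNS tunneling transport described above, as an added example that is not part of CPR's report or the original article: a heuristic that flags queries whose subdomain labels are long, base32-only and high-entropy, then re-pads and decodes the labels for triage. The log format, thresholds, sample command and the placeholder domain are all constructed for this example; it assumes each query carries a self-contained base32 chunk and that the last two labels are the registered domain.

```python
import base64
import math
import re
from collections import Counter
# Heuristic detector for DNS queries whose subdomain labels carry base32 data,
# the C2 transport the article attributes to Spearal. Thresholds, log format and
# placeholder domain are constructed for this example, not taken from CPR's report.
BASE32_LABEL = re.compile(r"^[A-Z2-7]+$")

def shannon_entropy(text):
    """Bits per character; encoded bytes score higher than real hostnames."""
    counts, n = Counter(text), len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def looks_base32_tunnel(qname, min_payload_len=20, min_entropy=3.5):
    """Treat all labels except the last two (assumed registered domain) as payload."""
    labels = qname.rstrip(".").upper().split(".")
    if len(labels) < 3:
        return False
    sub = labels[:-2]
    payload = "".join(sub)
    if len(payload) < min_payload_len or not all(BASE32_LABEL.match(l) for l in sub):
        return False
    return shannon_entropy(payload) >= min_entropy

def decode_payload(qname):
    """Triage helper: restore the '=' padding a client strips, decode, or None."""
    payload = "".join(qname.rstrip(".").upper().split(".")[:-2])
    try:
        return base64.b32decode(payload + "=" * (-len(payload) % 8))
    except Exception:
        return None

def scan_dns_log(lines):
    """Return (qname, decoded bytes or None) for each suspicious query."""
    hits = []
    for line in lines:
        parts = line.split()  # constructed format: "<timestamp> <client> <qname>"
        if len(parts) >= 3 and looks_base32_tunnel(parts[2]):
            hits.append((parts[2], decode_payload(parts[2])))
    return hits

# Constructed sample: one tunneled query, split into 32-character labels the way
# a tunneling client would, among benign lookups (a long hostname included).
_CHUNK = base64.b32encode(b"id=4211;cmd=whoami /all;").decode().rstrip("=").lower()
SAMPLE_LOG = [
    "2024-09-11T10:00:01 10.0.0.5 www.example.net",
    "2024-09-11T10:00:02 10.0.0.5 internaldatabaseserver.example.org",
    "2024-09-11T10:00:03 10.0.0.7 " + _CHUNK[:32] + "." + _CHUNK[32:] + ".attacker-placeholder.example",
    "2024-09-11T10:00:04 10.0.0.7 cdn-assets-01.example.org",
]
```

Running `scan_dns_log(SAMPLE_LOG)` returns only the tunneled query together with its decoded command; the entropy threshold is what separates it from the equally long but repetitive benign hostname.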
New malware tools
The threat actor is using two new malware tools dubbed “Veaty” and “Spearal” in its campaign.
Veaty is a .Net backdoor that can execute remote commands and can upload and download files to and from compromised systems. The malware uses compromised email accounts at Iraq’s gov-iq.net domain for C2 purposes and is capable of disabling SSL/TLS certificates to enable that communication without detection. Veaty has considerable overlaps with Karkoff, a remote access trojan that Cisco Talos first reported in April 2019. Both Veaty and Karkoff leverage email tunneling in identical fashion, according to CPR.
Spearal is a .Net backdoor as well, but unlike Veaty, it uses DNS tunneling for C2 communication. The malware is similar to Saitama, another backdoor that APT34 used in an attack on the Jordanian government in 2022. Like Veaty, Spearal can also upload and download files to and from compromised systems and execute remote commands.
Double extension files for initial access
In the attacks that CPR observed, APT34 used malicious files with double extensions to mislead potential victims into interacting with them. The use of double extensions is a common technique in malware and phishing attacks to disguise a malicious executable as a harmless or familiar file type. Examples of the file names that CPR observed the attacker using include Avamer.pdf.exe, Protocol.pdf.exe and IraqiDoc.docx.rar.
Who should pay attention
APT34 is an advanced persistent threat group that has been in operation since at least 2014. It has a long history of targeting organizations in the Middle East and Asia, as well as in Western Europe, North America, Africa and Eastern Europe. It has employed a variety of tactics in its campaigns, including zero-day exploits, living-off-the-land approaches, phishing and watering-hole attacks. APT34 poses a special threat to organizations in the government, financial services, telecommunications, energy and chemical sectors.
For more on the group, its TTPs and malware tool set see here and here.
Here’s the link to CPR’s IOCs for the latest APT34 campaign.