Researchers recently detected a new phishing attack attributed to APT34, also known as OilRig or Helix Kitten, a suspected Iranian APT group. The attackers posed as a marketing services company called GGMS and targeted enterprises, particularly in the United States. They deployed a variant of the SideTwist Trojan to gain long-term control over victim hosts. APT34 is known for its advanced attack techniques, supply chain attack capabilities, and the development of new attack tools.
During the attack, APT34 used a decoy document named "GGMS Overview.doc" containing malicious macro code. When run, the macro decoded the Trojan SystemFailureReporter.exe from a base64 blob embedded in the document, wrote it to the %LOCALAPPDATA%\SystemFailureReporter\ directory, and created a text file named update.xml whose presence acts as a start switch for the Trojan. It then registered a scheduled task named SystemFailureReporter that launches the Trojan every 5 minutes. The Trojan communicated with a CnC server at 18.104.22.168:443 over plain HTTP (not TLS, despite the port). It collected information about the victim host, checked in with the CnC, and executed commands or uploaded local files as instructed.
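The infection chain above leaves a small set of host and network indicators (the drop directory, the update.xml trigger file, the task name, and the CnC endpoint). As an added illustration that is not part of the original report, the following Python hunt runs four simple rules over constructed events in a simplified Sysmon-like shape; the event layout and the sample events are assumptions for the example, not real telemetry, and the indicator values are the ones stated in the write-up.

```python
import re

# Indicators taken from the write-up. The CnC address is kept exactly as reported.
TASK_NAME = "SystemFailureReporter"
DROP_DIR_RE = re.compile(r"\\AppData\\Local\\SystemFailureReporter\\", re.IGNORECASE)
C2_IP, C2_PORT = "18.104.22.168", 443
OFFICE_RE = re.compile(r"\\(WINWORD|EXCEL|POWERPNT)\.EXE$", re.IGNORECASE)


def hunt(events):
    """Return (rule_name, event) pairs for every event that matches an indicator.

    Events are dicts in a simplified Sysmon-like shape (an assumption of this
    example): 'event' is one of file_create, task_create, process_create,
    network_connect, and the remaining keys are the fields used below.
    """
    hits = []
    for ev in events:
        kind = ev.get("event")
        image = ev.get("image", "")
        if kind == "file_create":
            # Rule 1: an Office process writing into the reported drop directory
            # catches both the dropped PE and the update.xml start switch.
            if DROP_DIR_RE.search(ev.get("target", "")) and OFFICE_RE.search(image):
                hits.append(("office_dropped_sidetwist_artifact", ev))
        elif kind == "task_create":
            # Rule 2: the persistence task, regardless of how it was registered
            # (schtasks.exe, the Schedule.Service COM object, ...).
            if ev.get("task_name") == TASK_NAME:
                hits.append(("sidetwist_scheduled_task", ev))
        elif kind == "process_create":
            # Rule 3: anything executing out of the drop directory, which is what
            # the scheduled task does every 5 minutes.
            if DROP_DIR_RE.search(image):
                hits.append(("sidetwist_process_from_drop_dir", ev))
        elif kind == "network_connect":
            # Rule 4: the beacon. Plain HTTP to port 443 is itself an anomaly
            # worth a separate rule in a real deployment.
            if ev.get("dst_ip") == C2_IP and ev.get("dst_port") == C2_PORT:
                hits.append(("sidetwist_c2_beacon", ev))
    return hits


# Constructed sample events (not captured telemetry): the chain described in
# the write-up, plus two benign events that must not fire.
WINWORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
DROP_DIR = r"C:\Users\alice\AppData\Local\SystemFailureReporter"
SAMPLE_EVENTS = [
    {"event": "process_create", "image": WINWORD,
     "cmdline": r'"WINWORD.EXE" "C:\Users\alice\Downloads\GGMS Overview.doc"'},
    {"event": "file_create", "image": WINWORD,
     "target": DROP_DIR + r"\SystemFailureReporter.exe"},
    {"event": "file_create", "image": WINWORD, "target": DROP_DIR + r"\update.xml"},
    {"event": "task_create", "image": WINWORD, "task_name": TASK_NAME},
    {"event": "process_create", "image": DROP_DIR + r"\SystemFailureReporter.exe",
     "parent": r"C:\Windows\System32\svchost.exe"},
    {"event": "network_connect", "image": DROP_DIR + r"\SystemFailureReporter.exe",
     "dst_ip": C2_IP, "dst_port": C2_PORT, "protocol": "tcp"},
    # benign noise
    {"event": "file_create", "image": WINWORD,
     "target": r"C:\Users\alice\Documents\notes.docx"},
    {"event": "network_connect", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "dst_ip": "203.0.113.10", "dst_port": 443, "protocol": "tcp"},
]


if __name__ == "__main__":
    for rule, ev in hunt(SAMPLE_EVENTS):
        print(f"{rule:40s} {ev.get('image', '')}")
```

Rule 1 and Rule 3 are the ones that survive a change of CnC address; Rule 4 should be treated as a short-lived indicator, especially given the suspicion (below in the report) that the observed address was a test endpoint.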
This APT34 attack showed the group's tactics evolving. The variant, compiled with GCC, shared much of its code with earlier SideTwist samples but added anti-sandbox checks. CnC instructions arrived base64-encoded and were decrypted with a multi-byte XOR key. The CnC address itself suggested a test deployment, with the production CnC address withheld until debugging was complete. This reflects a common APT practice: protect attack infrastructure and keep operations concealed for as long as possible. Vigilance and layered cybersecurity measures remain essential to counter such threats.
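To make the base64-plus-XOR command channel concrete, here is an added Python example (not code from the report or from the malware) of both ends of that scheme and of how an analyst recovers the key from known plaintext. The 4-byte key, the "cmd:" command prefix and the sample command are assumptions for the example; the report does not disclose the real key or the real command format.

```python
import base64
from itertools import cycle

# Hypothetical 4-byte key for illustration only; the real key is not given in the write-up.
DEMO_KEY = b"\x5a\xc3\x17\x88"


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data against key, repeating the key as needed. Symmetric: the same
    call encrypts and decrypts."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def wrap_instruction(plaintext: bytes, key: bytes = DEMO_KEY) -> str:
    """Server side of the scheme as described: XOR-encrypt, then base64-encode."""
    return base64.b64encode(xor_bytes(plaintext, key)).decode("ascii")


def unwrap_instruction(blob: str, key: bytes = DEMO_KEY) -> bytes:
    """Client side: base64-decode (strictly), then XOR with the same key."""
    return xor_bytes(base64.b64decode(blob, validate=True), key)


def recover_key(blob: str, known_plaintext: bytes, key_len: int) -> bytes:
    """Known-plaintext key recovery. A repeating XOR key leaks completely once
    key_len consecutive plaintext bytes are known (for example a fixed command
    header): ciphertext XOR plaintext at those positions is the key."""
    ct = base64.b64decode(blob, validate=True)
    if len(known_plaintext) < key_len or len(ct) < key_len:
        raise ValueError("need at least key_len bytes of known plaintext and ciphertext")
    return bytes(c ^ p for c, p in zip(ct[:key_len], known_plaintext[:key_len]))


# Constructed sample traffic: an assumed "cmd:" header followed by a command.
SAMPLE_COMMAND = b"cmd:whoami /all"
SAMPLE_BLOB = wrap_instruction(SAMPLE_COMMAND)


if __name__ == "__main__":
    print("on the wire :", SAMPLE_BLOB)
    print("decrypted   :", unwrap_instruction(SAMPLE_BLOB))
    key = recover_key(SAMPLE_BLOB, b"cmd:", len(DEMO_KEY))
    print("recovered key:", key.hex(), "(matches)" if key == DEMO_KEY else "(mismatch)")
```

The point of recover_key is the practical one: base64 provides no secrecy, and a repeating XOR key provides very little, so any consistent header or predictable field in the command format is enough to decrypt the whole channel from a packet capture.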
The following reports contain further technical details: