A threat group linked to Iran has targeted a U.S.-based research company whose services are used by businesses and government organizations, cybersecurity firm Intezer reveals.
The attack appears to be the work of cyber-espionage group APT34 (also known as OilRig or Helix Kitten), which has been active since at least 2014, targeting government agencies, as well as financial services, energy and utility, telecommunications, and oil and gas companies worldwide.
The newly observed activity employs techniques and tools similar to an operation documented in July 2019, thus suggesting that APT34 is behind it.
Specifically, Intezer’s security researchers discovered a phishing document masquerading as an employee satisfaction survey tailored to Westat employees. A research company, Westat works with U.S. government agencies, businesses, foundations, and state and local governments.
In an email conversation with Intezer, SecurityWeek learned that the threat actor issued a certificate for its C&C server only last month. With the malware’s C&C domain (manygoodnews[.]com) still operational, the researchers believe the attack is likely ongoing.
The identified phishing document appears as a blank spreadsheet when opened, enticing the intended victim into enabling macros. Once that happens, malicious VBA code installs an updated version of the TONEDEAF malware and achieves persistence.
To receive and execute commands, the TONEDEAF backdoor, a custom APT34 tool, communicates with its C&C over HTTP. The new version features a revamped communication protocol and supports only arbitrary shell command execution; the pre-defined commands of the earlier version are gone.
TONEDEAF 2.0 has largely rewritten code compared to the previous version, but the general flow and functionality are similar. It is stealthier, using dynamic API importing and string decoding, and adds a new trick to pass as a legitimate but broken application: if executed without a specific argument, it displays a blank GUI window.
HTTP is still used for C&C communication, but with custom encoding and handshake mechanisms, and every message carries a specific identifier. The researchers believe the C&C filters its targets, because their own requests always received a 403 Forbidden response.
“It’s possible that the C2 is filtering the targets since this backdoor is part of a targeted operation and our client_id parameter does not match that of one of the intended victims,” Intezer says.
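The C&C behaviour described above (a published C2 domain, a per-victim identifier in each request, and 403 Forbidden for anyone whose identifier does not match) gives a defender two things to hunt for in web-proxy logs. The script below is an added example, not Intezer's or SecurityWeek's code. It assumes a simple space-separated proxy log format constructed here for illustration, and it assumes the implant's identifier travels as a URL query parameter named client_id; the article only says that Intezer's own request carried a client_id parameter, not how the real implant encodes it. Any request to the known C2 host is a hit on its own. The second rule, a source that keeps sending client_id to one host and only ever receives 403, is a weaker hunt lead, since legitimate OAuth traffic also carries client_id and sometimes gets refused, so treat it as a starting point for triage rather than an alert.

```python
"""Hunt for the TONEDEAF 2.0 C2 pattern in web-proxy logs.

Added example; not Intezer's or SecurityWeek's code. Assumptions (not in the
article): the proxy log is the simple space-separated format constructed below,
and the implant's identifier travels as a URL query parameter named client_id.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Indicator from the article, kept defanged at rest and refanged for matching.
KNOWN_C2_HOSTS = {"manygoodnews[.]com"}


def refang(host: str) -> str:
    return host.replace("[.]", ".").lower()


C2_HOSTS = {refang(h) for h in KNOWN_C2_HOSTS}


@dataclass
class Finding:
    src: str
    host: str
    reason: str
    ts: Optional[str] = None


def parse_line(line: str) -> dict:
    """Parse one constructed log line: <timestamp> <src_ip> <method> <url> <status>."""
    ts, src, method, url, status = line.split()
    parts = urlsplit(url)
    return {
        "ts": ts,
        "src": src,
        "method": method,
        "host": (parts.hostname or "").lower(),
        "query": parse_qs(parts.query),
        "status": int(status),
    }


def hunt(log_text: str, min_beacons: int = 3) -> list:
    """Return hard hits on the known C2 host, plus weaker leads for a
    (source, host) pair that keeps sending client_id and only ever gets 403,
    which is what Intezer saw when its own client_id matched no target."""
    records = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    findings = []

    # Rule 1: any request to the published C2 domain is a hit on its own.
    for rec in records:
        if rec["host"] in C2_HOSTS:
            findings.append(Finding(rec["src"], rec["host"], "known APT34 C2 host", rec["ts"]))

    # Rule 2: gated-C2 lead. Repeated client_id requests to one host, all refused.
    statuses = defaultdict(list)
    for rec in records:
        if rec["host"] not in C2_HOSTS and "client_id" in rec["query"]:
            statuses[(rec["src"], rec["host"])].append(rec["status"])
    for (src, host), codes in statuses.items():
        if len(codes) >= min_beacons and all(c == 403 for c in codes):
            findings.append(Finding(src, host, f"{len(codes)} client_id requests, all 403 (gated C2 lead)"))
    return findings


# Constructed sample log, not real traffic.
SAMPLE_LOG = """\
2020-01-30T09:00:01Z 10.0.0.5 GET http://manygoodnews.com/index.php?client_id=abc123 403
2020-01-30T09:05:01Z 10.0.0.5 GET http://manygoodnews.com/index.php?client_id=abc123 403
2020-01-30T09:00:03Z 10.0.0.7 GET https://login.example.com/oauth?client_id=web 200
2020-01-30T09:01:00Z 10.0.0.9 POST http://cdn.example.net/api?client_id=x 403
2020-01-30T09:02:00Z 10.0.0.9 POST http://cdn.example.net/api?client_id=x 403
2020-01-30T09:03:00Z 10.0.0.9 POST http://cdn.example.net/api?client_id=x 403
"""

if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f"{f.src} -> {f.host}: {f.reason}")
```

Against the sample, the two requests from 10.0.0.5 are flagged as hits on the known C2 host, the three refused client_id requests from 10.0.0.9 surface as one lead, and the successful OAuth request from 10.0.0.7 is ignored. Raising min_beacons trades recall for noise; in a real environment you would also want the proxy's full URL path and user-agent, which the article does not describe for TONEDEAF 2.0.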
The security researchers believe the operation also employs VALUEVAULT, a browser credential theft implant written in Go. Minutes apart, the same VirusTotal user (submitting from Lebanon) uploaded versions of the phishing document leading to VALUEVAULT and to TONEDEAF 2.0.
“This perhaps indicates that these malware were delivered together,” the researchers say.
The researchers also discovered that the document author’s version of Microsoft Excel has Arabic installed as the preferred language.
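Two of the document-level observations above, the macro-enabled spreadsheet lure and the Arabic language preference in the author's Excel, are the kind of thing an analyst pulls out of a suspect file before ever running it. The script below is an added triage example, not Intezer's or SecurityWeek's code. It assumes the lure is an OOXML (.xlsm) container, which is a ZIP of XML parts plus an OLE vbaProject.bin; a legacy binary .xls would need an OLE parser (for example the oletools project) instead. The article does not say where Intezer read the language preference, so reading dc:language from docProps/core.xml, one place OOXML packages record it, is an assumption of this example. The sample workbook is constructed in memory so the script runs offline.

```python
"""Triage an OOXML spreadsheet for macros and authoring-language metadata.

Added example; not Intezer's or SecurityWeek's code. Assumptions: the lure is an
OOXML (.xlsm) ZIP container, and the author's language preference is readable as
dc:language in docProps/core.xml (the article does not say where it was found).
"""
import io
import zipfile
import xml.etree.ElementTree as ET

MACRO_WORKBOOK_CT = "application/vnd.ms-excel.sheet.macroEnabled.main+xml"
PLAIN_WORKBOOK_CT = "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet.main+xml"
VBA_PROJECT_CT = "application/vnd.ms-office.vbaProject"
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # vbaProject.bin is an OLE compound file
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
}

# Constructed package parts standing in for the lure document.
CONTENT_TYPES = """<?xml version="1.0" encoding="UTF-8"?>
<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">
  <Default Extension="xml" ContentType="application/xml"/>
  {vba_default}
  <Override PartName="/xl/workbook.xml" ContentType="{workbook_ct}"/>
  <Override PartName="/docProps/core.xml" ContentType="application/vnd.openxmlformats-package.core-properties+xml"/>
</Types>"""

CORE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties"
                   xmlns:dc="http://purl.org/dc/elements/1.1/">
  <dc:creator>constructed-sample</dc:creator>
  <dc:language>ar-SA</dc:language>
</cp:coreProperties>"""


def build_sample_xlsm(with_macros: bool = True) -> bytes:
    """Assemble a minimal workbook in memory (constructed, not the real lure)."""
    workbook_ct = MACRO_WORKBOOK_CT if with_macros else PLAIN_WORKBOOK_CT
    vba_default = f'<Default Extension="bin" ContentType="{VBA_PROJECT_CT}"/>' if with_macros else ""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", CONTENT_TYPES.format(workbook_ct=workbook_ct, vba_default=vba_default))
        z.writestr("docProps/core.xml", CORE_XML)
        z.writestr("xl/workbook.xml", "<workbook/>")
        if with_macros:
            z.writestr("xl/vbaProject.bin", OLE_MAGIC + b"\x00" * 56)  # header stub only
    return buf.getvalue()


def triage(data: bytes) -> dict:
    """Report macro presence and core metadata for an OOXML package."""
    result = {"macro_enabled": False, "has_vba": False, "language": None, "creator": None}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = set(z.namelist())
        ctypes = z.read("[Content_Types].xml").decode("utf-8")
        # The workbook part's content type tells Excel to treat the file as macro-enabled.
        result["macro_enabled"] = MACRO_WORKBOOK_CT in ctypes
        # The VBA project itself is an OLE file; check the magic, not just the name.
        if "xl/vbaProject.bin" in names:
            result["has_vba"] = z.read("xl/vbaProject.bin").startswith(OLE_MAGIC)
        elif VBA_PROJECT_CT in ctypes:
            result["has_vba"] = True  # declared, but stored under another part name
        if "docProps/core.xml" in names:
            root = ET.fromstring(z.read("docProps/core.xml"))
            for key in ("language", "creator"):
                el = root.find(f"dc:{key}", NS)
                result[key] = el.text if el is not None else None
    return result


if __name__ == "__main__":
    print(triage(build_sample_xlsm()))
    print(triage(build_sample_xlsm(with_macros=False)))
```

The two signals are deliberately independent: a file can declare the macro-enabled content type without shipping a VBA project, or carry a vbaProject.bin under an unexpected part name, and a lure that renders as a blank sheet while asking the user to enable macros is exactly the case where both checks should be true. Metadata such as the language tag is attacker-controlled and easily edited, so it supports attribution as one weak indicator alongside the tooling overlap the article describes, not on its own.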
SecurityWeek contacted Westat for comment but received no reply at the time of publication.