Cyber Espionage, APT34 is back with a new backdoor: SideTwist

CheckPoint: APT34 is back with a new backdoor: SideTwist. The Iranian threat actor, aka OilRig, used the malware in a campaign on a Lebanese target

APT34, aka OilRig, is back with a new backdoor, SideTwist, as reported by CheckPoint cybersecurity experts. The Iranian APT employed it in a campaign against a Lebanese target. The infection starts with a malicious Microsoft Word file named Job-Details.doc, which poses as a benign document advertising various positions at the Ntiva IT consulting company. Once the user enables the embedded malicious macros, the full infection flow is triggered. As the macros execute, DNS requests are used to beacon back to the attackers, informing them of the current stage of execution and delivering some victim-identifiable information. The macros also drop the malware itself, whose functionality includes download, upload and shell command execution. Next, the backdoor verifies whether the update.xml file was created during the first stage of the infection; if not, it terminates itself.
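As an added, defender-side illustration (not part of the CheckPoint report or this article), the Python below scans constructed Sysmon Event ID 22 (DNS query) records and flags Office processes that query several distinct subdomains of one parent domain, the pattern a macro-driven DNS beacon like the one described above would produce. The host names, domains and file paths are assumed sample values, not indicators from the report.

```python
import json
from collections import defaultdict

# Constructed Sysmon Event ID 22 (DNSEvent) records flattened to JSON lines.
# Domains, hosts and paths are placeholders, not indicators from the report.
SAMPLE_EVENTS = r"""
{"EventID": 22, "Computer": "WS01", "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "QueryName": "a1.stage1.example-c2.invalid"}
{"EventID": 22, "Computer": "WS01", "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "QueryName": "a1.stage2.example-c2.invalid"}
{"EventID": 22, "Computer": "WS01", "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "QueryName": "a1.stage3.example-c2.invalid"}
{"EventID": 22, "Computer": "WS01", "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "QueryName": "www.office.com"}
{"EventID": 22, "Computer": "WS02", "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "QueryName": "x.example-c2.invalid"}
{"EventID": 22, "Computer": "WS02", "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE", "QueryName": "cdn.office.net"}
{"EventID": 1, "Computer": "WS02", "Image": "C:\\Windows\\System32\\cmd.exe", "QueryName": ""}
"""

# Processes whose DNS activity is worth scrutinising: macros run inside these images.
OFFICE_IMAGES = ("winword.exe", "excel.exe", "powerpnt.exe")


def parent_domain(name, levels=2):
    """Reduce a query name to its registrable-ish parent (last `levels` labels).
    A heuristic only; public-suffix handling is out of scope for this example."""
    parts = name.rstrip(".").lower().split(".")
    return ".".join(parts[-levels:])


def find_office_dns_beacons(lines, min_unique=3):
    """Return {(host, image_basename, parent_domain): sorted unique query names}
    for Office processes that resolved at least `min_unique` distinct subdomains
    under the same parent domain. Varying subdomains from one Office process is
    the shape of a DNS beacon encoding stage and victim data in the query name."""
    seen = defaultdict(set)
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        if ev.get("EventID") != 22:          # only DNS query events
            continue
        image = ev["Image"].replace("\\", "/").rsplit("/", 1)[-1].lower()
        if image not in OFFICE_IMAGES:
            continue
        key = (ev["Computer"], image, parent_domain(ev["QueryName"]))
        seen[key].add(ev["QueryName"].lower())
    return {k: sorted(v) for k, v in seen.items() if len(v) >= min_unique}


if __name__ == "__main__":
    for (host, image, domain), names in find_office_dns_beacons(SAMPLE_EVENTS.splitlines()).items():
        print(f"{host}: {image} queried {len(names)} subdomains of {domain}: {names}")
```

Tune `min_unique` and `OFFICE_IMAGES` to the environment; on a real Sysmon feed the same logic applies to the event's Image and QueryName fields.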