skip to Main Content

Cyber Espionage, Iran still targets Lebanon government

Yoroi-ZLab found a sample, an update of the Karkoff implant, used by APT34. It could prove that group is still operating and that a new campaign is active

Iran’s APT34 is spying Lebanon government. It has been discovered by Yoroi-Cybaze ZLab cyber security experts. They spotted a new sample which they believe to be an update of the Karkoff implant. In November 2018, researchers from Cisco Talos tracked and detailed a “DNSEspionage” campaign against targets in Lebanon and UAE. At the time of the report, the threat actor carried out a cyber espionage campaign by redirecting DNS traffic from domains owned by the Lebanon government to target entities in the country. In April 2019, Cisco Talos discovered evidence of the link between APT (Helix Kitten or OilRig) and the “DNSEspionage” operation. Talos analysts discovered several overlaps in the infrastructure employed by attackers and identified common TTPs. They dubbed the new malware“Karkoff”. The last discover could prove that Tehran’s hackers are still active and threat actors used it in a new campaign that appears to be active.

Iran’s hackers made some changes in their technique, tactics, and procedures, but the target is the same: the Lebanon Government. The APT could have compromised a Microsoft Exchange Server

According to the cyber security experts, APT34 made some changes in its technique, tactics, and procedures, but the target is the same: the Lebanon Government. In this campaign, the Iran’s hackers may have compromised a Microsoft Exchange Server belonging to a Lebanon government entity, in fact, Yoroi-ZLab found some evidence in the communication logic. This new implant has some similarities with the samples of Karkoff involved in past campaigns, including: similar Macro structure, .NET modular implant with similar logic, and exploit Microsoft Exchange Server as communication channel. Moreover, the new malware implant implements a new reconnaissance logic in order to drop the final payload only to specific targets, gathering system information, the domain name, hostname and running Operating System.

Telsy: The APT34 malware is delivered through spear-phishing email messages, and the infection starts with a macro-armed Excel document

Cyber security researchers at Telsy have come to the same conclusion. They found the APT34 malware is delivered through spear-phishing email messages. The infection starts with a macro-armed Excel document. The Macro contains a base64 encoded executable payload, copied as “monitor.exe”, which will be deployed in a just created folder, named “.Monitor” under “C:\Users\Public”. Through the usage of Windows Task Scheduler, “monitor.exe” is added to a new task, named “SystemErrorReporter”, whose execution is scheduled every minute. Analyzing the resources embedded into “monitor.exe”, it is possible to discover some further information, such as the credentials used by Iranian hackers to access a Microsoft Exchange server hosted in Lebanon. 

Back To Top