Intezer: Iran’s APT34 attacks US targets with new tools. The targets are Westat employees or organizations that use the company services

APT34, Iranian state-sponsored hackers, launched a new campaign on US targets with an updated toolset. It has been discovered by Intezer cyber security experts. Based on uncovered phishing documents, they believe the Tehran’s threat actor is targeting Westat employees, or United States organizations hiring its services. Westat “provides research services to agencies of the U.S. Government, as well as businesses, foundations, and state and local governments”. “Westat understands that in their effort to identify threats and malware, Intezer has identified a malicious file that uses the Westat name and logo – the company stated -. This file was not created by, hosted by, or sent from Westat, and is likely the result of a bad actor stealing the Westat brand name and logo. Our cybersecurity team is working with Intezer and others to fully understand the nature of this report. We will continue to monitor the situation and respond accordingly.”

The cyber security experts: The file “survey.xls” contains a malicious VBA code that install TONEDEAF 2.0 malware

The cyber security experts discovered the file “survey.xls”, designed to look like an employee satisfaction survey tailored to either Westat employees or customers. At first the spreadsheet appeared to be blank. Only once the victim enables macros, it is displayed to the user and the malicious VBA code begins to execute. It unpacks a zip file into a temporary folder, extracts a “Client update.exe” executable file and installs it to “C:Users<User>valsClient update.exe”. This is a highly modified version of the TONEDEAF malware, which Intezer named TONEDEAF 2.0. Finally, the crtt function creates a scheduled task “CheckUpdate” that runs the unpacked executable five minutes after being infected by it, as well as on future log-ons. Moreover, both the extracted VBA code and the functionality of the code look similar to the one analyzed by FireEye on a spear-phishing operation conducted by APT34.

The backdoor is a new advanced version of the original 1.0

At first glance, “Client update.exe” seems like a completely new backdoor malware. However, further examination reveals it’s most likely a highly modified version of the previously seen TONEDEAF backdoor. It communicates with its Command and Control server via HTTP in order to receive and execute commands. It was mentioned in FireEye’s recent report about an ongoing APT34 operation, as one of the group’s custom tools. “TONEDEAF 2.0” is an advanced version of the original malicious code, serving the same purpose as it, but with a revamped C2 communication protocol and a substantially modified code base. In contrast, it contains solely arbitrary shell execution capabilities, and doesn’t support any predefined commands. It’s also more stealthy and contains new tricks such as dynamic importing, string decoding, and a victim deception method. 

The APT34 malware evasion tricks

The APT34 malware, upon execution, checks whether it was executed with “…” as an argument, which is the way it’s configured to execute by the scheduled task, as part of the proper infection chain. In the case the backdoor it’s executed without the correct argument, such as by launching it via a double click, it will display a blank GUI Window to the user. This is most likely intended to serve as a deception method, to make the malicious code appear like a legitimate (alibiet broken) application titled “Bee”. TONEDEAF 2.0 also attempts to be more stealthy than its predecessor by hiding many of the interesting API imports it uses. The names of these APIs, and the DLLs that contain them, are stored as encoded strings and are decoded and resolved on demand during runtime.

Iranian state-sponsored hackers exploited also VALUEVAULT 2.0 credential theft tool, built in Golang

Cyber security experts believe the Iranian cyber espionage operation also includes the usage of a VALUEVAULT implant. It’s a browser credential theft tool built in Golang, discovered by FireEye in the APT34 operation analysis. Intezer, furthermore, found the survey.xls file uploaded to VirusTotal with a VALUEVAULT and a TONEDEAF 2.0 instance, uploaded from Lebanon by the same user, only a few minutes apart. This may indicate that these malware were delivered together as part of the same attack. In this VALUEVAULT many functionalities and strings were stripped from the new binary in order to lower its noise. Only Chrome password dumping is now supported, although the use of the file “fsociety.dat” as a password data store under the “AppData\Roaming” directory remained. Furthermore, VALUEVAULT 2.0 is a 64-bit binary as opposed to 1.0 (32-bit). These relatively minor changes were enough to create a fully undetected implant.