Is APT34 behind the Sea Turtle cyber espionage campaign? There are many similarities between the credential harvesting operation and the WebMask project of the Iranian hackers focused on DNS hijacking
Are APT34 Iranian state-sponsored hackers behind the Sea Turtle cyber espionage campaign? The credential harvesting operation against targets in the Middle East and North Africa, discovered by Cisco Talos cyber security experts, highlighted that malicious actors have focused on DNS hijacking as a mechanism for achieving their ultimate objectives. Furthermore, Yoroi-Cybaze’s founder Marco Ramilli analyzed the APT cyber aggressions in depth, in particular the WebMask project standing behind the DNS attacks. Comparing the TTPs, there are many similarities. Moreover, APT34 targets are the same as those of the group behind Sea Turtle. There are not enough elements to confirm the hypothesis, but it seems likely even if not certain, especially taking into account the new wave of US sanctions that aim to isolate and bend Tehran. The Islamic Republic surely is trying to react, even in the cyberspace domain.
Marco Ramilli's analysis of WebMask finds similarities with the Talos Sea Turtle campaign. APT34 needs credentials to change authoritative DNS
Moreover, according to Ramilli, WebMask is an APT34 distinction, since it implements the core of their DNS attacks. The Iranian state-sponsored hackers are well known to make wide use of DNS hijacking in order to redirect victims to attacker-controlled websites, and they implemented these TTPs thanks to the project. The Italian cyber security researcher, analyzing it, found that it was created after April 2016. It has been used to attack at least the “Arab Emirate” (from examples in the config files) and might target Spanish/Portuguese speakers (from code in the extract_login_password function). Moreover, the APT might use NovinVPS, but it needs credentials to change authoritative DNS records. So, most likely there are campaigns focused on harvesting credentials. And, “incidentally”, Sea Turtle has precisely this purpose.
Photo Credits: Cisco Talos