
APT34: New campaign uses LinkedIn to distribute malware

The APT34 group has resurfaced with a new attack. The group, associated with Iran, has been active since 2014 and mainly targets organizations in the financial, government, energy and telecommunications sectors in the United States and the Middle East.

Researchers from FireEye have uncovered a new espionage campaign conducted by APT34 (also tracked as OilRig, HelixKitten and Greenbug). The hackers used LinkedIn for their campaign: members of the group posed as researchers from Cambridge and asked the victims to join their network. Their goal, of course, was to distribute malware.

Researchers discovered the campaign in late June. According to them, three features attracted attention:

  1. The hackers posed as professors and researchers at the University of Cambridge to gain the victims' trust and persuade them to open malicious documents
  2. LinkedIn was used to deliver the malicious documents
  3. Three new malware families were added to APT34's toolset

One of the tools the group uses in its attacks is Pickpocket, a data-stealing tool that has only been observed in APT34 attacks.

The initial targets were organizations in the energy, oil and gas sectors, as well as government agencies.

The hackers asked the victims to open an infected Excel file named ERFT-Details.xls. They sent each victim a LinkedIn message that purportedly came from the "Research Staff of the University of Cambridge" and asked for a resume for possible employment opportunities.

This technique, in which the attacker first works to gain the victim's trust, is familiar from many espionage campaigns.

The three new malware families identified in this campaign have been named TONEDEAF, VALUEVAULT and LONGWATCH.

TONEDEAF is a backdoor that communicates with a command-and-control (C2) server through HTTP GET and POST requests. It can collect system information, upload and download files, and execute arbitrary commands.
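A backdoor that talks to its C2 over ordinary HTTP GET and POST requests blends into normal web traffic, so one practical way for a defender to surface it is to look for the regular timing (beaconing) of requests from a single client to a single host. The script below is an added example written for this article, not FireEye's detection logic or anything from the TONEDEAF sample; the proxy log lines, the client addresses and the hostname c2-placeholder.test are all constructed for illustration.

```python
"""Flag regular-interval HTTP GET/POST beaconing in proxy logs (constructed example)."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample proxy log lines (not real APT34 traffic).
# Format: <ISO timestamp> <client IP> <method> <host> <path>
SAMPLE_LOG = """\
2019-06-28T09:00:00 10.0.0.5 GET cdn.example-assets.test /lib/jquery.js
2019-06-28T09:00:04 10.0.0.7 GET c2-placeholder.test /api/check
2019-06-28T09:01:04 10.0.0.7 POST c2-placeholder.test /api/upload
2019-06-28T09:02:03 10.0.0.7 GET c2-placeholder.test /api/check
2019-06-28T09:03:05 10.0.0.7 GET c2-placeholder.test /api/check
2019-06-28T09:04:04 10.0.0.7 POST c2-placeholder.test /api/upload
2019-06-28T09:05:04 10.0.0.7 GET c2-placeholder.test /api/check
2019-06-28T09:00:30 10.0.0.5 GET news.example.test /
2019-06-28T09:17:12 10.0.0.5 GET news.example.test /world
2019-06-28T09:41:50 10.0.0.5 POST news.example.test /comment
"""


def parse_log(text):
    """Parse the constructed log format into (timestamp, client, host, method, path) tuples.

    Only GET and POST requests are kept, matching the channel the article describes.
    """
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, method, host, path = line.split()
        if method not in ("GET", "POST"):
            continue
        events.append((datetime.fromisoformat(ts), client, host, method, path))
    return events


def find_beacons(events, min_requests=5, max_cv=0.25):
    """Group requests by (client, host) and flag pairs whose inter-request
    intervals are suspiciously regular.

    Regularity is measured as the coefficient of variation (std dev / mean) of
    the gaps between consecutive requests; human browsing is bursty and has a
    high CV, while a sleep-and-poll backdoor has a low one. Thresholds are
    illustrative assumptions and should be tuned against real traffic.
    """
    by_pair = defaultdict(list)
    for ts, client, host, _method, _path in events:
        by_pair[(client, host)].append(ts)

    findings = []
    for (client, host), times in by_pair.items():
        if len(times) < min_requests:
            continue  # too few requests to judge timing
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue  # all requests share one timestamp; not a beacon pattern
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            findings.append({
                "client": client,
                "host": host,
                "requests": len(times),
                "mean_interval_s": round(avg, 1),
                "cv": round(cv, 3),
            })
    return findings


if __name__ == "__main__":
    for hit in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"possible beacon: {hit['client']} -> {hit['host']} "
              f"({hit['requests']} requests, ~{hit['mean_interval_s']}s apart, cv={hit['cv']})")
```

In the constructed data only 10.0.0.7 is flagged: its six requests to c2-placeholder.test arrive roughly once a minute, while 10.0.0.5's browsing is both too sparse and too irregular. Real backdoors often add jitter to their sleep interval, which is why the check uses a tolerance on the coefficient of variation rather than requiring identical gaps; widening `max_cv` catches more jittered beacons at the cost of more false positives from legitimate polling clients (software updaters, mail clients), which should be allow-listed by host.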

VALUEVAULT is a credential-theft tool and LONGWATCH is a keylogger.

"We suspect this will not be the last time the APT34 team brings new tools," said the researchers. The group constantly adopts new methods to evade detection mechanisms, especially when the target is high-value. For this reason, the company advises organizations to be very careful and to protect their data.

Absent Mia