Short News:-
Iran-linked APTs have updated their malware toolkit to include a new backdoor called Marlin. Middle Eastern governments and businesses have been targeted by a hacking group that has been active since at least 2014. ESET identified OilRig (aka APT34) as the source of the attacks codenamed "Out To Sea". The company found conclusive evidence linking it to the Lyceum cybercrime syndicate in Iran.
Detailed News:-
Iran-linked APTs have updated their malware toolkit to include a new backdoor called Marlin as part of a long-running spying campaign that began in April of this year (2018).
At the same time that ESET identified OilRig (aka APT34) as the source of the attacks codenamed "Out To Sea," the company found conclusive evidence linking it to the Lyceum cybercrime syndicate in Iran (Hexane aka SiameseKitten).
Israel, Tunisia, and the United Arab Emirates have been targeted by a cyber-attack, according to ESET's T3 2021 Threat Report shared with The Hacker News.
Middle Eastern governments and a wide range of businesses have been targeted by a hacking group that has been active since at least 2014. An implant known as SideTwist was used in April 2021, while campaigns previously linked to Lyceum targeted Israeli, Moroccan, Tunisian, and Saudi Arabian technology firms.
There have been multiple backdoors dropped by Lyceum infection chains, starting with DanBot in 2018 and moving on to Shark and Milan by 2021, and a new data collection malware known as Marlin was used for attacks discovered in August 2021.
It doesn't stop there, though. Marlin uses Microsoft's OneDrive API for its C2 operations, which is a significant departure from traditional OilRig TTPs that involve the use of DNS and HTTPS for command-and-control (C&C) communications.
There were "too many and specific" parallels between OilRig's backdoors, ESET said in a statement, noting that "spear-phishing and remote access/administration software like ITbrain or TeamViewer" were used to gain access to the network.
To communicate with its command and control server, the ToneDeaf backdoor relied on HTTP/S, but it also had a secondary method of communication that didn't work, according to the researchers. While DNS is Shark's primary method of communication, it also has a non-functional HTTP/S backup.
ToneDeaf is a malware family that was deployed by the APT34 actor targeting a wide range of industries operating in the Middle East in July 2019. It supports collecting system information, uploading and downloading files, and arbitrary shell command execution.
Among other things, DNS was found to be used as a C&C communication channel alongside HTTP/S and multiple folders in the backdoor's working directory for uploading and downloading files from the C&C server, according to the findings.
Post a Comment
Your suggestions and comments are welcome