APT34 Linked to New Phishing Attacks Deploying SideTwist Backdoor and Agent Tesla Variant

September 6, 2023

The Iranian threat actor identified as APT34 is connected to a new phishing campaign that results in the deployment of a SideTwist backdoor variant. According to NSFOCUS Security Labs, "APT34 has a high level of attack technology, can design different intrusion methods for different types of targets, and has supply chain attack capability."

APT34, also tracked as OilRig, Cobalt Gypsy, Helix Kitten and Hazel Sandstorm (formerly Europium), has been targeting the telecommunications, government, defense, oil and financial services sectors in the Middle East since 2014. The group is known for continually developing new and updated tooling to evade detection and to keep long-term access to compromised systems.

The attack begins with a booby-trapped Microsoft Word document carrying a malicious macro. When the macro runs, it extracts the Base64-encoded payload stored inside the document, decodes it and launches it. The payload is a SideTwist variant that contacts a remote server (11.0.188[.]38) to fetch further instructions.

Fortinet FortiGuard Labs has separately discovered a phishing campaign that distributes a new Agent Tesla variant. This campaign uses a specially crafted Microsoft Excel document that exploits CVE-2017-11882 and CVE-2018-0802, two stack buffer overflow vulnerabilities in Microsoft Office's Equation Editor (EQNEDT32.EXE). Both flaws were patched years ago (November 2017 and January 2018 respectively), and Microsoft removed the Equation Editor component entirely with the January 2018 update, so successful exploitation still depends on unpatched Office installations.
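Both lures above leave byte-level traces a defender can look for before opening a document: a macro that carries its payload as a Base64 blob leaves a long Base64 run that decodes to a PE image, and an Equation Editor exploit document embeds an Equation Editor 3.0 object that can be spotted by its CLSID or stream name. The following triage script is an added example, not code from the article, NSFOCUS or Fortinet. It scans raw file bytes without parsing the OLE/OOXML container, so it is a first-pass heuristic rather than a replacement for olevba or a sandbox; the sample document bytes and proxy log lines are constructed here for illustration, and the CLSID value is the well-known Equation Editor 3.0 identifier rather than something taken from the article.

```python
"""First-pass triage for the two document lures described above.

Added example. Assumptions: heuristics run over raw bytes and do not parse
the OLE/OOXML container; SAMPLE_* inputs are constructed, not real samples.
"""
import base64
import binascii
import re

# Defanged C2 indicator exactly as printed in the article.
SIDETWIST_C2_DEFANGED = "11.0.188[.]38"

# Equation Editor 3.0 CLSID {0002CE02-0000-0000-C000-000000000046} in the
# binary GUID layout found inside OLE containers (Data1..3 little-endian).
EQNEDT_CLSID = bytes.fromhex("02CE0200" "0000" "0000" "C000000000000046")
# UTF-16LE name of the stream that holds the embedded equation object.
EQUATION_NATIVE_UTF16 = "Equation Native".encode("utf-16-le")

# A run of at least 64 Base64 characters, optionally padded.
_B64_RUN = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")


def refang(ioc: str) -> str:
    """Turn a defanged indicator (1.2.3[.]4, hxxp://) back into its real form."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


def find_base64_payloads(data: bytes, min_len: int = 64) -> list:
    """Return Base64 runs in data that decode to a PE image ('MZ' stub).

    This is what a macro that stores its dropper Base64-encoded in the
    document body leaves behind. Each hit records the offset of the run
    and the decoded size.
    """
    hits = []
    for m in _B64_RUN.finditer(data):
        blob = m.group(0)
        if len(blob) < min_len:
            continue
        blob += b"=" * (-len(blob) % 4)  # tolerate missing padding
        try:
            decoded = base64.b64decode(blob, validate=True)
        except (binascii.Error, ValueError):
            continue
        if decoded[:2] == b"MZ":
            hits.append({"offset": m.start(), "size": len(decoded), "pe": True})
    return hits


def has_equation_editor_object(data: bytes) -> bool:
    """Heuristic for CVE-2017-11882 / CVE-2018-0802 lures: an embedded
    Equation Editor 3.0 object, identified by its CLSID or stream name."""
    return EQNEDT_CLSID in data or EQUATION_NATIVE_UTF16 in data


def matches_c2(log_lines, ioc: str = SIDETWIST_C2_DEFANGED) -> list:
    """Return log lines that contact the C2 address, avoiding prefix matches
    such as 11.0.188.381 being counted as 11.0.188.38."""
    pattern = re.compile(r"(?<![\d.])" + re.escape(refang(ioc)) + r"(?![\d.])")
    return [line for line in log_lines if pattern.search(line)]


# Constructed samples (not real malware): a fake PE stub Base64-embedded in
# "document" text, an OLE-like header followed by the Equation Editor CLSID,
# and three fabricated proxy log lines.
FAKE_PE = b"MZ" + b"\x90" * 200
SAMPLE_DOC = b"<some document text>" + base64.b64encode(FAKE_PE) + b"<more>"
SAMPLE_XLS = b"\xd0\xcf\x11\xe0" + b"\x00" * 16 + EQNEDT_CLSID + b"\x00" * 8
SAMPLE_LOGS = [
    "2023-09-06T10:00:01Z proxy allow 10.1.2.3 -> 11.0.188.38:443",
    "2023-09-06T10:00:02Z proxy allow 10.1.2.3 -> 11.0.188.381:443",
    "2023-09-06T10:00:03Z proxy allow 10.1.2.3 -> 93.184.216.34:443",
]

if __name__ == "__main__":
    print("base64 PE payloads:", find_base64_payloads(SAMPLE_DOC))
    print("equation editor object:", has_equation_editor_object(SAMPLE_XLS))
    print("C2 hits:", matches_c2(SAMPLE_LOGS))
```

Run over a real suspect file, `find_base64_payloads` is the check for the Word lure and `has_equation_editor_object` for the Excel lure; `matches_c2` is the cheap retroactive hunt across proxy or firewall logs once the defanged indicator has been refanged. Expect false positives from legitimate documents that embed equations, and false negatives if the macro obfuscates or splits its Base64 string, which is why this is a triage step ahead of proper macro extraction.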

Security researcher Xiaopeng Zhang explains, "The Agent Tesla core module collects sensitive information from the victim's device. This information includes the saved credentials of some software, the victim's keylogging information, and screenshots."

Cybersecurity firm Qualys has shared data indicating that CVE-2017-11882 remains one of the most exploited flaws: as of August 31, 2023, it had been used by 467 malware strains, 53 threat actors and 14 ransomware families. In a separate phishing campaign, ISO image file lures are used to deploy malware strains such as Agent Tesla, LimeRAT and Remcos RAT on infected systems.
