The Iranian threat actor tracked as APT34 has been linked to a new phishing campaign that delivers a variant of the SideTwist backdoor. According to NSFOCUS Security Labs, "APT34 has a high level of attack technology, can design different intrusion methods for different types of targets, and has supply chain attack capability."
APT34, also tracked as OilRig, Helix Kitten, Cobalt Gypsy and Hazel Sandstorm, has targeted telecommunications, government, defense, oil and financial-services organizations in the Middle East since at least 2014. The group is known for continually developing new and updated tooling to evade detection and to keep long-term access to compromised systems.
The attack chain starts with a Microsoft Word lure containing a malicious macro. Once the recipient enables it, the macro extracts a Base64-encoded payload embedded in the document, decodes it and launches it. The payload is a SideTwist variant that beacons to a remote server (11.0.188[.]38) for further commands. Because the chain depends on the user enabling macros, the default Office policy of blocking macros in documents downloaded from the internet (in place since 2022) removes the entry point unless the user or an administrator overrides it.
Separately, Fortinet FortiGuard Labs has discovered a phishing campaign distributing a new Agent Tesla variant. It uses a specially crafted Microsoft Excel document that exploits CVE-2017-11882 and CVE-2018-0802, two memory-corruption vulnerabilities in Microsoft Office's Equation Editor (EQNEDT32.EXE). Both flaws were patched in November 2017 and January 2018 respectively, and Microsoft removed the Equation Editor component in the January 2018 update, so the exploit only succeeds on Office installations that have gone years without updates.
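A file-triage check for the two delivery mechanisms described above (the macro that carries a Base64-encoded payload, and the Excel file that embeds an Equation Editor object), added here as an example and not code from NSFOCUS, Fortinet or the campaigns themselves. It scans raw bytes for a long Base64 run that decodes to a PE executable, and for Equation Editor 3.0 markers: the CLSID {0002CE02-0000-0000-C000-000000000046}, the "Equation.3" ProgID and the EQNEDT32 binary name, which CVE-2017-11882 and CVE-2018-0802 both require. The sample macro and OLE fragment are constructed for the demonstration; the 200-character Base64 threshold and the marker list are this example's own assumptions.

```python
import base64
import re

# Added triage helper, not from the article or either vendor's report. It checks raw
# bytes of a suspicious Office file (or an extracted macro) for two indicators:
#   (1) a long Base64 run that decodes to a PE, the macro-embedded dropper pattern, and
#   (2) Equation Editor 3.0 object markers, which both Equation Editor CVEs depend on.
# The threshold and marker list below are assumptions made for this example.

# Base64 runs of at least 200 chars; shorter runs are mostly GUIDs, fonts and noise.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{200,}={0,2}")

# CLSID {0002CE02-0000-0000-C000-000000000046} (Microsoft Equation 3.0) as stored
# on disk: Data1/Data2/Data3 little-endian, Data4 as-is.
EQNEDT_CLSID_LE = bytes.fromhex("02ce020000000000c000000000000046")

# (marker name, pattern, match case-insensitively?)
EQNEDT_MARKERS = (
    ("clsid_binary", EQNEDT_CLSID_LE, False),
    ("clsid_text", b"0002CE02-0000-0000-C000-000000000046", True),
    ("progid", b"EQUATION.3", True),
    ("binary_name", b"EQNEDT32", True),
)


def find_base64_payloads(data: bytes) -> list:
    """Return (offset, decoded_length) for each long Base64 run that decodes to a PE."""
    hits = []
    for m in B64_RUN.finditer(data):
        try:
            decoded = base64.b64decode(m.group(0), validate=True)
        except ValueError:  # binascii.Error is a ValueError: bad length or padding
            continue
        if decoded.startswith(b"MZ"):  # DOS/PE header magic
            hits.append((m.start(), len(decoded)))
    return hits


def find_equation_editor_markers(data: bytes) -> list:
    """Return the names of Equation Editor markers present anywhere in the raw bytes."""
    upper = data.upper()  # bytes.upper() only touches ASCII a-z, so binary data is safe
    return [name for name, pat, ci in EQNEDT_MARKERS if pat in (upper if ci else data)]


def triage(data: bytes) -> dict:
    """Run both checks; empty lists mean neither indicator was seen."""
    return {
        "pe_in_base64": find_base64_payloads(data),
        "equation_editor": find_equation_editor_markers(data),
    }


# Constructed samples (not real malware). The "PE" is only an MZ stub so the Base64
# check fires; the OLE fragment is the compound-file magic followed by the CLSID.
FAKE_PE = b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"\x00" * 200
SAMPLE_MACRO = (
    b"Sub AutoOpen()\r\n"
    b"  Dim s As String\r\n"
    b'  s = "' + base64.b64encode(FAKE_PE) + b'"\r\n'
    b"  DropAndRun Decode(s)\r\n"
    b"End Sub\r\n"
)
SAMPLE_OLE = (
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 64
    + EQNEDT_CLSID_LE + b"\x00" * 16 + b"Equation.3\x00"
)
BENIGN = b"Quarterly figures attached. Regards, Finance\r\n"

if __name__ == "__main__":
    for label, sample in (("macro", SAMPLE_MACRO), ("ole", SAMPLE_OLE), ("benign", BENIGN)):
        print(label, triage(sample))
```

Run it over the output of olevba or over a decompressed vbaProject.bin and the individual OLE streams rather than over a .docx or .xlsx archive directly, since ZIP compression hides both the Base64 text and the CLSID bytes. A match is a triage signal, not proof of exploitation, and an absent marker does not clear a file that reaches Equation Editor through an OLE link or other obfuscation.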
Security researcher Xiaopeng Zhang explains, "The Agent Tesla core module collects sensitive information from the victim's device. This information includes the saved credentials of some software, the victim's keylogging information, and screenshots."
Cybersecurity firm Qualys has shared data indicating that CVE-2017-11882 remains one of the most exploited flaws: as of August 31, 2023, it had been used by 467 malware families, 53 threat actors and 14 ransomware families. A separate phishing campaign uses ISO image lures to deliver Agent Tesla, LimeRAT and Remcos RAT. ISO containers have been a popular lure format because files inside a mounted image historically did not inherit the Mark-of-the-Web and so escaped SmartScreen and Office Protected View; Windows has propagated the mark to ISO contents since its November 2022 updates, which blunts the technique on patched hosts.