A phishing campaign aimed at Jordan's Foreign Ministry has been observed delivering a new stealthy backdoor called Saitama.
Researchers from Malwarebytes and Fortinet FortiGuard Labs attributed the campaign to an Iranian cyber-espionage threat actor tracked as APT34, citing similarities to past campaigns run by the group.
“Like many of these attacks, the email contained a malicious attachment,” said Fortinet researcher Fred Gutierrez. “However, the attached threat was not garden-variety malware. Instead, it had capabilities and techniques commonly associated with Advanced Persistent Threats (APTs).”
APT34, also known as OilRig, Helix Kitten and Cobalt Gypsy, has been active since at least 2014 and has a track record of striking the telecommunications, government, defense, oil and financial sectors across the Middle East and North Africa (MENA) through targeted phishing attacks.
Earlier, in February this year, ESET linked the group to a long-running intelligence-gathering operation targeting diplomatic organizations, technology companies and medical organizations in Israel, Tunisia and the United Arab Emirates.
The recently discovered phishing message carries a weaponized Microsoft Excel document which, when opened, prompts the potential victim to enable macros. Doing so runs a Visual Basic for Applications (VBA) macro that drops the malware payload (“update.exe”).
In addition, the macro establishes persistence for the implant by adding a scheduled task that runs every four hours.
The .NET-based Saitama uses DNS for command and control (C2) to disguise its traffic, and follows a “finite state machine” approach to executing the commands it receives from the C2 server.
“Ultimately, it means that this malware receives its tasks in the DNS response,” Gutierrez explained. DNS tunneling, as the technique is called, encodes data from other programs or protocols inside DNS queries and responses.
In the final stage, the results of each command are sent back to the C2 server, with the stolen data embedded in DNS queries.
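The DNS-tunneling pattern described above, where results and stolen data travel outbound inside the query name itself, leaves a detectable shape in resolver logs: many queries from one host to one domain, each with a long, random-looking leftmost label. The following is an added detection example, not code from the original article or from the Fortinet/Malwarebytes research; the log format, domain names and thresholds are constructed assumptions.

```python
import math
from collections import defaultdict

# Constructed sample DNS query log (not captured Saitama traffic), one query per line:
# "<time> <client-ip> <queried-name> <record-type>". Client 10.0.0.7 sends long,
# random-looking leftmost labels under one domain, the shape data embedded in
# DNS queries takes; client 10.0.0.5 shows ordinary browsing lookups.
SAMPLE_LOG = """\
10:00:01 10.0.0.5 www.example.com A
10:00:02 10.0.0.5 mail.example.com A
10:00:03 10.0.0.7 x7k2p9qz4m1c0vbn8a3t.updates-cdn.test A
10:00:05 10.0.0.7 h4n8r2w6y0q1s5e9l3k7.updates-cdn.test A
10:00:07 10.0.0.7 m0b3v7c1x5z9n2q4w8e6.updates-cdn.test TXT
10:00:09 10.0.0.7 t5y9u3i7o1p2a6s0d4f8.updates-cdn.test A
10:00:11 10.0.0.5 cdn.example.com A
"""

def shannon_entropy(text):
    """Bits of entropy per character; encoded data in a label scores high, words score low."""
    if not text:
        return 0.0
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def registered_domain(qname):
    """Approximate the registered domain as the last two labels (no public-suffix list here)."""
    return ".".join(qname.rstrip(".").split(".")[-2:])

def suspicious_domains(log_text, min_queries=3, min_label_len=16, min_entropy=3.5):
    """Return {(client, domain): count} for client/domain pairs that sent at least
    min_queries queries whose leftmost label is both long and high-entropy."""
    hits = defaultdict(int)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip malformed lines rather than crash on them
        _, client, qname, _ = fields
        label = qname.split(".")[0]
        if len(label) >= min_label_len and shannon_entropy(label) >= min_entropy:
            hits[(client, registered_domain(qname))] += 1
    return {key: n for key, n in hits.items() if n >= min_queries}

if __name__ == "__main__":
    for (client, domain), n in suspicious_domains(SAMPLE_LOG).items():
        print(f"{client} -> {domain}: {n} queries with encoded-looking labels")
```

Thresholds need tuning per environment, since CDNs and some security products legitimately use long hashed labels; the per-client, per-domain grouping is what keeps those from drowning the signal.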
“Given the amount of work put into developing this malware, it’s not the type that would be run once and then deleted, like other stealthy infostealers,” Gutierrez said.
“Perhaps to avoid behavioral detection, this malware also doesn’t create any persistence methods of its own. Instead, it relies on the Excel macro to establish persistence through a scheduled task.”