A recent phishing attack has been attributed to the Iranian threat actor APT34, also known as Cobalt Gypsy, Hazel Sandstorm (formerly Europium), Helix Kitten, and OilRig. APT34 has a history of targeting telecommunications, government, defense, oil, and financial services sectors in the Middle East since 2014. The group uses spear-phishing lures to deploy various backdoors on their targets.

This latest attack involves the deployment of a variant of a backdoor called SideTwist, an implant with capabilities for file download/upload and command execution. NSFOCUS Security Labs discovered the attack chain, which begins with a malicious Microsoft Word document that carries a malicious macro. The macro launches a payload stored inside the file, which is a variant of SideTwist. The backdoor then communicates with a remote server to receive further instructions.

APT34 has demonstrated a high level of technical capability and the ability to develop new and updated tools to evade detection. This allows the group to maintain access to compromised hosts for extended periods of time.

Meanwhile, cybersecurity firm Fortinet FortiGuard Labs has uncovered a phishing campaign spreading a new variant of Agent Tesla. The campaign uses a specially crafted Microsoft Excel document that exploits a six-year-old memory corruption vulnerability in Microsoft Office's Equation Editor. Agent Tesla is an information-stealing malware that collects sensitive data from the victim's device, including saved credentials, keystrokes, and screenshots.

It should be noted that the Microsoft vulnerability CVE-2017-11882, exploited in the Agent Tesla campaign, remains popular among threat actors. Qualys reported that, as of August 31, 2023, the vulnerability had been exploited by 467 malware families, 53 threat actors, and 14 ransomware families.
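Both campaigns described above start from an Office document: a Word file carrying a macro, and an Excel file embedding an Equation Editor object to reach CVE-2017-11882. The following triage script is an added example written for this page, not code from NSFOCUS, Fortinet, Qualys, or the article itself. It assumes the documents are OOXML containers (.docx/.xlsx), that macros live in a `vbaProject.bin` part, and that an Equation Editor embedding is declared by an `OLEObject` element whose `ProgID` starts with `Equation.`; the sample documents it inspects are constructed in memory so it runs offline.

```python
import io
import re
import zipfile

# Assumption: Equation Editor embeddings are declared with a ProgID such as
# "Equation.3" on an OLEObject element inside the document XML.
EQUATION_PROGID_RE = re.compile(r'ProgID="(Equation\.[^"]*)"', re.IGNORECASE)


def triage_ooxml(data: bytes) -> dict:
    """Return indicators found in an OOXML (docx/xlsx) container.

    Indicators checked (assumptions of this example, not from the article):
    - a VBA project part (vbaProject.bin): the document carries macros
    - an OLEObject with an Equation.* ProgID: an Equation Editor embedding,
      the component targeted by CVE-2017-11882
    - binary OLE parts under an embeddings/ folder
    """
    findings = {"has_vba": False, "equation_progids": [], "ole_parts": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            lower = name.lower()
            if lower.endswith("vbaproject.bin"):
                findings["has_vba"] = True
            if "/embeddings/" in lower and lower.endswith(".bin"):
                findings["ole_parts"].append(name)
            if lower.endswith(".xml"):
                text = zf.read(name).decode("utf-8", errors="replace")
                findings["equation_progids"].extend(EQUATION_PROGID_RE.findall(text))
    return findings


def risk_level(findings: dict) -> str:
    """Map findings to a coarse triage level for a mail-gateway or sandbox queue."""
    if findings["equation_progids"]:
        return "high"      # Equation Editor object: hold for sandboxing
    if findings["has_vba"]:
        return "medium"    # macro-enabled: strip or quarantine per policy
    return "low"


def build_sample(parts: dict) -> bytes:
    """Build a minimal OOXML-style zip in memory (constructed test input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in parts.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples, not real malware: just enough structure to exercise the checks.
MACRO_DOC = build_sample({
    "[Content_Types].xml": "<Types/>",
    "word/document.xml": "<w:document/>",
    "word/vbaProject.bin": b"\xd0\xcf\x11\xe0 constructed placeholder",
})

EQUATION_XLSX = build_sample({
    "[Content_Types].xml": "<Types/>",
    "xl/worksheets/sheet1.xml": '<worksheet><o:OLEObject ProgID="Equation.3" r:id="rId1"/></worksheet>',
    "xl/embeddings/oleObject1.bin": b"constructed placeholder",
})

CLEAN_DOCX = build_sample({
    "[Content_Types].xml": "<Types/>",
    "word/document.xml": "<w:document><w:body/></w:document>",
})


if __name__ == "__main__":
    for label, doc in (("macro.docx", MACRO_DOC), ("equation.xlsx", EQUATION_XLSX), ("clean.docx", CLEAN_DOCX)):
        found = triage_ooxml(doc)
        print(f"{label}: {risk_level(found)} {found}")
```

The script reads only the zip directory and XML parts, so it is safe to run on untrusted input without opening the document in Office. In practice the `high` and `medium` tiers would feed a quarantine or detonation step, and the presence of an Equation Editor object alone is a strong signal because Office has shipped no supported Equation Editor since the component was removed following CVE-2017-11882.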

These recent phishing attacks highlight the ongoing threat posed by APT34 and the importance of implementing strong cybersecurity measures to protect against such threats.

