A spear-phishing campaign targeting Jordan's foreign ministry has been observed dropping a new stealthy backdoor dubbed Saitama.
Researchers from Malwarebytes and Fortinet FortiGuard Labs attributed the campaign to an Iranian cyber espionage threat actor tracked under the moniker APT34, citing resemblances to past campaigns staged by the group.
“Like many of these attacks, the email contained a malicious attachment,” Fortinet researcher Fred Gutierrez said. “However, the attached threat was not a garden-variety malware. Instead, it had the capabilities and techniques usually associated with advanced persistent threats (APTs).”
APT34, also known as OilRig, Helix Kitten, and Cobalt Gypsy, is known to have been active since at least 2014 and has a track record of striking the telecom, government, defense, oil, and financial sectors in the Middle East and North Africa (MENA) via targeted phishing attacks.
Earlier this February, ESET tied the group to a long-running intelligence-gathering operation aimed at diplomatic organizations, technology companies, and medical organizations in Israel, Tunisia, and the United Arab Emirates.
The newly observed phishing message contains a weaponized Microsoft Excel document that, when opened, prompts the potential victim to enable macros, leading to the execution of a malicious Visual Basic for Applications (VBA) macro that drops the malware payload (“update.exe”).
Furthermore, the macro takes care of establishing persistence for the implant by adding a scheduled task that repeats every four hours.
A .NET-based binary, Saitama leverages the DNS protocol for its command-and-control (C2) communications as part of an effort to disguise its traffic, while employing a “finite-state machine” approach to executing commands received from the C2 server.
“In the end, this basically means that this malware is receiving tasks inside a DNS response,” Gutierrez explained. DNS tunneling, as the technique is called, makes it possible to encode the data of other programs or protocols inside DNS queries and responses.
In the final stage, the results of the command execution are sent back to the C2 server, with the exfiltrated data embedded in a DNS request.
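Because both tasking and exfiltration ride inside ordinary-looking DNS traffic, resolver logs are the natural place to look for this kind of C2. The script below is an added example written for this article, not code from the Fortinet or Malwarebytes reports and not a Saitama signature; it applies generic DNS-tunneling heuristics (high-entropy and long subdomain labels, bulky record types, many unique subdomains under one registered domain from one client) to a constructed set of resolver log lines. The log format (`client qname qtype`), the IP addresses and the `example-c2.test` domain are all invented for the demonstration.

```python
"""Heuristic DNS-tunneling detector for resolver query logs (added example)."""
import math
from collections import defaultdict

# Constructed resolver log lines in a hypothetical "<client_ip> <qname> <qtype>" format.
# Lines 3-6 imitate encoded data being carried in subdomain labels; none is real traffic.
SAMPLE_LOG = """\
10.0.0.5 www.example.com A
10.0.0.5 mail.example.com MX
10.0.0.7 a9f3k2lq8x.zt7p1c0dn4w.tasks.example-c2.test TXT
10.0.0.7 b2m8q1zx7c.r4hh0k9vpls.tasks.example-c2.test TXT
10.0.0.7 c7kq2p9dzm.s5jj1l0wqmt.tasks.example-c2.test TXT
10.0.0.7 d4nw3r8fxo.t6kk2m1xrnu.tasks.example-c2.test TXT
10.0.0.9 cdn.example.org A
"""


def shannon_entropy(text: str) -> float:
    """Bits per character; base32/base64-style payloads score far above real hostnames."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname: str):
    """Return (subdomain, registered_domain).

    Crude: treats the last two labels as the registered domain. A production
    deployment would consult the Public Suffix List instead.
    """
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def query_indicators(qname: str, qtype: str, min_entropy: float = 3.5, min_label: int = 10):
    """Per-query signals; each alone is weak, so callers combine them with volume."""
    sub, _ = split_name(qname)
    labels = [l for l in sub.split(".") if l]
    reasons = []
    if labels and max(len(l) for l in labels) >= min_label:
        reasons.append("long label")
    if shannon_entropy(sub.replace(".", "")) >= min_entropy:
        reasons.append("high-entropy subdomain")
    if qtype.upper() in ("TXT", "NULL") and sub:
        # TXT/NULL answers can carry large payloads, which suits downstream tasking.
        reasons.append("bulky record type")
    return reasons


def detect_tunneling(log_text: str, min_unique: int = 4):
    """Group queries by (client, registered domain) and flag tunneling-like groups."""
    groups = defaultdict(lambda: {"subdomains": set(), "reasons": set(), "queries": 0})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than crash on them
        client, qname, qtype = parts
        sub, domain = split_name(qname)
        g = groups[(client, domain)]
        g["queries"] += 1
        g["subdomains"].add(sub)
        g["reasons"].update(query_indicators(qname, qtype))

    findings = []
    for (client, domain), g in sorted(groups.items()):
        reasons = set(g["reasons"])
        if len(g["subdomains"]) >= min_unique:
            # Exfil encodes data into ever-changing subdomains; real hosts reuse a few names.
            reasons.add("many unique subdomains")
        # Require entropy evidence or high unique-name count; a lone TXT lookup (SPF, DKIM) is normal.
        if "high-entropy subdomain" in reasons or "many unique subdomains" in reasons:
            findings.append({
                "client": client,
                "domain": domain,
                "queries": g["queries"],
                "reasons": sorted(reasons),
            })
    return findings


if __name__ == "__main__":
    for finding in detect_tunneling(SAMPLE_LOG):
        print(finding)
```

Run against the constructed log, the script flags only the `10.0.0.7` to `example-c2.test` group; the ordinary `www`, `mail` and `cdn` lookups fall below every threshold. Thresholds are deliberately conservative and should be tuned per environment, since CDNs and some security products legitimately generate long, random-looking labels.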
“With the amount of work put into developing this malware, it does not appear to be the type to execute once and then delete itself, like other stealthy infostealers,” Gutierrez said.
“Perhaps to avoid triggering any behavioral detections, this malware also does not create any persistence methods. Instead, it relies on the Excel macro to create persistence by way of a scheduled task.”