According to a report, the hacker group tracked as APT34 has started a new campaign aimed at the employees of US companies, specifically Westat. Westat employees, and organizations that use Westat's services, are said to be the primary targets of the campaign. Westat is known for providing research services to US government agencies, businesses, and state and local governments. APT34, also known as Helix Kitten, targets international organizations in the government, financial, oil and gas, telecommunications, and energy and utility sectors.
According to the researchers, they recently discovered a file named survey.xls that is designed to look like an employee satisfaction survey. They say the file has been customized to target Westat employees and Westat customers. Because the company collects information about federal workers, it is a natural target: attackers favor organizations that hold large amounts of data on individuals, which keeps those organizations under constant risk of attack.
Image Source: www.cyberscoop.com
The file contains a blank sheet that only displays a survey form once the victim enables macros. As soon as the survey is displayed, the malicious VBA code starts running. According to the researchers, the VBA code drops a ZIP file into a temporary folder, extracts the executable "Client update.exe" from it and installs it into a folder. It then creates a scheduled task named "Check update" to run the unpacked executable; the researchers explained that the task fires five minutes after the device is infected. From that point the implant waits for orders and ultimately steals whatever information the operators ask for.
Those are the instructions the APT34 group gives its malware, but every stage of the chain depends on a user opening the attachment and enabling macros, so strictly following basic cybersecurity procedures prevents it. Employees are usually an attacker's first target, so it is important to train them on how hackers use email attachments to open a backdoor into a device, and to block macros in documents that arrive from the internet.
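The chain above leaves a recognizable trail in endpoint telemetry: an Office process writing an archive or executable into a user-writable folder, a scheduled task whose action points into that folder, and the dropped executable later started by the task scheduler rather than by Excel. The following detection logic is an added example, not code from Intezer, Westat or this article. It assumes a simplified, Sysmon-like record for process creation and file writes and a Windows 4698-style task-creation event; the field names, the sample paths, the user-profile drop directory and all the event data are constructed assumptions.

```python
import re
from dataclasses import dataclass

# Process names whose children and file writes deserve scrutiny: a macro
# runs inside the Office process, so both the drop and the task creation
# originate there.
OFFICE = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
# Hosts that launch scheduled-task actions; "Client update.exe" started by
# "Check update" shows up as a child of one of these, not of Excel.
TASK_HOSTS = {"svchost.exe", "taskeng.exe"}
# Directories an ordinary user can write to. Assumption: the folder the
# macro installs into lies somewhere under the user's profile.
USER_WRITABLE = re.compile(r"\\(?:temp|tmp|appdata)\\", re.IGNORECASE)
DROPPED_TYPES = (".exe", ".zip", ".dll", ".scr")


@dataclass(frozen=True)
class Event:
    kind: str            # "process", "file" or "task"
    pid: int = 0
    ppid: int = 0
    image: str = ""      # acting process image (process and file events)
    cmdline: str = ""
    target: str = ""     # file written, or the executable a task runs
    task_name: str = ""


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def analyze(events):
    """Return (rule, detail) pairs for events matching the macro-drop chain."""
    procs = {e.pid: e for e in events if e.kind == "process"}
    alerts = []
    for e in events:
        if e.kind == "process":
            parent = procs.get(e.ppid)
            parent_name = basename(parent.image) if parent else ""
            # Office spawning schtasks.exe /create is the noisy variant of
            # task creation; COM-based creation only shows in task events.
            if (parent_name in OFFICE and basename(e.image) == "schtasks.exe"
                    and "/create" in e.cmdline.lower()):
                alerts.append(("office_creates_task", e.pid))
            # The payload runs from a user-writable folder under the task host.
            elif parent_name in TASK_HOSTS and USER_WRITABLE.search(e.image):
                alerts.append(("task_runs_user_writable_exe", e.pid))
        elif e.kind == "file":
            if (basename(e.image) in OFFICE and USER_WRITABLE.search(e.target)
                    and e.target.lower().endswith(DROPPED_TYPES)):
                alerts.append(("office_drops_binary", e.target))
        elif e.kind == "task":
            if USER_WRITABLE.search(e.target):
                alerts.append(("task_action_in_user_writable_dir", e.task_name))
    return alerts


EXCEL = r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"
DROP_DIR = r"C:\Users\jdoe\AppData\Local\Temp"
# Constructed sample telemetry reproducing the described chain plus two
# benign events; not captured from a real host.
SAMPLE_EVENTS = [
    Event("process", pid=900, ppid=1, image=r"C:\Windows\explorer.exe"),
    Event("process", pid=1200, ppid=1, image=r"C:\Windows\System32\svchost.exe",
          cmdline="svchost.exe -k netsvcs -p -s Schedule"),
    Event("process", pid=4100, ppid=900, image=EXCEL,
          cmdline=r'"EXCEL.EXE" "C:\Users\jdoe\Downloads\survey.xls"'),
    Event("file", pid=4100, image=EXCEL, target=DROP_DIR + r"\update.zip"),
    Event("file", pid=4100, image=EXCEL,
          target=DROP_DIR + r"\Client\Client update.exe"),
    Event("task", pid=4100, task_name="Check update",
          target=DROP_DIR + r"\Client\Client update.exe"),
    Event("process", pid=5200, ppid=1200,
          image=DROP_DIR + r"\Client\Client update.exe",
          cmdline='"Client update.exe"'),
    Event("process", pid=6000, ppid=900, image=r"C:\Windows\System32\notepad.exe",
          cmdline="notepad.exe"),
    Event("file", pid=4100, image=EXCEL,
          target=r"C:\Users\jdoe\Documents\report.xlsx"),
]

if __name__ == "__main__":
    for rule, detail in analyze(SAMPLE_EVENTS):
        print(f"{rule}: {detail}")
```

On the constructed sample this raises four alerts (two binary drops by Excel, a task whose action lives in the user's profile, and the dropped executable started under the task host) and stays silent on the benign explorer, notepad and spreadsheet-save events. The task-host rule is what catches the five-minute delayed start: by the time "Client update.exe" runs, Excel is no longer its parent, so a rule keyed only on Office children would miss it.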
The APT34 hacker group has been linked to a number of campaigns, including the one FireEye documented in 2019. Three things identify the group, and all three were evident in that campaign: the operators impersonated a member of Cambridge University to win the target's trust and get them to open a malicious link or download a malicious attachment; they used LinkedIn to distribute the malicious document; and they introduced three new malware families. The VBA code extracted from survey.xls, and what it does, has a lot in common with the code analyzed in the FireEye campaign.
Another document, "Employee Satisfaction Survey.exe", discovered and analyzed by the researchers in the Westat incident, shows the same survey seen in earlier incidents linked to the same group. When the file's metadata was examined, its code page was Arabic, which indicates the language setting of the copy of Microsoft Office the document's author used.
Analysis of the malware used by APT34 revealed a significant change in its toolset. The group has upgraded its operation since the previous campaign and made sure its tools stand a better chance against improved detection tools.
In 2019, an individual using the name Lab Dookhtegan published source code for the APT34 group's tools on a Telegram channel. Alongside the source code, the individual also released data the APT34 group had obtained from its victims, mainly usernames and passwords. According to the researchers, the data is suspected to have been obtained through phishing campaigns. It came from 66 victims traced to the Middle East, Africa, East Asia and Europe.
Image Source: www.zdnet.com
The researchers revealed that the data came from both private companies and government agencies; Emirates National Oil and Etihad Airways were among the better-known affected organizations. The individual also listed the IP addresses and domains on which the group had hosted its web shells, and published data on Iranian Ministry of Intelligence officers, including images, names and phone numbers, obtained from the APT34 group's previous operations. Dookhtegan compiled a PDF containing the names, phone numbers, email addresses, images, tools and social media profiles of affected victims.
Hackers have learned to upgrade their operations with sophisticated tools that are hard to detect and that stay quiet, showing no obvious behaviour while they carry out an order, create backdoors and hand remote access to the actors behind the malware. It is therefore important for both private and public organizations to put measures in place to defend against any attack hackers may launch.
Disclaimer: Darkweblink.com does not promote or endorse claims made by any party in this article. The information provided here is for general purposes only and is not intended to promote or support the purchase or sale of any products or services, or to serve as a recommendation to do so. Neither Darkweblink.com nor any of its members is responsible, directly or indirectly, for any loss or damage caused or alleged to be caused by or in connection with reliance on or use of any content, goods or services mentioned in this article.