Security researchers have discovered a malicious campaign targeting organizations in the Middle East using new backdoor malware.
Describing the activity in a Thursday advisory, Trend Micro researchers Mohamed Fahmy, Sherif Magdy, and Mahmoud Zohdy attribute it to the advanced persistent threat (APT) group the company tracks as APT34.
“The main purpose is to steal user credentials. [In] case of password reset or change, the malware can send the new credentials to the attacker,” the technical write-up reads.
Fahmy, Magdy, and Zohdy also analyzed a backdoor variant deployed as part of the new campaign and found that it carries additional exfiltration techniques compared with previously studied variants.
In particular, the new malware abuses compromised mailbox accounts to send stolen data from internal mailboxes to attacker-controlled external email accounts.
“Although the technique is not new, this is the first time APT34 has used it in a campaign,” Trend Micro said in the advisory.
From a technical perspective, the infection flow starts with a .NET dropper called MrPerfectInstaller that drops four different files. The malware then abuses Windows’ password filter mechanism, a legitimate LSA extension point that receives plaintext passwords whenever they are changed or reset, to intercept credentials of both domain users (on domain controllers) and local accounts (on individual machines) before exfiltrating them over legitimate email traffic.
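Because a password filter only works once its DLL is registered in the LSA “Notification Packages” value and loaded into lsass.exe, that registry value is the first place a defender should look. The following PowerShell audit is an added example, not code from Trend Micro or from the campaign; it assumes the stock baseline entries are scecli (all Windows hosts) and rassfm (domain controllers), and flags any other package, or any package whose DLL is missing or not validly signed, for follow-up.

```powershell
# Added example: audit LSA password filter registrations on the local host.
# Run elevated on each domain controller and on any host suspected of compromise.
# Assumption: 'scecli' and 'rassfm' are the expected baseline entries; adjust for
# legitimately deployed filters (e.g. third-party password policy products).

$lsaKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$baseline = @('scecli', 'rassfm')
$system32 = Join-Path $env:SystemRoot 'System32'

# 'Notification Packages' is a REG_MULTI_SZ of DLL base names (no extension, no path).
$packages = (Get-ItemProperty -Path $lsaKey -Name 'Notification Packages' -ErrorAction Stop).'Notification Packages'

# Modules currently mapped into lsass.exe, so a registered-but-not-yet-loaded
# filter (pending reboot) and a loaded-but-deregistered one both stand out.
$lsassModules = (Get-Process -Name lsass).Modules | Select-Object -ExpandProperty ModuleName

$report = foreach ($name in $packages) {
    $dllPath = Join-Path $system32 "$name.dll"
    $known   = $baseline -contains $name.ToLower()
    $exists  = Test-Path -Path $dllPath
    $status  = if ($exists) { (Get-AuthenticodeSignature -FilePath $dllPath).Status } else { 'Missing' }
    $loaded  = $lsassModules -contains "$name.dll"

    [pscustomobject]@{
        Package    = $name
        Baseline   = $known
        Path       = $dllPath
        Signature  = $status
        InLsass    = $loaded
        # Anything outside the baseline, or with a broken/absent signature, needs an analyst.
        Suspicious = (-not $known) -or ($status -ne 'Valid')
    }
}

$report | Format-Table -AutoSize

# Exit non-zero when something needs attention, so the script can feed a scheduled check.
if ($report | Where-Object Suspicious) { exit 1 } else { exit 0 }
```

A registration that looks suspicious should be paired with the DLL’s hash, its creation time on disk, and the ingest of Security event ID 4657 (registry value modified) for the Lsa key on that host, since a filter DLL only starts receiving passwords after the next lsass start and the registry write is the earliest artifact.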
“[The] main backdoor functions […] take a valid domain credential as an argument and use it to log on to the Exchange Server, using it for data exfiltration purposes.”
“The main function of this stage is to take the stolen passwords from the arguments and send them as email attachments to the attackers. It also confirmed [access to] the Exchange Server using a valid account with a stolen password.”
According to Trend Micro, because both the domain credential and the email credential are valid, the activity can look like legitimate traffic and be mistakenly tagged as benign by security teams.
“[It] requires more experienced analysts to confirm that the domain is being abused. [The domains are] part of a larger Active Directory domain “forest” that shares trust relationships […] to allow various government ministries and agencies to communicate.”
APT34 isn’t the only threat group targeting organizations in the region. Just a few weeks ago, Trend Micro spotted another threat group using geopolitical-themed lures in the Middle East to distribute NjRAT.