APT34, a secretive cyberespionage group that focuses on targets in the Middle East, has become a major cybersecurity threat due to its sophisticated techniques and extensive resources. The group is known for conducting high-profile attacks against government agencies, critical infrastructure, telecommunications, and key regional entities.
Recently, researchers at Trend Micro identified a new malware family associated with APT34, which they named Menorah. It was delivered through a malicious document in a phishing attack observed in August. Menorah is built for cyberespionage: it identifies the victim machine, reads and writes files, and can download additional malware.
The infection chain starts when the victim opens the document. Its hidden macros handle string manipulation and decoding, drop the Menorah.exe binary into a specific directory, and then create a scheduled task named “OneDriveStandaloneUpdater” that launches it; that task is what gives the malware persistence across reboots.
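The persistence step above is where a defender can look first: a scheduled task that borrows the OneDrive updater's name but runs something that is not the OneDrive updater. The following hunting script is an added example, not code from the Trend Micro report or from the malware. It parses the CSV that `schtasks /query /fo CSV /v` prints on a Windows host (a trimmed, constructed sample is embedded; the drop path and the argument given to Menorah.exe in it are assumptions, since the text above names neither) and flags any task that mentions OneDrive without running the genuine updater from its per-user install directory.

```python
"""Hunt for scheduled tasks that impersonate the OneDrive updater.

Added example: not code from the Trend Micro report or from the malware.
Input is the CSV produced by `schtasks /query /fo CSV /v`; a trimmed,
constructed sample is embedded below so the script runs offline.
"""
import csv
import io
import re

# The genuine updater is installed per user under %LOCALAPPDATA%\Microsoft\OneDrive.
LEGIT_ONEDRIVE_UPDATER = re.compile(
    r"\\AppData\\Local\\Microsoft\\OneDrive\\OneDriveStandaloneUpdater\.exe\b",
    re.IGNORECASE,
)

# Constructed sample (not real output). Columns are reduced to the ones used here.
# ASSUMPTION: the Menorah.exe drop path and the "1" argument are illustrative only.
SAMPLE_SCHTASKS_CSV = r'''"HostName","TaskName","Task To Run","Run As User","Schedule Type"
"WS01","\OneDrive Standalone Update Task-S-1-5-21-1111","C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe","alice","Daily"
"WS01","\OneDriveStandaloneUpdater","C:\Users\alice\AppData\Local\Temp\Menorah.exe 1","alice","Daily"
"WS01","\Microsoft\Windows\Defrag\ScheduledDefrag","%windir%\system32\defrag.exe -c -h -o -$","SYSTEM","Weekly"
'''


def suspicious_onedrive_tasks(schtasks_csv: str) -> list[tuple[str, str]]:
    """Return (task name, command) pairs that borrow the OneDrive name
    without running the genuine updater from its install directory."""
    findings = []
    for row in csv.DictReader(io.StringIO(schtasks_csv)):
        name = row["TaskName"]
        command = row["Task To Run"]
        if "onedrive" not in name.lower():
            continue                    # not trying to look like OneDrive
        if LEGIT_ONEDRIVE_UPDATER.search(command):
            continue                    # the real updater, leave it alone
        findings.append((name, command))
    return findings


if __name__ == "__main__":
    for name, command in suspicious_onedrive_tasks(SAMPLE_SCHTASKS_CSV):
        print(f"SUSPICIOUS task {name!r} runs {command!r}")
```

On a live host, run `schtasks /query /fo CSV /v > tasks.csv` and feed the file to `suspicious_onedrive_tasks`. Per-machine OneDrive installs keep the updater under Program Files instead of AppData, so extend the allow-list regex before using this across a fleet, otherwise every such host will be flagged.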
The dropped .NET malware is well equipped for cyberespionage, with host fingerprinting, file manipulation and remote command execution. Menorah resembles SideTwist, another backdoor tied to APT34, and the latest SideTwist variant improves its stealth by applying hashing to its traffic. Menorah also checks the arguments it is launched with before doing anything malicious, so a copy executed without the expected argument, as it would be in an automated sandbox, reveals nothing.
During analysis, the researchers identified the command-and-control (C&C) server and a timer that triggers communication with it every 32 seconds. To fingerprint the victim, Menorah combines the machine name and username into one string in the {MachineNameUsername} format (machine name followed by username), encodes it, computes its MD5 hash, and XORs the hash with a Base64-encoded string. The resulting identifier is sent to the C&C server in an HTTP request.
The C&C server was already inactive when analyzed, but the malware's handling of the response shows what it expects: an encrypted message, most likely Base64-encoded. After decoding, the message is split into an array, and each value dictates a specific action for the malware to take.
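The fingerprint construction and the reply format described in the two paragraphs above are enough to model both ends of the beacon. The script below is an added example, not Menorah's code and not Trend Micro's: the text fixes the shape of the algorithm (machine name plus username, MD5, XOR with a Base64-encoded string, HTTP beacon, Base64 reply split into an array of values) but not the key, the character encoding, the query parameter name or the delimiter, so those are assumptions and are marked as such in the code; the hosts and proxy-log lines are constructed. The defensive use is the point: precompute the value each of your own hosts would send and hunt for it in proxy logs, which keeps working when the attacker moves to a new C&C domain. Only the Base64 layer of the reply is modelled, since the text does not describe the encryption.

```python
"""Beacon fingerprint and tasking decoder modelled on the Menorah description.

Added example, not the malware's code and not Trend Micro's. Key, encoding,
delimiter and query parameter are ASSUMPTIONS; hosts and log lines are
constructed for the demonstration.
"""
import base64
import hashlib
from urllib.parse import quote, unquote

C2_HOST = "tecforsc-001-site1.gtempurl.com"   # from the published IOC (defanged there with [.])

# ASSUMPTION: the real XOR key is not given in the text this follows.
ASSUMED_KEY_B64 = base64.b64encode(b"example-key").decode("ascii")
ASSUMED_DELIMITER = "|"                        # ASSUMPTION: separator between values in the reply


def fingerprint(machine_name: str, username: str, key_b64: str = ASSUMED_KEY_B64) -> str:
    """Identifier the host would send: MD5(machine name + username) XOR key, then Base64."""
    ident = f"{machine_name}{username}".encode("utf-8")      # ASSUMPTION: UTF-8, no separator
    digest = hashlib.md5(ident).hexdigest().encode("ascii")   # 32 hex characters
    key = key_b64.encode("ascii")                             # XOR against the Base64 text itself
    mixed = bytes(b ^ key[i % len(key)] for i, b in enumerate(digest))
    return base64.b64encode(mixed).decode("ascii")            # 44 characters on the wire


def expected_beacons(hosts, key_b64: str = ASSUMED_KEY_B64) -> dict:
    """Map fingerprint -> (machine, user) for every host/user pair you manage."""
    return {fingerprint(m, u, key_b64): (m, u) for m, u in hosts}


def hunt(proxy_lines, beacon_table) -> list:
    """Flag lines that reach the known C&C host or carry one of our precomputed beacons."""
    hits = []
    for line in proxy_lines:
        decoded = unquote(line)                  # beacons travel URL-encoded ('+', '/', '=')
        if C2_HOST in decoded:
            hits.append(("c2-domain", line))
            continue
        for token, (machine, user) in beacon_table.items():
            if token in decoded:                 # same id, different infrastructure
                hits.append((f"beacon:{machine}/{user}", line))
    return hits


def encode_tasking(values) -> str:
    """Server side: pack an array of values into the Base64 reply the client expects."""
    return base64.b64encode(ASSUMED_DELIMITER.join(values).encode("utf-8")).decode("ascii")


def decode_tasking(reply_b64: str) -> list:
    """Client side: Base64-decode the reply and split it into the action array."""
    return base64.b64decode(reply_b64).decode("utf-8").split(ASSUMED_DELIMITER)


def sample_proxy_log() -> list:
    """Constructed lines, not real traffic: a beacon to the reported C&C host, the same
    beacon replayed to an unrelated host, and benign noise. 'id' is an assumed parameter."""
    fp = fingerprint("WS01", "alice")
    return [
        f"2023-08-14T10:02:31Z 10.0.0.5 GET http://{C2_HOST}/ads.asp?id={quote(fp)} 200",
        f"2023-08-14T10:03:03Z 10.0.0.5 GET http://cdn.example.net/ads.asp?id={quote(fp)} 200",
        "2023-08-14T10:03:10Z 10.0.0.7 GET http://www.example.com/index.html 200",
    ]


if __name__ == "__main__":
    table = expected_beacons([("WS01", "alice"), ("WS02", "bob")])
    for label, line in hunt(sample_proxy_log(), table):
        print(label, line)
    print(decode_tasking(encode_tasking(["3", "download", "http://example.invalid/x.bin"])))
```

Swap in the real key and delimiter once they are recovered from a sample and the fingerprint table becomes a durable detection: the second constructed line shows a beacon that a domain-only IOC would miss. `decode_tasking` splits on the assumed delimiter, so a value that itself contains that character would be cut; the real client presumably has the same limitation or escapes it, which the text does not say.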
APT34's continuous development and customization of its tooling and tactics show the group's adaptability and its track record in cyberespionage. It draws on a broad set of resources and skills to target specific entities, which keeps its attacks effective.
The indicators of compromise (IOCs) published for Menorah include SHA256 hashes of the samples and the corresponding trojan detection names. The C&C server contacted by the malware is hxxp://tecforsc-001-site1[.]gtempurl[.]com/ads.asp (defanged).
As APT34 continues to evolve and refine its techniques, it is crucial for organizations and individuals to stay vigilant and implement robust cybersecurity measures. Patching vulnerabilities, using advanced email security solutions, and staying informed about the latest threats are essential steps in protecting against cyberattacks.
