APT34 (Advanced Persistent Threat 34) is an Iran-based hacking group that is also known as OilRig, Helix Kitten, and Greenbug. Malware experts believe that the APT34 hacking group is sponsored by the Iranian government and is used to further Iranian interests globally. The APT34 hacking group was first spotted back in 2014. This state-sponsored hacking group tends to target foreign corporations and institutions in the energy, financial, chemical, and defense industries.
Operates in the Middle East
The activity of APT34 is concentrated mainly in the Middle East. Many hacking groups rely on known exploits against outdated software; APT34, however, prefers to deliver its threats through social engineering. The group is known for its use of rarely seen techniques, for example employing the DNS protocol to establish a communication channel between the infected host and the control server. It also relies regularly on self-made hacking tools instead of opting for public ones.
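The DNS-based control channel mentioned above leaves a distinctive trace in resolver logs: one client issuing many never-repeated, high-entropy subdomain labels under a single parent domain. The following detection heuristic is an added example written for this page, not code from the original write-up or from APT34's tooling; the query log, the client addresses and the `c2.invalid` domain are constructed placeholders.

```python
import hashlib
import math
from collections import defaultdict

# Constructed sample DNS query log as (client_ip, queried_name) pairs; not from the page.
# Host 10.0.0.7 emits many unique, high-entropy labels under one parent domain,
# the pattern a DNS-based C2 channel produces when it encodes data in queries.
BENIGN = [("10.0.0.5", n) for n in ("www.example.com", "mail.example.com",
                                    "static.example.com", "login.example.com")]
TUNNEL = [("10.0.0.7", hashlib.sha256(b"chunk%d" % i).hexdigest()[:20] + ".c2.invalid")
          for i in range(12)]
SAMPLE_QUERIES = BENIGN + TUNNEL

def shannon_entropy(label: str) -> float:
    """Bits of entropy per character of a label; encoded data scores high."""
    if not label:
        return 0.0
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def split_name(name: str, depth: int = 2):
    """Return (subdomain, parent) where parent is the last `depth` labels."""
    labels = name.rstrip(".").split(".")
    return ".".join(labels[:-depth]), ".".join(labels[-depth:])

def find_dns_c2(queries, min_unique=8, min_entropy=2.5):
    """Flag (client, parent) pairs with many distinct, high-entropy subdomains."""
    seen = defaultdict(set)
    for client, name in queries:
        sub, parent = split_name(name)
        if sub:
            seen[(client, parent)].add(sub)
    findings = []
    for (client, parent), subs in seen.items():
        if len(subs) < min_unique:
            continue
        avg = sum(shannon_entropy(s) for s in subs) / len(subs)
        if avg >= min_entropy:
            findings.append({"client": client, "domain": parent,
                             "unique_subdomains": len(subs),
                             "avg_entropy": round(avg, 2)})
    return findings

if __name__ == "__main__":
    for finding in find_dns_c2(SAMPLE_QUERIES):
        print(finding)
```

Tune `min_unique` and `min_entropy` against a baseline of your own resolver logs, since CDNs and some telemetry services also produce long randomized labels and will need allow-listing.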
The Tonedeaf Backdoor
In one of its latest campaigns, APT34 targets employees in the energy sector as well as individuals working in foreign governments. APT34 built a bogus social network and then posed as a representative of Cambridge University looking to hire staff. The group even went as far as creating a fake LinkedIn profile meant to convince the PC user of the legitimacy of the job offer. APT34 would send the targeted victim a message containing a file called 'ERFT-Details.xls' that carries the malware payload. The malware dropped is called the Tonedeaf backdoor, and upon execution it immediately connects to the attackers' C&C (Command & Control) server. Communication is carried out over HTTP POST and GET requests. The Tonedeaf malware is able to:
- Upload files.
- Download files.
- Gather information about the compromised system.
- Execute shell commands.
Apart from its main capabilities, the Tonedeaf backdoor serves as a gateway for the APT34 to plant more malware on the infected host.
The group is certainly not content with controlling just one of the compromised organization's systems. It has been seen regularly using password-collecting tools to harvest login credentials, which it then uses to try to infiltrate other systems on the same company network.
APT34 mainly uses hacking tools of its own development, but sometimes also employs publicly available tools in its campaigns.