By CagedTech in Backdoors

APT34 (Advanced Persistent Threat 34) is a hacking group that originates from Iran. It is also known under the aliases Helix Kitten, OilRig, and Greenbug. It is largely believed that the APT34 hacking group is sponsored by the Iranian government and is often given tasks that would further Iranian interests, with most of the efforts focused on the Middle Eastern region. The APT34 hacking group often targets companies in the defense, chemical, energy, and financial industries.

Propagation via Social Engineering

The APT34 hacking group would often employ social engineering tactics as a means to propagate their threats. Such is the case with the TONEDEAF backdoor Trojan. Members of the APT34 would set up bogus LinkedIn profiles pretending to be reputable scientists. Once they establish a connection with the targeted victim, the APT34 hacking group would send them a Microsoft Office document that is meant to appear as a legitimate research paper. If the user falls for their trickery and opens the macro-laced attachment, they would trigger the execution of the TONEDEAF Trojan.

Can Operate Silently

Often, the APT34 would use the TONEDEAF backdoor Trojan simply as a first-stage payload, which would facilitate the planting of additional malware on the infected host. To potentially stay under the radar of anti-malware tools, the TONEDEAF backdoor may be able to communicate with the server of the attackers via DNS protocols. Despite this being a much less efficient way to establish a connection with the attackers' server, as it reduces the capabilities of the threat, it makes the operation much less noisy. However, the DNS communication is not yet active, and TONEDEAF continues to rely on the HTTP protocol for contacting the Command & Control server.
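The low-noise DNS channel described above is exactly why defenders watch resolver logs for a host that issues many unique, high-entropy subdomain lookups under a single parent domain. The following detection logic is an added example, not code from the original post or from any TONEDEAF sample; the log lines and the parent domain c2-placeholder.test are constructed, and the registered-domain split is a naive two-label assumption.

```python
import math
from collections import defaultdict

# Constructed sample resolver log lines: "<source_ip> <queried_name>".
# These are illustrative only, not indicators from any real sample.
SAMPLE_DNS_LOG = [
    "10.0.0.5 www.example.com",
    "10.0.0.5 mail.example.com",
    "10.0.0.7 a3f9c1e2b7d4.c2-placeholder.test",
    "10.0.0.7 9e1d4b0a7c2f.c2-placeholder.test",
    "10.0.0.7 5b8e0c3a9f1d.c2-placeholder.test",
    "10.0.0.7 d2c7a0e5b9f3.c2-placeholder.test",
    "10.0.0.7 1f4b9c0d8a3e.c2-placeholder.test",
    "10.0.0.7 www.example.com",
]

def shannon_entropy(s):
    """Bits of entropy per character; encoded data scores high, words score low."""
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def parse_line(line):
    src, name = line.split()
    return src, name.lower().rstrip(".")

def registered_domain(name):
    # Assumption: parent domain is the last two labels. Production code
    # should use a public-suffix list instead of this shortcut.
    return ".".join(name.split(".")[-2:])

def find_suspicious_dns(lines, min_unique=5, min_entropy=3.0):
    """Return {(src_ip, parent_domain): unique_subdomain_count} for hosts that
    looked up at least min_unique distinct high-entropy subdomains under one
    parent domain, the pattern a DNS-based C2 or exfil channel tends to leave."""
    seen = defaultdict(set)
    for line in lines:
        src, name = parse_line(line)
        parent = registered_domain(name)
        sub = name[: -len(parent) - 1] if name != parent else ""
        if sub and shannon_entropy(sub) >= min_entropy:
            seen[(src, parent)].add(sub)
    return {key: len(subs) for key, subs in seen.items() if len(subs) >= min_unique}

if __name__ == "__main__":
    for (src, parent), count in find_suspicious_dns(SAMPLE_DNS_LOG).items():
        print(f"{src} issued {count} unique high-entropy lookups under {parent}")
```

Tune min_unique and min_entropy against your own baseline, since CDN and anti-spam lookups also produce hashed-looking labels.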

Once the TONEDEAF Trojan is on the system, it would enable the attackers to:

  • Collect system information.
  • Execute Shell Commands.
  • Download additional files.

The samples of the TONEDEAF backdoor that were analyzed by cybersecurity researchers appeared to feature a hardcoded Command & Control server. However, do not be surprised if the APT34 threat actor opts to improve this in the future.
The APT34 hacking group is very active and has a constantly evolving arsenal of hacking tools. Since they are state-sponsored, it is not likely that they will halt operations any time soon. It is very important that you have installed a legitimate anti-virus software suite, which would keep you safe from potential threats like the TONEDEAF Trojan.
