Saitama Backdoor Detection: APT34 Aims New Malware at Jordan’s Foreign Ministry

Saitama Malware

Iranian hackers known as APT34 have launched a spear-phishing campaign distributing a novel backdoor named Saitama. This time, APT34 targets officials from Jordan’s Foreign Ministry. APT34 is associated with other monikers, such as OilRig, Cobalt Gypsy IRN2, and Helix Kitten, and has been active since at least 2014, mostly attacking entities in finance and government, as well as businesses and organizations in telecommunications, energy and chemical sectors.

Detect Saitama Backdoor

The rule below, provided by a keen Threat Bounty Program developer Sohan G, enables swift detection of APT34’s malicious activity within your environment:

Possible recent APT34 activity targetting Jordan Government using new a Saitama backdoor

The detection is available for the 23 SIEM, EDR & XDR platforms, aligned with the latest MITRE ATT&CK® framework v.10, addressing the Resource Development tactic with Obtain Capabilities (T1588/T1588.001) as the main technique.

Are you looking for cost-effective yet efficient solutions to increase the ransomware detection capabilities of security platforms existing in your organization? Join the Threat Bounty Program and get access to the only Threat Detection Marketplace where researchers can monetize their content.

View Detections Join Threat Bounty

Saitama Backdoor Details

The Malwarebytes’ research team reports of a novel backdoor, with a great probability operated by APT34, given a number of indicators and similarities to previous activities of this notorious APT. Iranian threat actor distributes the new malware strain dubbed Saitama by means of a spear-phishing campaign aimed at Jordanian government officials. In late April, the analysts warned about a malicious email received by a Jordanian diplomat. Adversaries, mimicking a legitimate representative of the Government of Jordan, sent an email with bogus claims regarding required confirmation with a maldoc attached.

The malicious document was an Excel file laced with macros. Upon opening a file, the victim is urged to enable a macro, starting such processes as creating a TaskService object and sending a notification of each step of macro execution to the server via the DNS protocol, dropping the malware payload “update.exe” and making it persistent.

The payload used in this spear-phishing attack is a .NET-written binary Saitama that abuses DNS protocol for command-and-control (C2) communications. In order to conceal its traffic, the backdoor operators also utilize such techniques as compression and establishing long random sleep times.

Sign up for Threat Detection Marketplace to empower your threat detection and response capabilities with the collective expertise of the worldwide cybersecurity community.

Was this article helpful?

Like and share it with your peers.
Join SOC Prime's Detection as Code platform to improve visibility into threats most relevant to your business. To help you get started and drive immediate value, book a meeting now with SOC Prime experts.

Related Posts