Delaware, USA – January 31, 2020 – The notorious Iranian cyberespionage group APT34 has begun hunting government organizations in the United States, modifying for this purpose the tools found in the group's arsenal last summer. Intezer Labs researchers Paul Litvak and Michael Kajilolti discovered a new spear-phishing campaign by APT34 (aka OilRig and Helix Kitten) that uses updated versions of the TONEDEAF and VALUEVAULT malware. The attackers are likely targeting United States organizations that use Westat's services: 80+ federal agencies, including the U.S. Department of Health and Human Services, the U.S. Department of Justice, and the U.S. Department of Transportation. "In late January 2020, we discovered a file named survey.xls that was designed to look like an employee satisfaction survey tailored to either Westat employees or Westat customers," the researchers said. "At first the spreadsheet appeared to be blank. Only once the victim enables macros, the survey is displayed to the user and the malicious VBA code begins to execute." The macro then downloads and installs the modified TONEDEAF backdoor and the VALUEVAULT password stealer.
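The lure described above relies on two macro traits that defenders can triage for: an auto-executing procedure that runs as soon as macros are enabled, and code that reveals the "blank" survey sheet before dropping the payload. The following Python snippet is an added example, not code from the article or from Intezer's analysis; it is a small keyword scorer of the kind analysts run over VBA source that has already been extracted from a document with an OLE/VBA extraction tool. The keyword lists, the scoring weights and the two sample macros (the "survey" one mirrors only the shape of the lure, with no download logic) are all constructed for illustration.

```python
"""Heuristic triage of extracted VBA macro source for dropper-like traits.

Added example: a keyword scorer in the spirit of the checks analysts run on
macro documents such as a "survey" spreadsheet that only fills in once macros
are enabled. The input is macro source text already extracted from the
document; the samples below are constructed and are not the real lure's code.
"""
import re
from dataclasses import dataclass, field

# Procedures that Office runs without a click once macros are enabled.
AUTO_EXEC = ("Workbook_Open", "Auto_Open", "Document_Open", "AutoOpen", "Workbook_Activate")

# Capability buckets commonly seen together in download-and-execute macros
# (constructed list, not exhaustive).
SUSPICIOUS = {
    "network": ("URLDownloadToFile", "XMLHTTP", "WinHttpRequest", "InternetOpen"),
    "execution": ("Shell", "WScript.Shell", "CreateObject", "CreateProcess"),
    "file_write": ("Environ(", "Put #", "SaveToFile"),
    # Unhiding a sheet after macros run is the "blank until enabled" trick.
    "deception": (".Visible = True", ".Visible = xlSheetVisible", "ActiveSheet.Unprotect"),
    "obfuscation": ("Chr(", "StrReverse"),
}


@dataclass
class Verdict:
    auto_exec: list = field(default_factory=list)  # auto-run procedures found
    hits: dict = field(default_factory=dict)       # category -> matched keywords
    score: int = 0

    @property
    def suspicious(self) -> bool:
        # Auto-execution combined with network or execution capability is the
        # classic dropper shape; requiring both keeps noise from benign macros down.
        return bool(self.auto_exec) and any(k in self.hits for k in ("network", "execution"))


def triage_vba(source: str) -> Verdict:
    """Score one macro module's source text and return the matched indicators."""
    v = Verdict()
    for proc in AUTO_EXEC:
        if re.search(r"\bSub\s+" + re.escape(proc) + r"\b", source, re.IGNORECASE):
            v.auto_exec.append(proc)
    lowered = source.lower()
    for category, needles in SUSPICIOUS.items():
        found = [n for n in needles if n.lower() in lowered]
        if found:
            v.hits[category] = found
    # Auto-exec procedures weigh more than individual capability keywords.
    v.score = 3 * len(v.auto_exec) + sum(len(x) for x in v.hits.values())
    return v


# Constructed sample mirroring the lure's shape: hidden sheet revealed on open,
# then a shell object created. Deliberately incomplete (cmd is undefined).
SAMPLE_MACRO = """Attribute VB_Name = "ThisWorkbook"
Sub Workbook_Open()
    ' constructed sample: the "survey" sheet is hidden until macros run
    Sheets("Survey").Visible = True
    Dim sh As Object
    Set sh = CreateObject("WScript.Shell")
    sh.Run cmd
End Sub
"""

# Constructed benign macro: formatting only, no auto-exec procedure.
BENIGN_MACRO = """Sub FormatReport()
    Range("A1").Font.Bold = True
End Sub
"""

if __name__ == "__main__":
    for name, src in (("sample", SAMPLE_MACRO), ("benign", BENIGN_MACRO)):
        verdict = triage_vba(src)
        print(f"{name}: suspicious={verdict.suspicious} score={verdict.score} "
              f"auto_exec={verdict.auto_exec} hits={verdict.hits}")
```

A sheet-reveal hit on its own is weak evidence, which is why the verdict keys on auto-execution plus network or execution capability; the other buckets only raise the score for analyst prioritisation.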
APT34 has significantly improved its tools since the publication of the earlier analysis. The TONEDEAF backdoor has become stealthier: the adversaries added dynamic importing, string decoding, and a method for deceiving the victim. It now contains only arbitrary shell execution capabilities and no longer supports any predefined commands. The new VALUEVAULT, by contrast, has lost most of its functions to reduce its noise and retains only a Chrome password-dumping feature. The spear-phishing campaign is still ongoing, so it is necessary to take measures to enhance security. You can use the Iranian APT Groups Technique Detection [Starter Pack] with your security solution to spot signs of state-sponsored actor activity and act at the early stages of the attack: https://tdm.socprime.com/tdm/info/pa3gjIFydULg/