Delaware, USA – July 23, 2019 – Tension in the Middle East is reflected in cyberspace: in its most recently discovered campaign, the HelixKitten cyber espionage group (aka APT34 and OilRig), associated with the Iranian government, began using new tricks and tools. FireEye detected and blocked the attack and analyzed the malware used in it. This time the attackers leveraged the LinkedIn platform to deliver a malicious Excel document. They created a fake profile posing as “Research Staff at University of Cambridge”, invited the target to download a file via a legitimate-looking link and fill in a “resume” form; the document carried a macro that drops a malicious binary and registers a scheduled task to execute it. Further investigation revealed three new pieces of malware in the HelixKitten arsenal. The TONEDEAF backdoor can upload and download files, execute shell commands, and communicates with its command-and-control server using HTTP GET and POST requests. VALUEVAULT, a browser credential dumper written in Golang, can steal saved passwords and extract browser history, but it contains no mechanism for transferring data to the C&C server and is therefore only used in conjunction with the group’s other tools. The last tool discovered is the LONGWATCH keylogger, which writes captured keystrokes to a log file in the Windows temp folder.
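The macro chain described above (Office document drops a binary, then a scheduled task runs it) leaves a telemetry pattern that is easy to hunt for. The following Python is an added detection example written for this article; it is not code from the original post, from FireEye or from SOC Prime. It assumes Sysmon-style process-creation fields (parent image, image, command line) and runs over a handful of constructed events, flagging an Office process spawning `schtasks.exe /create` and any task whose `/tr` target lives under a user-writable profile path.

```python
"""Hunt for the 'Office macro -> scheduled task -> dropped binary' pattern.

Added example, not part of the original article. Field names follow Sysmon
Event ID 1 (ParentImage, Image, CommandLine); the events below are constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Office hosts that should almost never spawn the task scheduler CLI.
OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}

# A task action pointing under C:\Users\<name>\ means the binary was dropped
# by something running as the user, which is exactly what a macro can do.
USER_WRITABLE = re.compile(r"^c:\\users\\[^\\]+\\", re.IGNORECASE)


@dataclass
class ProcessEvent:
    parent_image: str
    image: str
    command_line: str


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def is_office_spawned_task(ev: ProcessEvent) -> bool:
    """Office application directly launching 'schtasks.exe /create'."""
    return (
        _basename(ev.parent_image) in OFFICE_PARENTS
        and _basename(ev.image) == "schtasks.exe"
        and "/create" in ev.command_line.lower()
    )


def task_runs_user_path_binary(ev: ProcessEvent) -> bool:
    """schtasks /create whose /tr action is a binary in a user profile path."""
    if _basename(ev.image) != "schtasks.exe":
        return False
    # /tr may be quoted or bare; stop at the next switch or end of line.
    m = re.search(r'/tr\s+"?([^"]+?)"?(?:\s+/|$)', ev.command_line, re.IGNORECASE)
    if not m:
        return False
    return bool(USER_WRITABLE.match(m.group(1).strip()))


def triage(events: List[ProcessEvent]) -> List[Tuple[str, List[str]]]:
    """Return (command_line, [reasons]) for every event that trips a rule."""
    alerts = []
    for ev in events:
        reasons = []
        if is_office_spawned_task(ev):
            reasons.append("office_spawned_schtasks")
        if task_runs_user_path_binary(ev):
            reasons.append("task_targets_user_writable_path")
        if reasons:
            alerts.append((ev.command_line, reasons))
    return alerts


# Constructed sample telemetry (hypothetical paths and task names).
SAMPLE_EVENTS = [
    ProcessEvent(
        r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
        r"C:\Windows\System32\schtasks.exe",
        r'schtasks.exe /create /sc minute /mo 1 /tn "update check" '
        r'/tr "C:\Users\alice\AppData\Roaming\updater.exe"',
    ),
    ProcessEvent(  # benign: admin tool registering a task under Program Files
        r"C:\Windows\explorer.exe",
        r"C:\Windows\System32\schtasks.exe",
        r'schtasks.exe /create /sc daily /tn "Backup" /tr "C:\Program Files\Backup\backup.exe"',
    ),
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe", "notepad.exe"),
]

if __name__ == "__main__":
    for cmd, why in triage(SAMPLE_EVENTS):
        print(f"ALERT {why}: {cmd}")
```

The two rules are deliberately independent: the first catches the macro's immediate child process even if the dropped file lands somewhere unexpected, the second catches the persistence artifact even when the task is registered by an intermediate process rather than directly by Excel. In a SIEM you would express the same logic against the process-creation event source and enrich it with the parent's own parent for triage.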
Many APT groups use social networks in targeted attacks, first building rapport with the intended victim and then passing off malicious files. For example, the Lazarus group arranged a job interview with an employee of a Chilean bank and then, during the Skype call, sent malware disguised as legitimate job-application software; this was enough to compromise the organization’s network. To detect such sophisticated attacks, you can use your SIEM together with the APT Framework: https://my.socprime.com/en/integrations/apt-framework-arcsight