A malicious campaign targeting organizations in the Middle East with a new backdoor malware has been spotted by security researchers.
Describing the activity in a Thursday advisory, Trend Micro researchers Mohamed Fahmy, Sherif Magdy and Mahmoud Zohdy have attributed it to the advanced persistent threat (APT) group the company refers to as APT34.
“The main goal is to steal users’ credentials. Even in [the] case of a password reset or change, the malware is capable of sending the new credentials to the threat actors,” reads the technical write-up.
Additionally, Fahmy, Magdy and Zohdy said that after analyzing the backdoor variant deployed as part of the new campaign, they found the malware had additional exfiltration techniques compared to previously studied variants.
In particular, the new malware could abuse compromised mailbox accounts and send stolen data from the internal mailboxes to external, attacker-controlled mail accounts.
“While not new as a technique, this is the first instance that APT34 used this for their campaign deployment,” reads the Trend Micro advisory.
From a technical standpoint, the attack infection flow started with a .Net dropper malware called MrPerfectInstaller, which was responsible for dropping four different files. These would then abuse Microsoft’s Password Filters to intercept and/or retrieve credentials from both domain users (domain controller) or local accounts (local computer) before exfiltrating them through legitimate mail traffic.
“The main backdoor function […] receives the valid domain credentials as an argument and uses it to log on to the Exchange Server and use it for data exfiltration purposes,” reads the advisory.
“The main function of this stage is to take the stolen password from the argument and send it to the attackers as an attachment in an email. We also observed that the threat actors relay these emails via government Exchange Servers using valid accounts with stolen passwords.”
According to TrendMicro, security teams can mistakenly tag the malware sample as safe due to the validity of both domains and mail credentials.
“It will take more experienced analysts to see that the domains abused [are] part of a bigger active directory domain ‘forest,’ which share a trust relationship […] to allow different government ministries or agencies to communicate.”
The APT34 threat group is not the only one targeting organizations in the region. Just weeks ago, a separate threat group discovered by TrendMicro was observed using Middle Eastern geopolitical-themed lures to distribute NjRAT.