An Iranian threat actor tracked as APT34 has been linked to a new phishing attack that leads to the deployment of a backdoor variant called SideTwist.
“APT34 has a high level of attack technology, can design different intrusion methods for different types of targets, and has supply chain attack capability,” NSFOCUS Security Labs said in a report released last week.
APT34, also known as Cobalt Gypsy, Hazel Sandstorm (formerly Europium), Helix Kitten and OilRig, has a proven track record of targeting telecommunications, government, defense, oil and financial services verticals in the Middle East since at least 2014 via spear-phishing lures that result in the deployment of various backdoors.
One of the key features of the hacking team is its ability to create new and updated tools to minimize the chances of detection and gain a foothold on compromised hosts for extended periods of time.
SideTwist was first documented as being used by APT34 in April 2021, with Check Point describing it as an implant capable of downloading/uploading files and executing commands.
The attack chain identified by NSFOCUS begins with a baited Microsoft Word document that embeds a malicious macro, which, in turn, extracts and launches a Base64-encoded payload stored in the file.
The payload is a variant of SideTwist compiled using GCC and establishes communication with a remote server (11.0.188(.)38) to receive further commands.
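The delivery step above (a macro pulling a Base64-encoded executable out of the document body) lends itself to a simple triage check. The following is an added example written for this page, not code from NSFOCUS or from the malware: it scans raw document or macro bytes for long Base64 runs, decodes them, and flags any that decode to a Windows PE image. The 200-character minimum run length and the constructed sample macro are assumptions.

```python
import base64
import re


def decode_candidates(data: bytes, min_len: int = 200):
    """Return (offset, decoded_bytes) for every long, valid Base64 run in data.

    Short runs are skipped: they are ordinary identifiers and strings, while an
    embedded payload is thousands of characters long. min_len is an assumed cutoff.
    """
    pattern = re.compile(rb"[A-Za-z0-9+/]{%d,}={0,2}" % min_len)
    found = []
    for m in pattern.finditer(data):
        try:
            decoded = base64.b64decode(m.group(0), validate=True)
        except ValueError:  # binascii.Error subclasses ValueError
            continue
        found.append((m.start(), decoded))
    return found


def looks_like_pe(blob: bytes) -> bool:
    """True if blob has the 'MZ' DOS stub and a 'PE\\0\\0' signature at e_lfanew."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(blob[0x3C:0x40], "little")
    return blob[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def triage(data: bytes):
    """Summarise each decoded Base64 run: where it sits, its size, and whether it is a PE."""
    return [
        {"offset": off, "size": len(dec), "pe": looks_like_pe(dec)}
        for off, dec in decode_candidates(data)
    ]


# Constructed sample: a minimal fake PE header (not a real executable) embedded
# as a Base64 string literal inside a VBA AutoOpen macro, mirroring the lure.
FAKE_PE = b"MZ" + b"\0" * 58 + (0x40).to_bytes(4, "little") + b"PE\0\0" + b"\0" * 200
SAMPLE_MACRO = (
    b'Sub AutoOpen()\nDim s As String\ns = "'
    + base64.b64encode(FAKE_PE)
    + b'"\nEnd Sub\n'
)

if __name__ == "__main__":
    for hit in triage(SAMPLE_MACRO):
        print(hit)
```

A hit with `"pe": True` inside a document that should contain only text is a strong signal worth escalating; decoded blobs can then be hashed and compared against known indicators.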
This development comes as Fortinet FortiGuard Labs captured a phishing campaign that spreads a new variant of Agent Tesla using a specially crafted Microsoft Excel document that exploits CVE-2017-11882, a six-year-old memory corruption vulnerability in the Microsoft Office Equation Editor, and CVE-2018-0802.
“Agent Tesla’s core module collects sensitive information from the victim’s device,” said security researcher Xiaopeng Zhang. “This information includes saved credentials of certain software, the victim’s keyboard input information, and screenshots.”
According to data shared by cybersecurity company Qualys, CVE-2017-11882 remains one of the most popular flaws to date, exploited by “467 malware, 53 malicious actors and 14 ransomware” and as recently as August 31, 2023.
It also follows the discovery of another phishing attack that uses ISO image file lures to launch malware strains such as Agent Tesla, LimeRAT, and Remcos RAT on infected hosts.