Iranian-Backed APT Group APT34: OILRIG
APT34 generally conducts cyber attacks in line with Iran's strategic interests in the Middle East, and Türkiye is therefore among its targets. The group is reported to have been active since 2014. In April 2019, a large amount of information about APT34 was leaked via Telegram.
Who is APT34?
APT34 is also known by names such as OILRIG, HELIX KITTEN and IRN2. The activity was initially tracked as two separate groups, APT34 and OILRIG, but they were merged because their operations overlapped. The cluster has been active in cyber espionage and attacks since 2014.
Which Countries Support APT34?
APT34 has been assessed as a group of Iranian origin because of its use of infrastructure linked to Iranian operations, the timing of its activity and its alignment with Iran's national interests. It has also attacked many organizations that were targeted by APT33, another group of Iranian origin. Taken together, and given the use of Iranian infrastructure, the group is considered to be operating on behalf of the Iranian government.
What are APT34's Target Sectors?
APT34's main targets are Middle Eastern countries, chosen in line with Iran's geopolitical position, economic needs and strategic interests. Türkiye is therefore among the group's targets. Beyond the Middle East, countries such as the USA, the UK and Germany are also targeted. By sector, the group has targeted institutions and organizations in:
- Finance
- Telecommunications
- Chemical industry
- Critical infrastructure systems
- Energy
- Government agencies
- Media
and has generally concentrated its activity in these areas.
What Malware Does APT34 Use?
Alongside legitimate tools that security professionals also use, APT34 employs a variety of backdoors. The group uses malware with different capabilities to maintain persistence on a target system or to move from one system to another.
TONEDEAF: A backdoor that communicates with the command and control (C&C or C2) server over HTTP to receive and execute commands.
VALUEVAULT: A tool for stealing credentials saved by the browser.
LONGWATCH: A keylogger, found on the C2 server under the name WinNTProgram.exe, that writes all keystrokes to a log.txt file.
PICKPOCKET: Present on the C2 server in both 64-bit and 32-bit variants, PICKPOCKET is a credential theft tool that dumps the user's website login credentials from Chrome, Firefox and Internet Explorer. The tool was previously observed in a Mandiant incident and has only been seen used by APT34 to date.
POWRUNER: A PowerShell script that sends and receives commands to and from the C2 server.
BONDUPDATER: A PowerShell backdoor first seen in November 2017 in an intrusion targeting a Middle Eastern government organization. An updated version was seen in August 2018 in a spear-phishing attack against a government organization.
QUADAGENT: It is a PowerShell backdoor used by APT34.
What Are the Attack Vectors Used by APT34?
Like every APT group, APT34 tends to reuse the same techniques against its targets, and these techniques form the group's characteristic fingerprint. The techniques commonly used in attacks carried out by OILRIG to date are given in the table below, mapped to MITRE ATT&CK tactics and technique IDs.
Tactic | Technique ID | Description |
---|---|---|
Discovery | T1087 | Ran `net user`, `net user /domain` and `net group "domain admins" /domain` to enumerate accounts on the target system. |
Discovery | T1046 | Used SoftPerfect Network Scanner and GOLDIRONY for network service scanning. |
Discovery | T1201 | Used net.exe in a script with `net accounts /domain` to retrieve the domain password policy. |
Discovery | T1069.001 | Used `net localgroup administrators` to find local administrators on compromised systems. |
Discovery | T1069.002 | Used `net group /domain`, `net group "domain admins" /domain` and `net group "Exchange Trusted Subsystem" /domain` to enumerate domain groups. |
Discovery | T1012 | Ran `reg query "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default"` on victims; this key lists the RDP destinations previously used from that account. |
Discovery | T1082, T1016, T1033, T1057 | Ran `hostname`, `systeminfo`, `ipconfig`, `whoami` and `tasklist` on victim machines. |
Discovery | T1049 | Ran `netstat -an` on a victim machine to list network connections. |
Discovery | T1007 | Ran `sc query` on a victim machine to gather information about services. |
Command and Control | T1071.001 | Used HTTP to communicate with its command and control servers. |
Command and Control | T1071.004 | Used DNS for command and control. |
Command and Control | T1573.002 | Used the Plink utility and other tools to create tunnels to C2 servers. |
Command and Control | T1008 | The ISMAgent malware falls back to DNS tunneling when it cannot reach the C2 server over HTTP. |
Command and Control | T1105 | Downloaded additional files to victim systems. |
Credential Access | T1110 | Used brute-force techniques to obtain credentials. |
Credential Access | T1003 | Used credential dumping tools such as LaZagne and Mimikatz to steal the credentials of accounts logged on to the compromised system and of Outlook Web Access accounts. |
Credential Access | T1555.003 | Used VALUEVAULT and PICKPOCKET to dump passwords saved in web browsers. |
Credential Access | T1552.001 | Used tools such as LaZagne to harvest credentials stored in files on compromised systems. |
Credential Access | T1056.001 | Used the keyloggers KEYPUNCH and LONGWATCH. |
Execution | T1059 | Used various types of scripts for execution. |
Execution | T1059.001 | Used PowerShell, including PowerShell launched from macros, to decode file contents and run commands. |
Execution | T1059.003 | Used macros to deliver malware such as QUADAGENT and OopsIE. |
Execution | T1204.002 | Delivered macro-enabled documents that required the target to click "Enable Content" before the payload would run. |
Execution | T1204.001 | Sent malicious links that required the target to click them. |
Execution | T1047 | Used WMI for execution. |
Defense Evasion | T1140 | APT34 macros ran a PowerShell command to decode file contents; the group also used certutil to decode base64-encoded files on victims. |
Defense Evasion | T1070.004 | Deleted files associated with its malicious code once they were no longer needed, to hinder antivirus detection. |
Defense Evasion | T1027 | Encrypted and encoded data in its malware, including with Base64. |
Defense Evasion | T1027.005 | Tested malware samples against antivirus products and modified them until they evaded detection. |
Defense Evasion | T1218.001 | Used a CHM payload to install and execute malware. |
Defense Evasion | T1078 | Used compromised credentials to access other systems on the victim's network. |
Exfiltration | T1048.003 | Exfiltrated data over FTP, separately from its primary DNS-based C2 channel. |
Initial Access | T1566.001 | Sent spear-phishing e-mails with malicious attachments from compromised and/or fake e-mail accounts. |
Initial Access | T1566.003 | Used LinkedIn to send phishing links. |
Persistence | T1133 | Used remote services such as VPN, Citrix and OWA to maintain access to an environment. |
Persistence | T1137.004 | Abused the Outlook Home Page feature for persistence, and used CVE-2017-11774 to roll back the patch designed to protect against Home Page abuse. |
Persistence | T1053.005 | Created scheduled tasks that run a VBScript to execute a payload on victim machines. |
Lateral Movement | T1021.004 | Used PuTTY, an SSH/Telnet client, to access compromised systems. |
Lateral Movement | T1021.001 | Used Remote Desktop Protocol (RDP) for lateral movement and to create tunnels into the environment. |
Collection | T1119 | Used automated collection to gather internal data. |
Collection | T1056.001 | Used the keyloggers KEYPUNCH and LONGWATCH. |
Collection | T1113 | Used a tool called CANDYKING to capture screenshots of the user's desktop. |
IOC Information for APT34
File hashes, domains and IP addresses associated with APT34's malware and infrastructure are listed below.
Files Related to APT34
File name | MD5 Hash |
---|---|
CVE-2017-11882 exploit document | A0E6933F4E0497269620F44A083B2ED4 |
b.txt | 9267D057C065EA7448ACA1511C6F29C7 |
v.txt/v.vbs | B2D13A336A3EB7BD27612BE7D4E334DF |
dUpdateCheckers.base | 4A7290A279E6F2329EDD0615178A11FF |
hUpdateCheckers.base | 841CE6475F271F86D0B5188E4F8BC6DB |
cUpdateCheckers.bat | 52CA9A7424B3CC34099AD218623A0979 |
dUpdateCheckers.ps1 | BBDE33F5709CB1452AB941C08ACC775E |
hUpdateCheckers.ps1 | 247B2A9FCBA6E9EC29ED818948939702 |
GoogleUpdateschecker.vbs | C87B0B711F60132235D7440ADD0360B0 |
CVE-2017-0199 exploit document | 63D66D99E46FB93676A4F475A65566D8 |
v7-hpserver.online.hta | E6AC6F18256C4DDE5BF06A9191562F82 |
dUpdateCheckers.base | 3C63BFF9EC0A340E0727E5683466F435 |
hUpdateCheckers.base | EEB0FF0D8841C2EBE643FE328B6D9EF5 |
cUpdateCheckers.bat | FB464C365B94B03826E67EABE4BF9165 |
dUpdateCheckers.ps1 | 635ED85BFCAAB7208A8B5C730D3D0A8C |
hUpdateCheckers.ps1 | 13B338C47C52DE3ED0B68E1CB7876AD2 |
googleupdateschecker.vbs | DBFEA6154D4F9D7209C1875B2D5D70D5 |
dupdatechecker.doc | D85818E82A6E64CA185EDFDDBA2D1B76 |
dupdatechecker.exe | C9F16F0BE8C77F0170B9B6CE876ED7FB |
v7-anyportals.hta | EAF3448808481FB1FDBB675BC5EA24DE |
dUpdateCheckers.base | 42449DD79EA7D2B5B6482B6F0D493498 |
hUpdateCheckers.base | A3FCB4D23C3153DD42AC124B112F1BAE |
dUpdateCheckers.ps1 | EE1C482C41738AAA5964730DCBAB5DFF |
hUpdateCheckers.ps1 | E516C3A3247AF2F2323291A670086A8F |
Domains Associated with APT34
Domain | Description |
---|---|
hxxp://mumbai-m[.]site | POWRUNER C2 |
hxxp://dns-update[.]club | Malware Staging Server |
proxycheker[.]pro | C2 |
hpserver[.]online | C2 |
anyportals[.]com | C2 |
IP Addresses Associated with APT34
IP Address | Description |
---|---|
46.105.221.247 | Has resolved mumbai-m[.]site & hpserver[.]online |
148.251.55.110 | Has resolved mumbai-m[.]site and dns-update[.]club |
185.15.247.147 | Has resolved dns-update[.]club |
145.239.33.100 | Has resolved dns-update[.]club |
82.102.14.219 | Has resolved ns2.dns-update[.]club & hpserver[.]online & anyportals[.]com |
94.23.172.164:80 | Malware Staging Server |
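The indicators in the three tables above are defanged (`hxxp`, `[.]`), so they cannot be compared with telemetry as written. As an added example, not part of the original page, the Python script below refangs the domains, splits the port-qualified IP, lower-cases the hashes and matches them against constructed sample DNS, connection and file events. The event records and host names are assumptions made for the example, and only a subset of the file hashes from the table is included.

```python
"""
Normalize the defanged APT34 indicators and match them against sample
telemetry. Example code added to this page; the indicators are the ones
listed in the tables above (hashes: a subset), the events are constructed.
"""
import re

RAW_DOMAINS = {
    "hxxp://mumbai-m[.]site": "POWRUNER C2",
    "hxxp://dns-update[.]club": "Malware staging server",
    "proxycheker[.]pro": "C2",
    "hpserver[.]online": "C2",
    "anyportals[.]com": "C2",
}
RAW_IPS = {
    "46.105.221.247": "resolved mumbai-m[.]site / hpserver[.]online",
    "148.251.55.110": "resolved mumbai-m[.]site / dns-update[.]club",
    "185.15.247.147": "resolved dns-update[.]club",
    "145.239.33.100": "resolved dns-update[.]club",
    "82.102.14.219": "resolved ns2.dns-update[.]club / hpserver[.]online / anyportals[.]com",
    "94.23.172.164:80": "Malware staging server",
}
RAW_HASHES = {
    "A0E6933F4E0497269620F44A083B2ED4": "CVE-2017-11882 exploit document",
    "9267D057C065EA7448ACA1511C6F29C7": "b.txt",
    "B2D13A336A3EB7BD27612BE7D4E334DF": "v.txt/v.vbs",
    "E6AC6F18256C4DDE5BF06A9191562F82": "v7-hpserver.online.hta",
    "C9F16F0BE8C77F0170B9B6CE876ED7FB": "dupdatechecker.exe",
}


def refang(indicator: str) -> str:
    """Turn a defanged URL/domain ('hxxp://x[.]y/path') into a bare lower-case hostname."""
    s = indicator.strip().lower()
    s = re.sub(r"^hxxps?://", "", s)
    s = s.replace("[.]", ".").replace("(.)", ".").replace("[dot]", ".")
    s = s.split("/")[0]
    return s.rstrip(".")              # DNS logs often carry a trailing dot


def build_ioc_index():
    domains = {refang(d): desc for d, desc in RAW_DOMAINS.items()}
    ips = {}
    for ip, desc in RAW_IPS.items():
        addr, _, port = ip.partition(":")
        ips[addr] = (int(port) if port else None, desc)   # None = any port
    hashes = {h.lower(): desc for h, desc in RAW_HASHES.items()}
    return domains, ips, hashes


def domain_hit(qname: str, domains):
    """Match the exact domain or any subdomain (ns2.dns-update.club -> dns-update.club)."""
    labels = refang(qname).split(".")
    for i in range(len(labels) - 1):   # never match a bare TLD
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None


def match_events(events):
    """Return (host, indicator type, indicator, description) for each match."""
    domains, ips, hashes = build_ioc_index()
    hits = []
    for ev in events:
        if ev["type"] == "dns":
            d = domain_hit(ev["query"], domains)
            if d:
                hits.append((ev["host"], "domain", d, domains[d]))
        elif ev["type"] == "conn":
            info = ips.get(ev["dst"])
            if info and (info[0] is None or info[0] == ev["dport"]):
                hits.append((ev["host"], "ip", ev["dst"], info[1]))
        elif ev["type"] == "file":
            h = ev["md5"].lower()
            if h in hashes:
                hits.append((ev["host"], "md5", h, hashes[h]))
    return hits


# Constructed sample telemetry (hypothetical hosts).
SAMPLE_EVENTS = [
    {"type": "dns", "host": "WS-FIN-07", "query": "ns2.dns-update.club."},
    {"type": "dns", "host": "WS-FIN-07", "query": "update.microsoft.com"},
    {"type": "conn", "host": "WS-FIN-07", "dst": "94.23.172.164", "dport": 80},
    {"type": "conn", "host": "WS-HR-02", "dst": "94.23.172.164", "dport": 443},
    {"type": "conn", "host": "WS-HR-02", "dst": "46.105.221.247", "dport": 443},
    {"type": "file", "host": "WS-FIN-07", "md5": "e6ac6f18256c4dde5bf06a9191562f82"},
    {"type": "file", "host": "WS-HR-02", "md5": "00000000000000000000000000000000"},
]

if __name__ == "__main__":
    for hit in match_events(SAMPLE_EVENTS):
        print(hit)
```

Port-qualified indicators such as `94.23.172.164:80` only fire on that port here; drop the port when building the index if you prefer broader (and noisier) matching. Several of the listed IPs are shared hosting or resolver addresses that have resolved the malicious domains, so an IP hit is a lead to pivot on, not a verdict by itself.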
Attack on Turkey by APT34
In October 2016 APT34 carried out a phishing attack against Türkiye. The group embedded malware in an Excel file and sent it to its targets by e-mail. When the Users.xls file is opened and macros are enabled, the victim is shown the following decoy document.
Webshell URLs used in the Türkiye attack:
APT34's Leaked Data
In April 2019, the source code of APT34's cyber espionage tools was leaked via Telegram by a group calling itself Lab Dookhtegan.
Lab Dookhtegan also claimed to have wiped data stored on servers used by APT34 members. The screenshots of leaked document contents below support the earlier attribution.
Middle East Attack targets:
Some attack tools:
Some Activities of APT34
May 2016: Attacked Middle Eastern countries with phishing e-mails that used malicious Office macros to install backdoors.
October 2016: Used the Helminth backdoor in attacks against Qatar, Turkey, Israel and the United States.
January 2017: Attacked Israeli financial and postal institutions by sending malware while impersonating Oxford University.
April 2017: Updated its attack tooling to evade antivirus detection. Researchers confirmed that the attacks were well organized and highly professional.
July 2017: Updated ISMAgent, a variant of the ISMDoor backdoor.
October 2017: Developed ISMInjector, an injector used to deliver and install the ISMAgent trojan.
December 2017: Attacked Middle Eastern countries using the Microsoft Office vulnerability CVE-2017-11882.
January 2018: Used OopsIE to attack insurance and financial institutions in the Middle East.
May 2018: Attacked Middle Eastern countries using the PowerShell backdoor QUADAGENT, and impersonated a government official using stolen username/password pairs.