
Iranian Backed APT Group APT34: OILRIG

APT34 is an Iranian group that generally conducts cyber attacks in accordance with strategic interests in the Middle East, and Türkiye is therefore among its targets. The group is reported to have been active since 2014. In April 2019, a large amount of information about APT34 was leaked via Telegram.

Who is APT34?

APT34 is also known by names such as OILRIG, HELIX KITTEN and IRN2. It was originally tracked as two separate groups, APT34 and OILRIG, but they were merged because of the overlap in their activities. The cluster is known to have been active in cyber espionage and attacks since 2014.

Which Countries Support APT34?

APT34 has been described as a hacker group of Iranian origin because of its use of infrastructure tied to Iranian operations, the timing of its activity, and its actions in line with Iran's national interests. It has also carried out attacks against many organizations that were also targeted by APT33, another group of Iranian origin. Taken together with its use of Iranian infrastructure, the group is considered to be working on behalf of the Iranian government.


What are APT34's Target Sectors?

The main targets of the APT34 group are Middle East countries; the group acts on a mission that is in line with Iran's geopolitical position, economic needs and strategic interests and that benefits Iran. Türkiye is therefore also among the targets of this hacker group. Outside the Middle East, countries such as the USA, England and Germany are also among APT34's targets. As a threat group, it has targeted institutions and organizations in sectors such as:

  • Finance
  • Telecommunications
  • Chemical industry
  • Critical infrastructure systems
  • Energy institutions
  • Government agencies
  • Media

and has generally directed its activities at these fields.

What Malware Does APT34 Use?

Alongside tools and software developed for other purposes and used by security professionals, APT34 also uses various backdoors. The group uses malware with different capabilities to maintain persistence on the target system or to move from one system to another.

TONEDAF: It is a backdoor that communicates with the Command and Control (C&C or C2) server via HTTP to receive and execute commands.

VALUEVAULT: It is a built-in browser credential theft tool.

LONGWATCH: It is hosted on the C&C server under the name WinNTProgram.exe. It is a keylogger that records all keystrokes to a log.txt file.

PICKPOCKET: Available on the server in both 64- and 32-bit variants, PICKPOCKET is a credential theft tool designed to dump users' website login credentials from Chrome, Firefox and Internet Explorer. The tool was previously observed in a Mandiant incident and has only been used by APT34 to date.

POWRUNER: It is a PowerShell script that sends commands to and receives commands from the C2 server.

BONDUPDATER: It is a PowerShell backdoor. It was first seen in a cyber incident targeting a Middle Eastern government organization in November 2017. In August 2018, an updated version was again observed in an attack that used spear-phishing e-mails against a government organization.

QUADAGENT: It is a PowerShell backdoor used by APT34.

What Are the Attack Vectors Used by APT34?

Like every APT group, APT34 uses a recurring set of vectors when attacking its targets, and these vectors are characteristic of the group. The attack vectors commonly used in cyber attacks carried out by OILRIG to date are given in the table below.

Discovery
  • T1087: APT34 frequently used the commands "net user", "net user /domain", "net group 'domain admins' /domain" and "net groups 'domain admins' /" to discover user accounts on the target system.
  • T1046: Used the SoftPerfect Network Scanner and GOLDIRONY tools for network-based discovery.
  • T1201: Used net.exe in a script with "net user /domain" to find the password policy of a domain.
  • T1069.001: Used "net groups administrators" to find local administrators on compromised systems.
  • T1069.002: Used "net group /domain", "net group 'domain admins' /domain" and "net group 'Exchange Trusted Subsystem' /domain" to find domain group permission settings.
  • T1012: Queried the registry on the victim machine with reg query against "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default".
  • T1082, T1016, T1033, T1057: Ran the hostname, systeminfo, ipconfig, whoami and tasklist commands on the victim machine.
  • T1049: Used the "netstat -an" command on a victim's machine to get a list of network connections.
  • T1007: Used "sc query" on a victim's machine to gather information about services.

Command and Control
  • T1071.001: Used an HTTP command and control server to execute APT34 commands.
  • T1071.004: Used DNS for command and control operations.
  • T1573.002: Used the Plink utility and other tools to create tunnels to C2 servers.
  • T1008: If the APT34 malware ISMAgent cannot reach the C2 server via HTTP, it falls back to a DNS tunneling mechanism.
  • T1105: Downloaded remote files to victim systems.

Credential Access
  • T1110: Used brute force techniques to obtain credentials.
  • T1003: Used credential dumping tools such as LaZagne and Mimikatz to steal the credentials of accounts logged into the compromised system and of Outlook Web Access.
  • T1555.003: Used tools called VALUEVAULT and PICKPOCKET to dump passwords from web browsers.
  • T1056.001: Used keylogging tools called KEYPUNCH and LONGWATCH.

Execution
  • T1059: Used various types of scripts for execution.
  • T1059.001: Used PowerShell scripts for execution, including a macro that runs a PowerShell command to decode file contents.
  • T1059.003: Used macros to deliver malware such as QUADAGENT and OopsIE.
  • T1204.002: Delivered macro-enabled documents that required targets to click the "Enable Content" button to activate the payload on the system.
  • T1204.001: Delivered malicious links to enable execution on the target system.
  • T1047: Used WMI for execution.

Defense Evasion
  • T1140: The APT34 macro executed a PowerShell command to decode file contents. The group also used certutil to decode base64-encoded files on victims.
  • T1070.004: After executing malicious code, APT34 deleted files associated with the code that were no longer needed, to bypass antivirus software.
  • T1027: Encrypted and encoded data in its malware, including the use of Base64.
  • T1027.005: Tested malware samples to determine AV detection and then modified the samples to ensure AV evasion.
  • T1078: Used compromised credentials to access other systems on a victim's network.

Exfiltration
  • T1048.003: Exfiltrated data via FTP, separately from the primary C2 channel over DNS.

Persistence
  • T1133: Uses remote services such as VPN, Citrix or OWA to maintain a foothold in an environment.
  • T1137.004: Abused the Outlook Home Page feature for persistence. Also used CVE-2017-11774 to roll back the initial patch designed to protect against Home Page abuse.
  • T1566.001: Using compromised and/or fake e-mail accounts, sent deceptive e-mails containing malicious attachments to potential victims.
  • T1566.003: Used LinkedIn to send phishing links.
  • T1053.005: Created scheduled tasks that run a VBScript to execute a payload on victim machines.
  • T1218.001: Used a CHM payload to install and execute malware.
  • T1552.001: Used compromised credentials to access other systems on a victim's network.

Lateral Movement
  • T1021.004: Used PuTTY, an SSH/Telnet program, to access compromised systems.
  • T1021.001: Used Remote Desktop Protocol (RDP) for lateral movement. The group also used RDP to create tunnels into the environment.

Collection
  • T1119: Used automated collection techniques to collect internal data.
  • T1056.001: Used keylogger tools called KEYPUNCH and LONGWATCH.
  • T1113: Has a tool called CANDYKING to capture screenshots of the user's desktop.
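The Discovery rows above describe a short burst of account, group, service and network enumeration commands from one host. The Python below, an added detection example that is not code from the original article, classifies process command lines into those discovery families and flags any host/user pair that runs several different families within a sliding window. It assumes process-creation telemetry (Sysmon Event ID 1 or Windows 4688) already normalized to ts/host/user/cmd fields; the sample events are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# One regex per discovery command family the table above attributes to APT34
# (T1087, T1069, T1201, T1082/T1016/T1033/T1057, T1049, T1007, T1012).
DISCOVERY_PATTERNS = {
    "net_user":     re.compile(r"\bnet1?(?:\.exe)?\s+user\b", re.I),
    "net_group":    re.compile(r"\bnet1?(?:\.exe)?\s+(?:local)?group", re.I),
    "netstat":      re.compile(r"\bnetstat(?:\.exe)?\s+-an\b", re.I),
    "sc_query":     re.compile(r"\bsc(?:\.exe)?\s+query\b", re.I),
    "reg_tsclient": re.compile(r"\breg(?:\.exe)?\s+query\b.*Terminal Server Client", re.I),
    "host_recon":   re.compile(r"\b(?:hostname|systeminfo|ipconfig|whoami|tasklist)(?:\.exe)?\b", re.I),
}

def classify(cmdline):
    # Set of discovery families a single process command line matches (may be empty).
    return {name for name, pat in DISCOVERY_PATTERNS.items() if pat.search(cmdline)}

def find_recon_bursts(events, window=timedelta(minutes=10), min_distinct=4):
    """Flag each (host, user) that ran at least min_distinct different discovery
    families inside one sliding window. Events: dicts with ts (ISO 8601), host, user, cmd."""
    by_actor = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        families = classify(e["cmd"])
        if families:
            by_actor[(e["host"], e["user"])].append((datetime.fromisoformat(e["ts"]), families))
    alerts = []
    for (host, user), seq in by_actor.items():
        for i, (start, _) in enumerate(seq):
            seen = set()
            for ts, families in seq[i:]:
                if ts - start > window:
                    break
                seen |= families
            if len(seen) >= min_distinct:   # one alert per actor is enough
                alerts.append((host, user, sorted(seen)))
                break
    return alerts

# Constructed sample events (not real telemetry): a recon burst on WS01 and a
# single benign ipconfig on WS02 that must not be flagged.
SAMPLE_EVENTS = [
    {"ts": "2024-03-01T09:00:05", "host": "WS01", "user": "j.doe", "cmd": "net user /domain"},
    {"ts": "2024-03-01T09:00:40", "host": "WS01", "user": "j.doe", "cmd": 'net group "domain admins" /domain'},
    {"ts": "2024-03-01T09:01:10", "host": "WS01", "user": "j.doe", "cmd": "whoami"},
    {"ts": "2024-03-01T09:02:30", "host": "WS01", "user": "j.doe", "cmd": "netstat -an"},
    {"ts": "2024-03-01T09:03:00", "host": "WS01", "user": "j.doe", "cmd": "sc query"},
    {"ts": "2024-03-01T11:15:00", "host": "WS02", "user": "admin", "cmd": "ipconfig /all"},
]
```

Tune `window` and `min_distinct` against a baseline of administrative activity before alerting on it; a single `ipconfig` or `whoami` is routine, the combination in quick succession is the signal.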

IOC Information for APT34

Information about APT34's malware, URL addresses, IP addresses and more is provided below.

Files Related to APT34

File name / MD5 hash:
  • CVE-2017-11882 exploit document: A0E6933F4E0497269620F44A083B2ED4
  • CVE-2017-0199 exploit document: 63D66D99E46FB93676A4F475A65566D8

Domains Associated with APT34

  • hxxp://mumbai-m[.]site: POWRUNER C2
  • hxxp://dns-update[.]club: Malware staging server

IP Addresses Associated with APT34

IP address / Explanation (the address values are not shown here):
  • resolved mumbai-m[.]site & hpserver[.]online
  • resolved mumbai-m[.]site and dns-update[.]club
  • resolved dns-update[.]club
  • resolved dns-update[.]club
  • resolved ns2.dns-update[.]club & hpserver[.]online & anyportals[.]com
  • Staging server

Attack on Turkey by APT34

In October 2016, APT34 carried out a phishing attack against Türkiye. It embedded malware in an Excel file and sent this file to its targets via e-mail. When the Users.xls file is opened and macros are enabled, the victim is shown the following fake document.

Below are the Webshell URL addresses in the Türkiye Attack:

APT34's Leaked Data

In April 2019, the source codes of APT34's cyber espionage tools were leaked via Telegram by a hacker group called Lab Dookhtegan.

Additionally, Lab Dookhtegan destroyed data stored on mainframes used by APT34 members. The screenshots of document contents below confirm that the earlier speculation was correct.

Middle East Attack targets:

Some attack tools:

Some Activities of APT34

May 2016: It has attacked Middle Eastern countries by sending phishing emails and exploiting the Office macro vulnerability to inject backdoors.

October 2016: It used the Helminth backdoor to attack Qatar, Turkey, Israel and the United States.

January 2017: It attacked Israeli financial and postal institutions by sending malware while posing as Oxford University.

April 2017: It has updated its attack vectors in order to bypass the detection systems of antivirus software. Researchers have confirmed that the attacks were well organized and highly professional.

July 2017: Updated the ISMAgent tool, a variant of ISMDoor, to provide a backdoor.

October 2017: It developed an agent injector, also known as ISMInjector, to distribute and install the ISMAgent trojan.

December 2017: It carried out attacks against Middle Eastern countries using the Microsoft Office vulnerability (CVE-2017-11882).

January 2018: It used OopsIE to attack insurance and financial institutions in the Middle East.

May 2018: It carried out attacks against Middle Eastern countries using the PowerShell backdoor QUADAGENT and impersonated a government official using stolen username/password pairs.

