Security experts from Intezer observed targeted attacks on a US-based research company that provides services to businesses and government organizations.
“Our researchers Paul Litvak and Michael Kajilolti have discovered a new campaign conducted by APT34 employing an updated
The experts believe that the attack was launched by the cyber-espionage group APT34 (aka
The recent campaign appears similar to the one observed by FireEye in July 2019, when hackers posed as a researcher from Cambridge to infect victims with three new pieces of malware.
According to Intezer, the attackers used a phishing document masquerading as an employee satisfaction survey for employees at the US government contractor Westat.
“The embedded VBA code unpacks a zip file into a temporary folder, extracts a “Client update.exe” executable file and installs it to “C:Users<User>valsClient update.exe”.” continues the analysis.
“Client update.exe” is actually a highly modified version of the TONEDEAF malware, which we named TONEDEAF 2.0. Finally, the crtt function creates a scheduled task “CheckUpdate” that runs the unpacked executable five minutes after being infected by it, as well as on future log-ons.”
Both pieces of malware used in this campaign (tracked as TONEDEAF 2.0 and VALUEVAULT 2.0) were also employed in the campaign observed in July 2019, but they include major changes that were developed for this specific attack.
The C2 domain (manygoodnews[.]com) is still active and was created 4 months ago. Experts added that a certificate was issued for the website just a month ago, a circumstance that suggests the campaign is still ongoing.
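A defender-side hunt for the indicators named above (the "CheckUpdate" scheduled task, the "Client update.exe" payload and the C2 domain), as an added example that is not from Intezer or the original article. It assumes scheduled tasks were exported with `schtasks /query /fo csv /v` (the sample keeps only three of its columns) and that DNS logs are whitespace-separated text; hostnames, paths and log lines are constructed.

```python
import csv
import io

# Indicators taken from the article; the C2 domain is stored defanged.
TASK_NAME = "checkupdate"
PAYLOAD_NAME = "client update.exe"
C2_DOMAIN = "manygoodnews[.]com".replace("[.]", ".")

def suspicious_tasks(schtasks_csv):
    """Return (host, task, command) for rows matching the task name or payload."""
    hits = []
    for row in csv.DictReader(io.StringIO(schtasks_csv)):
        task = (row.get("TaskName") or "").strip()
        if task == "TaskName":  # schtasks repeats the header row per task folder
            continue
        command = (row.get("Task To Run") or "").strip()
        leaf = task.rsplit("\\", 1)[-1].lower()  # drop the task folder prefix
        if leaf == TASK_NAME or PAYLOAD_NAME in command.lower():
            hits.append((row.get("HostName", ""), task, command))
    return hits

def c2_lookups(dns_lines):
    """Return log lines that query the C2 domain or one of its subdomains."""
    hits = []
    for line in dns_lines:
        for token in line.lower().split():
            name = token.rstrip(".")  # tolerate fully qualified names
            if name == C2_DOMAIN or name.endswith("." + C2_DOMAIN):
                hits.append(line)
                break
    return hits

# Constructed sample data (not from the article or from any real host).
SAMPLE_TASKS = (
    '"HostName","TaskName","Task To Run"\n'
    '"WS-01","\\Microsoft\\Windows\\Defrag\\ScheduledDefrag","%windir%\\system32\\defrag.exe -c"\n'
    '"HostName","TaskName","Task To Run"\n'
    '"WS-02","\\CheckUpdate","C:\\Users\\alice\\example\\Client update.exe"\n'
)
SAMPLE_DNS = [
    "2020-01-01T10:02:11Z WS-02 A manygoodnews.com.",
    "2020-01-01T10:02:15Z WS-01 A notmanygoodnews.com",
    "2020-01-01T10:03:40Z WS-02 A cdn.manygoodnews.com",
]

if __name__ == "__main__":
    print(suspicious_tasks(SAMPLE_TASKS))
    print(c2_lookups(SAMPLE_DNS))
```

The domain check compares whole labels, so a lookalike such as the constructed `notmanygoodnews.com` is not flagged while subdomains of the C2 domain are.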
The TONEDEAF backdoor communicates with its C&C via HTTP, but version 2.0 uses a revamped communication protocol. The new variant of the malware only implements shell execution capabilities.
TONEDEAF 2.0 was improved to evade detection and implements dynamic importing, string decoding, and a new technique to deceive its victims into believing it is a legitimate, broken app.
TONEDEAF 2.0 uses HTTP for C2 communication, but experts noticed it uses custom encoding and handshake mechanisms.
The experts believe that the attackers also employed the VALUEVAULT implant in this campaign; they noticed that a user from L
“This VALUEVAULT takes a more
Another piece of evidence collected by the researchers is that the document author’s version of Microsoft Excel has Arabic installed as the preferred language.
“The technical analysis of the new malware variants shows the group has been investing substantial effort in upgrading their tools in an attempt to stay undetected after being exposed, and it seems that effort is generally off,” concludes Intezer.
(SecurityAffairs – APT34, hacking)