In November 2018, researchers from Cisco Talos tracked and detailed a “DNSEspionage” campaign against targets in Lebanon and UAE. At the time of the report, the threat actor carried out a cyber espionage campaign by redirecting DNS traffic from domains owned by the Lebanon government to
In April 2019, Cisco Talos discovered evidence of the link between APT34 (
Experts from Cybaze/
In this campaign, the APT group may have compromised a Microsoft Exchange Server belonging to a Lebanon government entity, in fact, we found some evidence in the communication logic.
This new implant has some similarities with the samples of Karkoff involved in past campaigns, including:
Moreover, the new Karkoff implant implements a new reconnaissance logic in order to drop the final payload only to specific targets, gathering system information, the domain name, hostname and running Operating System.
A few hours before this report has been publicly disclosed, malware researchers at the Italian cyber security firm Telsy also published their analysis.
Both reports are related to the same sample, but let me suggest reading both analyses to have a clear vision of the threat actors and all the technical details related to the implant. The report published by Telsy is available here: LINK.
|Threat||APT34 Karkoff macro loader|
|Brief Description||Malicious Excel macro|
Table 1. Sample information
The Malware is an Excel Document with a malicious macro embedded. The following image (Fig:1) shows the highlights of the extracted code.
Fig.1. Malicious Macro: drop and execute monitor.exe
The macro extracts a custom base64 code from the body of the file and, after a decoding routine, it downloads an executable file into the following path “C:\Users\public\.Monitor\monitor.exe”. Persistence is assured by scheduling a new task named SystemExchangeService. The following image shows the task ubiety.
Fig.2.Persistence with SystemExchangeService
The extracted payload is summed up as follows: :
Fig.3.Static details of monitor.exe
The extracted payloads were not obfuscated at all. This made a simple and quick analysis.
As shown in the above figure, the creation date is on
Fig.4. details of compromised mail exchange server parameters
As the first step, as shown in Fig 4, the sample tries to connect to its own command and control server, which happens to be an Exchange mail server belonging to the Lebanon government. Once it connects, the C2 answers back with the list of available commands as attachments in a replied e-mail. Fig 5 shows the GetList function from where we might appreciate the
Following our analysis, we noticed the malware tries to connect back and forth to its C2 to get authorization and to share detailed information about the infected system. It used “UserAgent” of the exchange client. Fig 6 shows details on what is hijacked from the victim’s side.
Another evidence is the domain registration of the second command control: it has been registered on January, 27, probably indicating the date of the beginning of the new attack.
Fig.7. details of domain registration godoycrus[.com
APT34 is still active, and this campaign against the Lebanon government demonstrates it. The new version of the Karkoff malware is the demonstration that the Iran-linked APT34 cyberespionage group continues to improve its arsenal. The sample involved in this campaign implements new reconnaissance capabilities, it implements a covert and effective C2 communication channel through the use of the Microsoft Exchange Protocol.
The Group likely exploited or brute-forced a Lebanon related mail account with another tool of its arsenal, the JASON tool. The Jason tool was leaked at the end of 2019, it could be used by attackers to carry out bruteforce attacks on exchange servers.
Technical details about the Karkoff implant, including Indicators of Compromise (IoCs) and Yara rules, are reported in the analysis published by researchers at Cybaze-Yoroi