This blog post comes from “APT34’s New Backdoor: SideTwist Variant Technical Analysis” by the Brandefense Research Team. For more details about the analysis, download the report.
Summary
We examined the current variants of SideTwist, the backdoor that the Iranian state-sponsored threat actor APT34 (also known as OilRig) has been using in its attack campaigns since 2021, and describe their capabilities, purposes, and similarities with the original SideTwist malware.
The report also traces the continuity between APT34's past and present attack campaigns; the group operates mostly in the Middle East and focuses on espionage, including cyber espionage.
SideTwist is generally delivered through phishing campaigns and used to steal sensitive information from government institutions and to maintain access to compromised networks; at the same time, APT34 appears to be continuing to strengthen its arsenal and improve its capabilities.
Overview
| Filename | MyCV.doc |
|---|---|
| Filetype | MS Word Document |
| Written Language | N/A |
| MD5 | 64f8dfd92eb972483feaf3137ec06d3c |
| SHA1 | 3d71d782b95f13ee69e96bcf73ee279a00eae5db |
| SHA256 | 8a8a7a506fd57bde314ce6154f2484f280049f2bda504d43704b9ad412d5d618 |
| First Seen / Detection Date | 2023-07-08 |
| Initial Infection Vector | Phishing Email |

| Filename | Menorah.exe |
|---|---|
| Filetype | Win32 EXE |
| Written Language | .NET |
| MD5 | 868da692036e86a2dc87ca551ad61dd5 |
| SHA1 | c9d18d01e1ec96be952a9d7bd78f6bbb4dd2aa2a |
| SHA256 | 64156f9ca51951a9bf91b5b74073d31c16873ca60492c25895c1f0f074787345 |
| First Seen / Detection Date | 2023-07-08 |
| Initial Infection Vector | Phishing Document |

| Filename | GGMS Overview.doc |
|---|---|
| Filetype | MS Word Document |
| Written Language | N/A |
| MD5 | 056378877c488af7894c8f6559550708 |
| SHA1 | c9d18d01e1ec96be952a9d7bd78f6bbb4dd2aa2a |
| SHA256 | c2a0d899dd535d7cf0729b3307d054780985e0cebd21cca5614c1417225c86ee |
| First Seen / Detection Date | 2023-07-19 |
| Initial Infection Vector | Phishing Email |

| Filename | SystemFailureReporter.exe |
|---|---|
| Filetype | Win64 EXE |
| Written Language | C/C++ |
| MD5 | 5e0b8bf38ad0d8c91310c7d6d8d7ad64 |
| SHA1 | eb3a3fa719328e662d573774181cbd0bc1be1920 |
| SHA256 | 7b83ca04240ca8769eb0f01a873674aa2891a4aa702d5cf632e7ecc284c38bc9 |
| First Seen / Detection Date | 2023-06-16 |
| Initial Infection Vector | Phishing Document |
Similarities to SideTwist Backdoor
The similarities we detected in the file samples and campaign details from APT34's latest phishing campaigns are listed below. They are functional similarities spanning the threat actor's actions from initial entry into the target system via the phishing document to the final payloads that enable communication between the victim and the threat actor.
The SideTwist backdoor detected in 2021 was written in C and compiled with Microsoft Visual C/C++. Its second variant, although still C-based, was compiled with GCC and includes changes that extend its functionality. The Menorah variant differs greatly and was developed in .NET.
While the original SideTwist exposes only the /search/ URL path for the threat actor to interact with the target system, the second variant we examined also has a /getFile/ path. We did not observe either of these URL paths in the .NET variant detected under the name Menorah (…)
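As an added example (not code from the report or the Brandefense team), a small Python triage helper that flags proxy-log requests to the /search/ and /getFile/ paths named above and checks file hashes against the SHA256 values in the overview table; the log line layout, client addresses and hostnames are constructed assumptions.

```python
"""Triage helper: flag proxy-log requests whose URL path matches the
SideTwist C2 paths named in the analysis (/search/, /getFile/) and check
file hashes against the SHA256 values from the report's overview table."""
import hashlib
import re
from urllib.parse import urlsplit

# SHA256 values copied from the report's overview table.
KNOWN_SHA256 = {
    "8a8a7a506fd57bde314ce6154f2484f280049f2bda504d43704b9ad412d5d618": "MyCV.doc",
    "64156f9ca51951a9bf91b5b74073d31c16873ca60492c25895c1f0f074787345": "Menorah.exe",
    "c2a0d899dd535d7cf0729b3307d054780985e0cebd21cca5614c1417225c86ee": "GGMS Overview.doc",
    "7b83ca04240ca8769eb0f01a873674aa2891a4aa702d5cf632e7ecc284c38bc9": "SystemFailureReporter.exe",
}

# URL paths the report associates with the C-based variants (not the .NET one).
C2_PATHS = ("/search/", "/getFile/")

# Assumed log layout (constructed for this example): "<client> <method> <url> <status>".
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3})$")

def match_sha256(data: bytes):
    """Return the sample name if data's SHA256 is in the report's table, else None."""
    return KNOWN_SHA256.get(hashlib.sha256(data).hexdigest())

def flag_c2_paths(lines):
    """Return (client, host, path) for requests whose path starts with a known C2 path."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not follow the assumed layout
        client, _method, url, _status = m.groups()
        parts = urlsplit(url)
        if any(parts.path.startswith(p) for p in C2_PATHS):
            hits.append((client, parts.hostname, parts.path))
    return hits

# Constructed sample log lines; addresses and hostnames are placeholders.
SAMPLE_LOG = [
    "10.0.0.5 GET http://example.invalid/search/abc 200",
    "10.0.0.7 GET http://example.invalid/index.html 200",
    "10.0.0.5 GET http://example.invalid/getFile/x 200",
    "10.0.0.9 POST http://example.invalid/searchresults 200",
]

if __name__ == "__main__":
    for hit in flag_c2_paths(SAMPLE_LOG):
        print("C2-path hit:", hit)
```

A path match alone is a weak signal, since /search/ is a common path; treat hits as leads to corroborate with the file hashes, and remember the report did not observe these paths in the .NET Menorah variant.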
Mitigation Strategies
- Deploy robust antivirus and anti-malware solutions to detect and block malware like SideTwist. Ensure that these tools are regularly updated to recognize new threats.
- Educate employees about email phishing attacks, as these are common delivery methods for malware. Use email filtering and anti-phishing tools to block malicious emails.
- Conduct regular cybersecurity training for employees to teach them about the dangers of malware and how to recognize suspicious activities or emails.
- Use application whitelisting to allow only approved and known applications to run on your systems. This can prevent unauthorized and potentially malicious software from executing.
- Implement network monitoring and intrusion detection systems to detect and respond to malicious activity in real time.
Download YARA Rules and IoCs from GitHub.