Learn more about the advanced persistent threat group APT34

Threat Actor Profile

  • Suspected attribution: Iran
  • Active since: 2014
  • Aliases: OilRig, Helix Kitten, Evasive Serpens, Cobalt Gypsy, IRN2
  • Target sectors: Financial, government, energy and power, aerospace, chemical, and telecommunications
  • Target regions: Primarily Middle East
  • Associated malware: POWBAT, POWRUNER, BONDUPDATER
  • Methods: Zero-days, spearphishing, malware
  • Purpose: Cyberespionage, cyberwarfare

Overview

APT34 (also known as Helix Kitten or OilRig) is a threat group identified by CrowdStrike as Iranian. It operates primarily in the Middle East, targeting organizations across many industries in the region, including aerospace, energy, financial services, government, hospitality and telecommunications. In 2018, Helix Kitten actors were observed targeting entities mostly across the Middle East; the targets appeared to be located in Bahrain and Kuwait. These incidents involved spear-phishing attacks, a principal characteristic of Helix Kitten, with emails carrying malicious PowerShell in their macros that connected to known C2 infrastructure.
OilRig, Cobalt Gypsy, Helminth, APT34 and IRN2 are community names associated with this actor.

Motivations

APT34's attacks align with Iran's national interests, which are economic, geopolitical, military, financial and political. The cyber espionage campaigns conducted by this adversary group have increased alongside rising geopolitical tensions in the Middle East, pressing decision makers and key organizations that may hold information furthering Iran's economic and national security goals.
Infrastructure details containing references to Iran, the use of Iranian infrastructure, and targeting that aligns with nation-state interests led FireEye to assess that APT34 acts on behalf of the Iranian government.

Techniques

The APT34 group relies primarily on social engineering, exploiting people rather than software vulnerabilities. The group also uses custom DNS tunneling protocols for command and control (C2) and data exfiltration, custom web shells and backdoors to maintain persistent access to servers, and Microsoft Excel macros with PowerShell-based tooling to gain access to its targets. After OilRig gains access to a system, it uses credential dumping tools such as Mimikatz to steal the credentials of accounts logged into the compromised system.

📌 Some techniques used by the APT34 group according to MITRE ATT&CK:

  • Phishing:
    Spearphishing Attachment: OilRig has sent spearphishing emails with malicious attachments to potential victims using compromised and/or spoofed email accounts.
    Spearphishing Link: OilRig has sent spearphishing emails with malicious links to potential victims.
    Spearphishing via Service: OilRig has used LinkedIn to send spearphishing links.
  • Masquerading: The group has used .doc file extensions to mask malicious executables.
  • Remote Services (SSH): The group has used PuTTY to access compromised systems.
  • Drive-by Compromise: OilRig has been seen using watering hole attacks to collect credentials which could be used to gain access into ICS networks.
  • Brute Force: used to obtain credentials.
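Two of the behaviours described in this section, a macro launching PowerShell and DNS tunneling for C2, leave telemetry a defender can test for. The following is an added example, not code from the original post or from any APT34 tooling; it assumes process events arrive as dicts with `parent`, `image` and `cmdline` keys and DNS queries as `(client_ip, fqdn)` tuples, and it runs over constructed sample data.

```python
"""Added example (not from the original post or any APT34 tooling):
detection logic for two behaviours described in the Techniques section,
run over constructed sample telemetry. Assumed event schema: dicts with
'parent', 'image' and 'cmdline' keys for process events, and
(client_ip, fqdn) tuples for DNS queries."""
import base64
import math
import re
from collections import Counter, defaultdict

# Office applications that should rarely launch a script interpreter.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# -e / -enc / -EncodedCommand followed by a base64 blob.
ENCODED_CMD = re.compile(r"-e(?:nc(?:odedcommand)?)?\s+[A-Za-z0-9+/=]{20,}", re.I)


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def flag_office_child_process(events):
    """Return (event, reasons) for every script host spawned by an Office app;
    an encoded PowerShell command line adds a second reason."""
    hits = []
    for ev in events:
        if _basename(ev["parent"]) in OFFICE_PARENTS and _basename(ev["image"]) in SCRIPT_HOSTS:
            reasons = ["office-spawned-script-host"]
            if ENCODED_CMD.search(ev["cmdline"]):
                reasons.append("encoded-command")
            hits.append((ev, reasons))
    return hits


def shannon_entropy(s):
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def flag_dns_tunneling(queries, min_queries=5, min_label_len=30, min_entropy=3.5):
    """Group queries by registrable domain (assumed: the last two labels) and
    flag domains whose leftmost labels are long, high-entropy and rarely repeated,
    the shape DNS tunneling C2 traffic tends to have. Returns {domain: count}."""
    per_domain = defaultdict(list)
    for _client, fqdn in queries:
        labels = fqdn.rstrip(".").lower().split(".")
        if len(labels) < 3:
            continue
        per_domain[".".join(labels[-2:])].append(labels[0])
    flagged = {}
    for domain, subs in per_domain.items():
        suspicious = [s for s in subs if len(s) >= min_label_len and shannon_entropy(s) >= min_entropy]
        unique_ratio = len(set(subs)) / len(subs)
        if len(suspicious) >= min_queries and unique_ratio >= 0.9:
            flagged[domain] = len(suspicious)
    return flagged


# Constructed sample data. The encoded command is a harmless "Write-Host hello".
_ENC = base64.b64encode("Write-Host hello".encode("utf-16-le")).decode()
SAMPLE_PROCESS_EVENTS = [
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": f"powershell.exe -nop -w hidden -enc {_ENC}"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe Get-Process"},
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "image": r"C:\Windows\splwow64.exe",
     "cmdline": "splwow64.exe 12288"},
]
# Six unique 32-character hex labels (each hex digit twice: entropy 4.0 bits)
# under one constructed domain, plus ordinary lookups that should not be flagged.
_TUNNEL_LABELS = [
    "0123456789abcdef0123456789abcdef", "fedcba9876543210fedcba9876543210",
    "02468ace13579bdf02468ace13579bdf", "13579bdf02468ace13579bdf02468ace",
    "0a1b2c3d4e5f67890a1b2c3d4e5f6789", "9876543210fedcba9876543210fedcba",
]
SAMPLE_DNS_QUERIES = [("10.0.0.5", f"{lbl}.c2-example.test") for lbl in _TUNNEL_LABELS] + [
    ("10.0.0.5", "www.example.com"), ("10.0.0.5", "mail.example.com"),
    ("10.0.0.6", "cdn.example.com"), ("10.0.0.6", "example.org"),
]

if __name__ == "__main__":
    for ev, reasons in flag_office_child_process(SAMPLE_PROCESS_EVENTS):
        print("ALERT", reasons, ev["cmdline"][:60])
    print("DNS tunneling candidates:", flag_dns_tunneling(SAMPLE_DNS_QUERIES))
```

The process-chain rule is deliberately narrow (Office parent, script-host child) so it stays quiet on normal endpoints; the DNS heuristic needs a baseline per environment, since CDNs and some security products also emit long, high-entropy labels, so the thresholds are starting points rather than fixed values.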

📌 Software and malicious programs used by APT34:

  • BONDUPDATER: a PowerShell backdoor.
  • QUADAGENT: a PowerShell backdoor.
  • POWRUNER: a PowerShell script that sends and receives commands to and from the C2 server.
  • SEASHARPEE: a Web shell.
  • SideTwist: a C-based backdoor that has been used since at least 2021.
  • Helminth: a backdoor that has at least two variants - one written in VBScript and PowerShell that is delivered via macros in Excel spreadsheets, and one that is a standalone Windows executable.
  • LaZagne: a post-exploitation, open-source tool used to recover stored passwords on a system.
  • certutil: a command-line utility that can be used to obtain certificate authority information and configure Certificate Services.

Indicators of Compromise

📌 Network Indicators

185[.]56[.]91[.]61
46[.]165[.]246[.]196
46[.]4[.]69[.]52
185[.]236[.]76[.]80
185[.]236[.]77[.]17
146[.]112[.]61[.]108
23[.]106[.]215[.]76
95[.]168[.]176[.]172
172[.]241[.]140[.]238
23[.]19[.]226[.]69
38[.]132[.]124[.]153
176[.]9[.]164[.]215
88[.]99[.]246[.]174
190[.]2[.]142[.]59
103[.]102[.]44[.]181
217[.]182[.]217[.]122
hxxps://202[.]183[.]235[.]31/owa/auth/signout[.]aspx
hxxps://1[.]202[.]179[.]13/owa/auth/error1[.]aspx
hxxps://114[.]198[.]235[.]22/owa/auth/login[.]aspx
hxxps://209[.]88[.]89[.]35/owa/auth/logout[.]aspx
hxxps://mail[.]alfuttaim[.]ae/owa/auth/change_password[.]aspx
hxxps://email[.]ssc[.]gov[.]jo/owa/auth/signin[.]aspx
etc. …

📌 Endpoint Indicators (hashes of leaked hacking tools)
SHA256:

  • 27e03b98ae0f6f2650f378e9292384f1350f95ee4f3ac009e0113a8d9e2e14ed
  • b1d621091740e62c84fc8c62bcdad07873c8b61b83faba36097ef150fd6ec768
  • 2943e69e6c34232dee3236ced38d41d378784a317eeaf6b90482014210fcd459
  • 07e791d18ea8f2f7ede2962522626b43f28cb242873a7bd55fff4feb91299741
  • dd6d7af00ef4ca89a319a230cdd094275c3a1d365807fe5b34133324bdaa0229
  • 3ca3a957c526eaeabcf17b0b2cd345c0fffab549adfdf04470b6983b87f7ec62
  • c9d5dc956841e000bfd8762e2f0b48b66c79b79500e894b4efa7fb9ba17e4e9e
  • a6a0fbfee08367046d3d26fb4b4cf7779f7fb6eaf7e60e1d9b6bf31c5be5b63e
  • Fe1b011fe089969d960d2dce2a61020725a02e15dbc812ee6b6ecc6a98875392

Conclusion

Organizations should be aware of the techniques APT34 uses to target their systems, and should conduct phishing awareness training so that employees know how to spot and report suspected phishing attempts, protecting themselves and the company from adversaries like the APT34 group.
Indicators of compromise (IoCs) are the clues and evidence left behind during a cybersecurity incident. Threat hunting and threat intelligence teams in particular should hunt for these indicators, use them to confirm whether an attack has occurred, and deploy them in their Endpoint Detection and Response (EDR) tool to build cyber-defense strategies and help secure the environment against future attacks.
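Before the indicators above can be loaded into an EDR or SIEM, they need to be refanged (the `[.]` and `hxxp` substitutions undone), classified, and normalized; the list above also defangs inconsistently and mixes hash case, both of which silently break naive string matching. The following is an added example, not code from the original post: it parses a subset of the indicators exactly as they appear above and matches them against constructed sample proxy, DNS and EDR log lines.

```python
"""Added example (not from the original post): refang the defanged indicators
listed above, classify them, and match them against constructed sample log lines,
the way a hunt team would before loading them into an EDR or SIEM."""
import re
from urllib.parse import urlparse

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA256 = re.compile(r"\b[0-9a-fA-F]{64}\b")
HOSTNAME = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)


def refang(value):
    """Undo the usual defanging: [.] -> ., [:] -> :, hxxp -> http."""
    value = value.replace("[.]", ".").replace("[:]", ":")
    return re.sub(r"hxxp", "http", value, flags=re.I)


def parse_iocs(text):
    """Sort one indicator per line into ip / domain / url / sha256 sets.
    URL hosts are also added as ip or domain indicators; hashes are lower-cased."""
    iocs = {"ip": set(), "domain": set(), "url": set(), "sha256": set()}
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw or raw.lower().startswith("etc"):
            continue
        value = refang(raw)
        if SHA256.fullmatch(value):
            iocs["sha256"].add(value.lower())
        elif IPV4.fullmatch(value):
            iocs["ip"].add(value)
        elif value.lower().startswith(("http://", "https://")):
            iocs["url"].add(value)
            host = urlparse(value).hostname or ""
            (iocs["ip"] if IPV4.fullmatch(host) else iocs["domain"]).add(host.lower())
        else:
            iocs["domain"].add(value.lower())
    return iocs


def match_log_line(line, iocs):
    """Return the set of (type, value) indicators found in one log line."""
    found = set()
    found.update(("ip", ip) for ip in IPV4.findall(line) if ip in iocs["ip"])
    found.update(("sha256", h.lower()) for h in SHA256.findall(line) if h.lower() in iocs["sha256"])
    found.update(("domain", h.lower()) for h in HOSTNAME.findall(line) if h.lower() in iocs["domain"])
    return found


def scan_logs(lines, iocs):
    """Return [(line, matches)] for every line that contains at least one indicator."""
    results = []
    for line in lines:
        matches = match_log_line(line, iocs)
        if matches:
            results.append((line, matches))
    return results


# A subset of the indicators from this profile, exactly as they appear above
# (note the inconsistent defanging of the second IP and the mixed-case hash).
DEFANGED_IOCS = """
185[.]56[.]91[.]61
46[.]4.69[.]52
hxxps://202[.]183[.]235[.]31/owa/auth/signout[.]aspx
hxxps://mail[.]alfuttaim[.]ae/owa/auth/change_password[.]aspx
27e03b98ae0f6f2650f378e9292384f1350f95ee4f3ac009e0113a8d9e2e14ed
Fe1b011fe089969d960d2dce2a61020725a02e15dbc812ee6b6ecc6a98875392
etc ...
"""

# Constructed sample log lines (proxy, DNS and EDR style); only two should match.
SAMPLE_LOGS = [
    "2024-01-01T10:00:00Z proxy src=10.0.0.7 dst=185.56.91.61 url=https://185.56.91.61/owa/auth/signout.aspx",
    "2024-01-01T10:02:10Z dns client=10.0.0.9 query=www.example.com type=A",
    "2024-01-01T10:03:30Z edr host=WS01 file=C:\\Users\\a\\tool.exe "
    "sha256=FE1B011FE089969D960D2DCE2A61020725A02E15DBC812EE6B6ECC6A98875392",
    "2024-01-01T10:05:00Z proxy src=10.0.0.7 dst=93.184.216.34 url=https://example.com/",
]

if __name__ == "__main__":
    iocs = parse_iocs(DEFANGED_IOCS)
    for line, matches in scan_logs(SAMPLE_LOGS, iocs):
        print("HIT", sorted(matches), "<-", line[:50])
```

URL indicators are matched here through their host rather than the full path, because a C2 path such as `/owa/auth/signout.aspx` is generic and the operator can change it freely; the host and the file hash are the parts worth alerting on. Hash comparison is always done on the lower-cased value so that the mixed-case entry in the list still matches an EDR that reports upper-case hashes.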


“To beat a hacker, you have to think like a hacker” 💙
