A new malware strain, Menorah, has been attributed to APT34, an Iran-linked advanced persistent threat (APT) group known for covert cyber espionage, primarily in the Middle East. The group has once again surfaced, this time in a targeted phishing campaign.
Researchers from cybersecurity firm Trend Micro analysed the group’s activities and detected a malicious document used as part of a highly targeted phishing attack by APT34. This malicious document, named ‘MyCv.doc’, initially appeared to be a licence registration form related to the Seychelles Licensing Authority.
However, a significant detail emerged during the investigation: the document contained pricing information in Saudi Riyal, strongly suggesting that the intended victim was an organisation within the Kingdom of Saudi Arabia.
Upon closer analysis, researchers identified that the malicious document was responsible for deploying a new strain of malware dubbed ‘Menorah’. This malware, detected by the Trend Micro team as Trojan.W97M.SIDETWIST.AB, demonstrates that the group is constantly evolving its capabilities. The malware was purpose-built for cyber espionage and is capable of the following:
- Identifying the victim’s device
- Uploading or skimming files
- Downloading files to the victim’s device
- Executing shell commands
Infection routine and malware analysis
The infection chain begins with the malicious document, which drops a hardcoded malware payload onto the system when the victim opens it. This payload is then responsible for creating a scheduled task to ensure persistence.
Specifically, the malware drops a .NET-based executable named ‘Menorah.exe’ into the ‘%ALLUSERSPROFILE%\Office356’ directory and sets up a scheduled task called “OneDriveStandaloneUpdater” to execute Menorah.exe at specified intervals.
Compared to the previous variants of SideTwist malware associated with APT34, this new variant exhibits improved evasion techniques. It performs a specific argument check during execution to confirm it is running as intended and to detect an analysis environment such as a sandbox. If such an environment is detected, the malware terminates itself.
The malware communicates with a command and control (C&C) server, which was identified as http[:]//tecforsc-001-site1[.]gtempurl.com/ads.asp. It creates a timer to facilitate communication with the C&C server at regular intervals.
Additionally, the malware generates a unique fingerprint for the compromised system by combining the machine name and username, encoding it in various ways and sending it to the C&C server in HTTP requests.
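The persistence and C&C artifacts described above (the ‘Office356’ drop directory, the ‘OneDriveStandaloneUpdater’ task and the C&C host) can be hunted for in exported endpoint telemetry. The following is an added detection example, not code from Trend Micro’s report; the JSON event schema and sample records are constructed, and %ALLUSERSPROFILE% is assumed to expand to C:\ProgramData.

```python
"""Added example: flag the Menorah persistence and C&C artifacts named in the
article in newline-delimited JSON endpoint events (constructed schema)."""
import json
import re

# Indicators from the article. %ALLUSERSPROFILE% assumed to expand to C:\ProgramData;
# the C&C host is the article's defanged URL with the brackets removed.
TASK_NAME = "onedrivestandaloneupdater"
DROP_PATH_RE = re.compile(r"\\programdata\\office356\\menorah\.exe$", re.IGNORECASE)
C2_HOST = "tecforsc-001-site1.gtempurl.com"


def classify(event: dict) -> list:
    """Return the indicator labels an event matches; an empty list means no match."""
    hits = []
    kind = event.get("type")
    if kind == "task_create":        # scheduled-task registration (e.g. Security 4698)
        if event.get("task_name", "").lower() == TASK_NAME:
            hits.append("task-name")
        if DROP_PATH_RE.search(event.get("command", "")):
            hits.append("task-action-path")   # the name alone could collide; path confirms
    elif kind == "file_create":      # file write (e.g. Sysmon Event ID 11)
        if DROP_PATH_RE.search(event.get("path", "")):
            hits.append("dropped-exe")
    elif kind == "dns_query":        # DNS lookup (e.g. Sysmon Event ID 22)
        if event.get("query", "").lower().rstrip(".") == C2_HOST:
            hits.append("c2-dns")
    return hits


def scan(jsonl: str) -> list:
    """Scan JSON-lines telemetry; return (line_no, hits) for matching events only."""
    findings = []
    for no, line in enumerate(jsonl.splitlines(), 1):
        if line.strip():
            hits = classify(json.loads(line))
            if hits:
                findings.append((no, hits))
    return findings


# Constructed sample telemetry: two benign events plus the three Menorah artifacts.
SAMPLE_EVENTS = "\n".join([
    '{"type":"task_create","task_name":"Adobe Acrobat Update Task","command":"C:\\\\Program Files\\\\Adobe\\\\AdobeUpdater.exe"}',
    '{"type":"file_create","path":"C:\\\\ProgramData\\\\Office356\\\\Menorah.exe"}',
    '{"type":"task_create","task_name":"OneDriveStandaloneUpdater","command":"C:\\\\ProgramData\\\\Office356\\\\Menorah.exe"}',
    '{"type":"dns_query","query":"login.microsoftonline.com"}',
    '{"type":"dns_query","query":"tecforsc-001-site1.gtempurl.com"}',
])

if __name__ == "__main__":
    for no, hits in scan(SAMPLE_EVENTS):
        print(f"line {no}: {', '.join(hits)}")
```

Matching on the task name alone is weak on its own; the action path into the ‘Office356’ directory and the C&C lookup are the stronger signals to pivot on.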
While the techniques and infection chain are not as sophisticated as those seen in the group’s previous attacks, they remain effective.