Threat Watch

Iran-Linked APT Using LinkedIn to Spread Malware

APT34: The Iran-linked APT34, a group specializing in cyber-espionage, has been tied to a new attack style that uses the professional networking site LinkedIn to spread malware. The group has carefully crafted LinkedIn accounts and pages, posing as security researchers to gain the trust of other users. Once it has earned the trust of a connection, the group shares malicious documents and links, tricking the connection into opening them and thus infecting the victim. The malware in use includes three new families and a reappearance of the Pickpocket malware, which APT34 has used in the past. The group opened by asking targets for resumes for potential job openings, then moved on to delivering the malware through LinkedIn's messaging feature, where it was seen shared as a file named ERFT-Details.xls. Tonedeaf, one of the newly observed families, communicates with a single command-and-control server over HTTP GET and POST requests and can collect system information, upload and download files, and execute arbitrary shell commands. The other families observed were Longwatch and ValueVault, alongside the Pickpocket variant, which serves as a browser credential-theft tool.

ANALYST NOTES

With Iran working to advance its cyber-warfare capabilities, it is likely that we will continue to see Iranian groups release new malware and adopt less commonly used channels, such as professional networking sites, to deliver it.