APT34 is an Iranian threat actor that targets both the business sector and government networks. APT34 leverages advanced social engineering exploits for convincing users into compromising their systems, after which, the group deploys backdoor Trojans and supporting spyware. Affected users should disable network connections and delete threats related to APT34 with dedicated anti-malware tools as soon as possible.
Masking Crime with Job Opportunities
E-mail is a much-trafficked infection vector for any state-sponsored group of hackers, as per the histories of well-known entities like APT33, APT10, and North Korea's Lazarus Group. APT34, an Iran-based threat actor, is showing one of the ways criminals can circumvent e-mail security: switching to social networks. Although the platform change is unusual, the tactic is one of the usual ones – fake job offers from an 'industry insider.'
The tactic begins with a fraudulent LinkedIn page for a known lecturer at Cambridge University, with the website's messaging system serving as the means of contact between APT34's tactic artist and the victims. Solicitations for resumes segue into download links for a corrupted Excel spreadsheet that Tonedeaf – a traditional backdoor Trojan. The infection positions APT34 better for gaining control over the system and dropping more-specialized threats, such as data-stealing spyware.
APT34's toolkit includes more than just Tonedeaf, however. Malware experts note that this group is familiar with the deployment of both third-party and custom Trojans. Some examples include Pickpocket, which collects Web-browsing information, the ValueVault password-dumper and the LongWatch keylogger.
Staying Off the Phishing Hook
Phishing tactics are a universal means of turning psychological warfare into its digital equivalent. Users can render themselves less at risk by learning about the traditional formats and lures of these attacks, which can employ, as APT34 shows, victim-specific, hand-crafted content. Malware researchers also advise implementing general security measures against these attacks, regardless of how they arrive. Such steps include:
- Updating software with appropriate security fixes will cut off many, if not all, vulnerabilities that corrupted documents, spreadsheets, and other files can leverage against you.
- Disabling macros and leaving them inactive will eliminate most opportunities involving the misuse of concealed scripts for drive-by-download attacks.
- Users should double-check links for potential obfuscation, such as 'shortening,' which can obscure the identity of a corrupted website. Typo-squatting, or using a domain that's similar to a legitimate one (such as 'Yotuube.com' versus 'Youtube.com') is another, possible tactic.
APT34 infections can lead to attackers downloading additional files, initiating system commands through a shell interface, and other risks. Users should, accordingly, disconnect from the Internet and disinfect their PCs with compatible anti-malware services at the first opportunity.
As more and more users learn the importance of regarding e-mails with due consideration, criminals adapt to alternate avenues for their attacks. Whether you're getting a file from a social network, an e-mail, or a torrent, its safety is always a factor worth considering.
Use SpyHunter to Detect and Remove PC Threats
If you are concerned that malware or PC threats similar to APT34 may have infected your computer, we recommend you start an in-depth system scan with SpyHunter. SpyHunter is an advanced malware protection and remediation application that offers subscribers a comprehensive method for protecting PCs from malware, in addition to providing one-on-one technical support service.
Why can't I open any program including SpyHunter? You may have a malware file running in memory that kills any programs that you try to launch on your PC. Tip: Download SpyHunter from a clean computer, copy it to a USB thumb drive, DVD or CD, then install it on the infected PC and run SpyHunter's malware scanner.