
APT34

Posted: July 26, 2019

APT34 is an Iranian threat actor that targets both the business sector and government networks. APT34 leverages advanced social engineering to convince users into compromising their own systems, after which the group deploys backdoor Trojans and supporting spyware. Affected users should disable network connections and delete threats related to APT34 with dedicated anti-malware tools as soon as possible.

Masking Crime with Job Opportunities

E-mail is a much-trafficked infection vector for any state-sponsored group of hackers, as per the histories of well-known entities like APT33, APT10, and North Korea's Lazarus Group. APT34, an Iran-based threat actor, is showing one of the ways criminals can circumvent e-mail security: switching to social networks. Although the platform change is unusual, the tactic is one of the usual ones – fake job offers from an 'industry insider.'

The tactic begins with a fraudulent LinkedIn page for a known lecturer at Cambridge University, with the website's messaging system serving as the means of contact between APT34's tactic artist and the victims. Solicitations for resumes segue into download links for a corrupted Excel spreadsheet that drops Tonedeaf – a traditional backdoor Trojan. The infection positions APT34 better for gaining control over the system and dropping more-specialized threats, such as data-stealing spyware.

APT34's toolkit includes more than just Tonedeaf, however. Malware experts note that this group is familiar with the deployment of both third-party and custom Trojans. Some examples include Pickpocket, which collects Web-browsing information, the ValueVault password-dumper and the LongWatch keylogger.

Staying Off the Phishing Hook

Phishing tactics are a universal means of turning psychological warfare into its digital equivalent. Users can render themselves less at risk by learning about the traditional formats and lures of these attacks, which can employ, as APT34 shows, victim-specific, hand-crafted content. Malware researchers also advise implementing general security measures against these attacks, regardless of how they arrive. Such steps include:

  • Updating software with appropriate security fixes will cut off many, if not all, vulnerabilities that corrupted documents, spreadsheets, and other files can leverage against you.
  • Disabling macros and leaving them inactive will eliminate most opportunities involving the misuse of concealed scripts for drive-by-download attacks.
  • Users should double-check links for potential obfuscation, such as 'shortening,' which can obscure the identity of a corrupted website. Typo-squatting, or using a domain that's similar to a legitimate one (such as 'Yotuube.com' versus 'Youtube.com'), is another possible tactic.
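The link check in the last bullet can be automated. The following is an added example, not code from the original article: it flags links that resolve to a public URL shortener and links whose host is within a small edit distance of a trusted domain (the 'Yotuube.com' case above). The KNOWN_GOOD and SHORTENERS sets are constructed for illustration, and the host handling is a simplification that does not consult the Public Suffix List.

```python
from urllib.parse import urlparse

# Constructed allowlist of domains the reader actually expects links to point at.
KNOWN_GOOD = {"youtube.com", "linkedin.com", "cam.ac.uk"}
# Constructed, hypothetical list of public URL-shortener hosts used to flag 'shortened' links.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; a swapped pair like 'tu' -> 'ut' counts as 2."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def host_of(url: str) -> str:
    """Lower-cased host with a leading 'www.' removed (simplification: no PSL lookup)."""
    host = (urlparse(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def classify_link(url: str, max_distance: int = 2) -> str:
    """Return 'ok', 'shortened', 'typosquat' or 'unknown' for one link."""
    host = host_of(url)
    # Exact match or a subdomain of a trusted domain is accepted.
    if host in KNOWN_GOOD or any(host.endswith("." + g) for g in KNOWN_GOOD):
        return "ok"
    if host in SHORTENERS:
        return "shortened"
    # A host that is almost, but not exactly, a trusted domain is the typo-squat pattern.
    if any(0 < levenshtein(host, g) <= max_distance for g in KNOWN_GOOD):
        return "typosquat"
    return "unknown"


if __name__ == "__main__":
    for link in ("https://www.youtube.com/watch?v=x", "http://Yotuube.com/login",
                 "https://bit.ly/abc", "https://linkedln.com/in/someone"):
        print(f"{link:40} -> {classify_link(link)}")
```

'shortened' and 'typosquat' are both reasons to resolve or inspect a link before opening it, while 'unknown' only means the host is not on the allowlist.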

APT34 infections can lead to attackers downloading additional files, initiating system commands through a shell interface, and other risks. Users should, accordingly, disconnect from the Internet and disinfect their PCs with compatible anti-malware services at the first opportunity.

As more and more users learn the importance of regarding e-mails with due consideration, criminals adapt to alternate avenues for their attacks. Whether you're getting a file from a social network, an e-mail, or a torrent, its safety is always a factor worth considering.
