An advanced persistent threat (APT) group with ties to Iran has refreshed its malware toolset to include a new backdoor dubbed Marlin as part of a long-running espionage campaign that started in April 2018.
Slovak cybersecurity company ESET attributed the attacks — code named Out to Sea — to a threat actor called OilRig (aka APT34), while also conclusively connecting its activities to a second Iranian group tracked under the name Lyceum (Hexane aka SiameseKitten).
“Victims of the campaign include diplomatic organizations, technology companies, and medical organizations in Israel, Tunisia, and the United Arab Emirates,” ESET noted in its T3 2021 Threat Report shared with The Hacker News.
Active since at least 2014, the hacking group is known to strike Middle Eastern governments and a variety of business verticals, including chemical, energy, financial, and telecommunications. In April 2021, the actor targeted a Lebanese entity with an implant called SideTwist, while campaigns previously attributed to Lyceum have singled out IT companies in Israel, Morocco, Tunisia, and Saudi Arabia.
The Lyceum infection chains are also notable for the fact that they have evolved to drop multiple backdoors since the campaign came to light in 2018 — beginning with DanBot and transitioning to Shark and Milan in 2021 — with attacks detected in August 2021 leveraging a new data collection malware called Marlin.
The changes do not stop there. In what’s a significant departure from traditional OilRig TTPs, which have involved the use of DNS and HTTPS for command-and-control (C&C) communications, Marlin makes use of Microsoft’s OneDrive API for its C2 operations.
ESET noted that the initial access was made via spear-phishing and remote access software such as ITbrain, TeamViewer and ITbrain. They also cited similar tools and techniques between OilRig and Lyceum’s backdoors as being “too many and too specific.” “
“The ToneDeaf Backdoor communicated primarily with its C&C via HTTP/S, but also included a secondary communication method called DNS tunneling which doesn’t work properly,” researchers stated. “Shark has similar symptoms, where its primary communication method uses DNS but has a non-functional HTTP/S secondary option. “
ToneDeaf, which supports collecting system information, uploading and downloading of files, and arbitrary shell command execution, is a malware family that was deployed by the APT34 actor targeting a broad range of industries operating in the Middle East in July 2019.
Additionally the results pointed out that DNS was used as both a C&C communication channel and HTTP/S as secondary communication. They also indicated the overlap in the usage of HTTP/S and HTTP/S.