A spear-phishing operation targeting Jordan’s foreign minister has been seen dropping a stealthy backdoor called Saitama.
Researchers from Malwarebytes and Fortinet FortiGuard Labs attributed the campaign to an Iranian cyber espionage threat actor tracked under the moniker APT34, citing resemblances to past campaigns staged by the group.
“Like many of these attacks, the email contained a malicious attachment,” Fortinet researcher Fred Gutierrez said. “However, the attached threat was not a garden-variety malware. Instead, it had the capabilities and techniques usually associated with advanced persistent threats (APTs). “
APT34, also known as OilRig, Helix Kitten, and Cobalt Gypsy, is known to be active since at least 2014 and has a track record of striking telecom, government, defense, oil, and financial sectors in the Middle East and North Africa (MENA) via targeted phishing attacks.
ESET linked the group earlier this February to an ongoing intelligence gathering operation that aimed at technology companies and diplomatic organisations in Israel, Tunisia and the United Arab Emirates.
The newly observed phishing message contains a weaponized Microsoft Excel document, opening which prompts a potential victim to enable macros, leading to the execution of a malicious Visual Basic Application (VBA) macro that drops the malware payload (“update.exe”).
An additional task is added by the macro to establish persistence of the implant. It repeats every four hours.
A .NET-based binary, Saitama leverages the DNS protocol for its command-and-control (C2) communications as part of an effort to disguise its traffic, while employing a “finite-state machine” approach to executing commands received from a C2 server.
“In the end, this basically means that this malware is receiving tasks inside a DNS response,” Gutierrez explained. DNS tunneling, as it’s called, makes it possible to encode the data of other programs or protocols in DNS queries and responses.
In the final stage, the results of the command execution are subsequently sent back to the C2 server, with the exfiltrated data built into a DNS request.
“With the amount of work put into developing this malware, it does not appear to be the type to execute once and then delete itself, like other stealthy infostealers,” Gutierrez said.
“Perhaps this is to prevent behavioral detections from being triggered, the malware does not provide any persistence options. Instead, it relies on the Excel macro to create persistence by way of a scheduled task. “