A .NET dropper called MrPerfectInstaller is responsible for dropping four different files; each component is stored as a Base64 buffer inside the main dropper.

Microsoft introduced Password Filters so that system administrators can enforce password policies and receive password-change notifications. Because the Local Security Authority hands every registered filter DLL the new password in cleartext at change time, a threat actor can abuse the same mechanism to intercept or retrieve the credentials of domain users or local accounts. A malicious filter lets the actor capture and harvest every password on the compromised machine, including passwords set after the initial compromise: since each change from an old password to a new one passes through the registered filter DLL, the malware records the new value as well.

In the first step, the malware initializes an ExchangeService object; in the second step it supplies the stolen credentials as WebCredentials to interface with the victim's mail server.

APT34 has been documented targeting organizations worldwide, particularly companies in the financial, government, energy, chemical, and telecommunications industries in the Middle East, since at least 2014. Documented as a group primarily engaged in cyberespionage, APT34 has previously been recorded targeting government offices and shows no sign of stopping its intrusions. Our continuous monitoring of the group shows that it continues to create new and updated tools to minimize detection of its arsenal. Across three previously documented attacks, we observed that while the group relies on simple malware families, these deployments demonstrate its flexibility in writing new malware tailored to the researched target environment and the level of access obtained.

The newer backdoor adds support for stealing the new passwords of previously compromised users who have since changed them, ensuring that their legitimate accounts stay compromised. Finding a compromised account from one entity inside a sample sourced from a different agency indicates that APT34 now has a deep foothold in the government domain forest.
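A practical check for the password-filter abuse described above is to audit which DLLs the LSA will load as notification packages. The following PowerShell script is an added example and is not code from the Trend Micro article or from the APT34 samples; it reads the "Notification Packages" value that Windows uses to register password filters, verifies that each listed DLL exists in System32 and carries a valid Microsoft signature, and pulls recent Security event 4614 entries (logged when the LSA loads a notification package). The `$KnownGood` baseline is an assumption for a stock domain controller and should be replaced with your own build's list.

```powershell
# Added example (not from the article): audit LSA password filters on this host.
# Windows loads every name in the REG_MULTI_SZ value "Notification Packages"
# from %SystemRoot%\System32 at boot and passes each one the cleartext password
# on every change, which is the mechanism the APT34 component abuses.
# Run from an elevated PowerShell session.

# Assumed baseline for a stock domain controller; adjust to your own image.
$KnownGood = @('scecli')

function Get-LsaNotificationPackages {
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
                            -Name 'Notification Packages' -ErrorAction Stop
    # REG_MULTI_SZ is exposed as a string array; entries are DLL names without ".dll"
    return @($lsa.'Notification Packages')
}

function Test-PasswordFilter {
    param([Parameter(Mandatory)][string]$Name)
    $path = Join-Path $env:SystemRoot "System32\$Name.dll"
    $result = [ordered]@{
        Name      = $Name
        Path      = $path
        Exists    = Test-Path -LiteralPath $path
        Signature = 'N/A'
        Signer    = ''
        Baseline  = ($KnownGood -contains $Name)
    }
    if ($result.Exists) {
        # Get-AuthenticodeSignature also honours catalog signatures, so stock
        # Microsoft DLLs in System32 report Status 'Valid'.
        $sig = Get-AuthenticodeSignature -FilePath $path
        $result.Signature = $sig.Status.ToString()
        if ($sig.SignerCertificate) { $result.Signer = $sig.SignerCertificate.Subject }
    }
    [pscustomobject]$result
}

$findings = Get-LsaNotificationPackages | ForEach-Object { Test-PasswordFilter -Name $_ }
$findings | Format-Table -AutoSize

# Anything outside the baseline, unsigned, missing from disk, or signed by a
# non-Microsoft certificate is worth pulling for analysis.
$suspicious = $findings | Where-Object {
    -not $_.Baseline -or -not $_.Exists -or
    $_.Signature -ne 'Valid' -or $_.Signer -notmatch 'Microsoft'
}
if ($suspicious) {
    Write-Warning 'Unexpected password filter(s) registered:'
    $suspicious | Format-Table Name, Path, Signature, Signer -AutoSize
}

# Corroborate with the Security log: event 4614 records each notification
# package the LSA loaded, so a freshly registered DLL appears here after reboot.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4614 } `
             -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, @{ n = 'Package'; e = { $_.Properties[0].Value } }
```

Run it on domain controllers first, since that is where a password filter sees every domain password change; a filter name that is not in the image baseline, or a DLL whose signature status is anything other than Valid from Microsoft, is the indicator to chase. Removing the entry from the registry value is not enough on its own: the DLL stays loaded in lsass.exe until the host reboots.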
Following the stages executed, APT34's repeated use of the Saitama backdoor technique in the first stage indicates a confidence that even this dated malware's technique will continue to work and initiate compromise.
This Cyber News was published on www.trendmicro.com. Publication date: Thu, 02 Feb 2023 05:20:03 +0000