In a recent report by Trend Micro, it has been revealed that the Advanced Persistent Threat group, APT34, has once again made headlines in the cybersecurity landscape. This time, the group has deployed a new malware variant, named "Menorah," in a sophisticated phishing attack. This article aims to provide an in-depth analysis of this new development, its implications, and the broader context within which APT34 operates. For a more detailed technical breakdown, we highly recommend heading over to Trend Micro's full report.
The Malware: An Introduction to Menorah
The latest malware variant from APT34, Menorah, is a multi-faceted tool designed for cyber espionage. Unlike its predecessors, Menorah has been engineered to perform a variety of functions, including machine identification, file reading and uploading, as well as the downloading of additional malware or files. Written primarily in .NET, Menorah also includes a scheduled task feature to ensure its persistence on targeted systems.
Operational Mechanism of Menorah
The operational intricacies of Menorah are worth noting for their sophistication and effectiveness. When a user opens the malicious document, usually delivered via a phishing email, Menorah initiates its first phase of attack by dropping a hardcoded malware file into a specific directory on the target machine. This directory is
%ALLUSERSPROFILE%\Office356, a location that may appear innocuous to most users and system administrators, thereby reducing the likelihood of immediate detection.
Once the malware is securely placed in this directory, Menorah takes an additional step to ensure its long-term presence on the infected system. It creates a scheduled task named "OneDriveStandaloneUpdater," which is programmed to execute the malware at regular intervals. This scheduled task is a clever disguise, as it mimics the naming conventions of legitimate software updates, further reducing the chances of detection.
The combination of these two steps—strategic placement in a seemingly benign directory and the creation of a scheduled task—ensures that Menorah maintains a persistent presence on the targeted machine. This persistence allows it to carry out its intended functions over an extended period, thereby increasing the potential impact and effectiveness of its cyber espionage activities.
The phishing document employed in this attack, titled "MyCv.doc," initially appears to be associated with the Seychelles Licensing Authority. This could potentially mislead cybersecurity analysts into believing that the target is related to Seychelles or entities doing business with the island nation. However, a closer examination reveals a more complex picture.
The document contains pricing information denominated in Saudi Riyal, which diverges from what one would expect if the target were indeed in Seychelles. This discrepancy strongly suggests that the actual target of the attack may be an organization or individual located within the Kingdom of Saudi Arabia.
Given APT34's history of focusing on the Middle East, this targeting strategy aligns with their known modus operandi. It raises the possibility that the attackers are using the Seychelles Licensing Authority as a decoy or cover to obfuscate their true intentions and to lower the guard of their intended victims in Saudi Arabia.
APT34: The Organization Behind the Attack
APT34 is a covert cyber-espionage group with a focus on organizations and activities within the Middle East. Known for their high-profile cyber attacks against a diverse range of targets, including government agencies and critical infrastructure, APT34 employs spear-phishing campaigns and advanced techniques to infiltrate and maintain access within targeted networks.
Command and Control Infrastructure
Menorah is designed to communicate with a specific Command and Control (C&C) server, identified by the URL
http://tecforsc-001-site1.gtempurl.com/ads.asp. This server acts as the central hub for the malware's activities, receiving data from infected machines and potentially sending back further instructions or updates to the malware.
While the server was found to be inactive at the time of the analysis, its role should not be underestimated. C&C servers are pivotal in advanced malware operations, serving as the nerve center that orchestrates the malware's activities on infected machines. The server's inactivity could be a strategic move to evade detection or could indicate that it is only activated during specific operational phases.
The URL structure itself, designed to resemble a generic advertisement page, may serve as a deceptive tactic to avoid raising suspicions if encountered during network monitoring. This level of obfuscation adds an additional layer of complexity to Menorah's operation, making it more challenging for cybersecurity professionals to detect and neutralize the threat.
Conclusion and Implications
APT34 continues to evolve its tactics and tools, demonstrating a high level of sophistication and resourcefulness. The introduction of Menorah serves as a testament to the group's ongoing efforts to adapt and innovate. Organizations are advised to remain vigilant and to continually update their cybersecurity measures to mitigate the risks posed by such advanced threats. For a more detailed technical breakdown, head over and see Trend Micro's full report.
Indicators of Compromise (IOCs)