Researchers have identified a suspicious email targeting a government official at the Foreign Ministry of Jordan. The email carried a malicious Excel document that dropped a new backdoor named Saitama. Based on their analysis, the researchers attributed the activity to the known Iranian threat actor group APT34.
Pretending to be from the Government of Jordan, the malicious email sent to the victim had the subject line “Confirmation Receive Document” and an attached Excel file “Confirmation Receive Document.xls”, and was sent from a Microsoft Outlook account. The Excel attachment contained a malicious macro and lured the victim into enabling macros by displaying an image within the file. The dropped payload, dubbed Saitama, is written in .NET and has an interesting PDB path: “E:\Saitama\Saitama.Agent\obj\Release\Saitama.Agent.pdb”. For command-and-control communication the backdoor uses the DNS protocol, and it is capable of executing remote pre-established commands or custom commands and of dropping files.
Insights:
The use of the DNS protocol for command-and-control communications is stealthier than other communication methods, such as HTTP: outbound DNS is almost always permitted, and the traffic is hidden inside queries and responses that look like ordinary name resolution. In addition, the threat actors have implemented techniques such as compression (fewer, shorter queries) and long random sleep times (no regular beacon interval), which let the malicious traffic blend into legitimate DNS traffic.
According to the researchers, another interesting element of this backdoor is its implementation. The entire workflow of the backdoor is defined as a finite-state machine (FSM). An FSM, a mathematical model of computation, is always in exactly one of a finite set of states and moves to another state in response to an input; here the input is the command received by the backdoor, so the malware’s next action depends on both its current state and the command it is sent in that state.
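The paragraph above explains why DNS C2 is hard to spot by eye, but the features it relies on (many unique, high-entropy subdomains under one domain, irregular timing) are exactly what a resolver log analysis can score. The following is an added example, not code from the original report or from the Saitama analysis: it profiles per-domain query behaviour over a constructed sample log in an assumed "<epoch> <client_ip> <qtype> <qname>" format, using a two-label approximation of the registrable domain (a real deployment would use the public suffix list), and reports the median inter-query gap so long random sleeps are visible rather than hidden.

```python
import math
import statistics
from collections import Counter, defaultdict

# Constructed sample resolver log (not real traffic). Format assumed:
# "<epoch> <client_ip> <qtype> <qname>", one query per line.
SAMPLE_DNS_LOG = """\
1652000000 10.0.0.5 A www.example.com
1652000001 10.0.0.5 A cdn.example.com
1652000002 10.0.0.5 AAAA mail.example.com
1652000010 10.0.0.7 A 3f9ac1.7b2e4d.update-service.test
1652000071 10.0.0.7 A 91bd02.7b2e4d.update-service.test
1652000190 10.0.0.7 A a77e1c.7b2e4d.update-service.test
1652000305 10.0.0.7 A 0c4f82.7b2e4d.update-service.test
1652000420 10.0.0.7 TXT 5e2d9b.7b2e4d.update-service.test
1652000431 10.0.0.7 A c81a03.7b2e4d.update-service.test
1652000500 10.0.0.5 A www.example.com
"""


def shannon_entropy(s: str) -> float:
    """Bits per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def registrable_domain(qname: str) -> str:
    # Assumption: the last two labels approximate the registrable domain.
    # A real deployment would consult the public suffix list instead.
    labels = qname.split(".")
    return ".".join(labels[-2:])


def parse_dns_log(text: str):
    """Parse the assumed log format into (epoch, client, qtype, qname) tuples."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than abort the run
        ts, client, qtype, qname = parts
        records.append((int(ts), client, qtype.upper(), qname.lower().rstrip(".")))
    return records


def profile_domains(records):
    """Aggregate, per registrable domain, the features tunnelling leaves behind."""
    per = defaultdict(lambda: {"queries": 0, "names": set(), "entropies": [],
                               "sub_lens": [], "txt": 0, "timestamps": []})
    for ts, _client, qtype, qname in records:
        dom = registrable_domain(qname)
        sub = qname[: -len(dom)].rstrip(".") if qname != dom else ""
        p = per[dom]
        p["queries"] += 1
        p["names"].add(qname)
        p["entropies"].append(shannon_entropy(sub.replace(".", "")))
        p["sub_lens"].append(len(sub))
        if qtype == "TXT":
            p["txt"] += 1  # TXT is the usual downstream channel for DNS C2
        p["timestamps"].append(ts)
    return per


def find_tunneling_candidates(records, min_queries=5, min_unique_ratio=0.8,
                              min_entropy=2.5, min_sub_len=10):
    """Return {domain: stats} for domains whose query pattern looks like DNS C2.

    Thresholds are illustrative assumptions; tune them against your own baseline.
    """
    out = {}
    for dom, p in profile_domains(records).items():
        if p["queries"] < min_queries:
            continue
        unique_ratio = len(p["names"]) / p["queries"]   # near 1.0: every query is a fresh name
        mean_entropy = statistics.mean(p["entropies"])   # high: encoded/compressed data, not words
        mean_sub_len = statistics.mean(p["sub_lens"])    # long: payload carried in the labels
        if (unique_ratio < min_unique_ratio or mean_entropy < min_entropy
                or mean_sub_len < min_sub_len):
            continue
        ts = sorted(p["timestamps"])
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        out[dom] = {
            "queries": p["queries"],
            "unique_names": len(p["names"]),
            "unique_ratio": round(unique_ratio, 2),
            "mean_entropy": round(mean_entropy, 2),
            "mean_sub_len": round(mean_sub_len, 1),
            "txt_queries": p["txt"],
            "median_gap_s": statistics.median(gaps) if gaps else 0,
        }
    return out


if __name__ == "__main__":
    for dom, stats in find_tunneling_candidates(parse_dns_log(SAMPLE_DNS_LOG)).items():
        print(dom, stats)
```

On the sample, example.com never reaches the minimum query count and its subdomains are short dictionary words, while update-service.test is flagged on all three features with a median gap of 115 seconds; a beacon with randomised sleeps shows up here as a wide spread of gaps rather than a fixed interval, so the median is reported instead of being used as a filter.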
The Iranian advanced persistent threat group APT34 has been known to target Middle Eastern countries and victims worldwide since at least 2014. The group’s known target industries include finance, government, energy, chemicals, and telecommunications. The activity was attributed to APT34 based on the factors below:
The US Secretary of State has acknowledged a U.S. intelligence assessment that the attacks on the U.S. satellite company Viasat, which damaged infrastructure in allied territory, were carried out by Russia.
The UK has said it is “almost certain” that Russia was behind the Viasat outage in February, which took place an hour before the invasion of Ukraine. The UK added that while the primary target is believed to have been the Ukrainian military, other customers, including personal and commercial internet users and wind farms, were also affected by the attack.
Similarly, Canada has in a statement also pinned malicious activities affecting Europe and Ukraine on Russia, highlighting targeted attacks on the Ukrainian banking sector in February 2022 and the exploitation of the SolarWinds platform by Russia’s Foreign Intelligence Service (SVR) in 2021, among other malicious activities attributed to Russia.
Joining the US and the UK, the Australian Government also attributed the malicious activity to Russia. It highlighted the multiple families of destructive wiper malware and, since October 2021, attacks on Ukrainian civilian entities involved in crisis response, including emergency services, energy, transport, and communications-related networks, in addition to the attacks on Viasat.
A large distribution campaign involving Jester Stealer, malware capable of stealing large amounts of data, was observed by the Ukrainian Computer Emergency Response Team (CERT-UA). In an advisory, CERT-UA warned that the campaign uses a “chemical attack” theme and contains a link to macro-laced Excel documents. Once the document is opened and macros are enabled, malicious executables are downloaded from compromised web resources, infecting the targeted system with Jester Stealer. The malware is designed to steal authentication and other data from Internet browsers, MAIL/FTP/VPN clients, cryptocurrency wallets, password managers, messengers, game programs, and other applications. The stolen data is transmitted to the attackers’ Telegram via statically defined proxy addresses, including in the TOR network. The malware has anti-analysis functionality (anti-VM, anti-debug, and anti-sandbox checks) that hampers researchers trying to analyze the file.
Insights:
The military conflict between Russia and Ukraine is underway and a settlement may not be seen soon. Therefore, the threat of more lethal weapons being used remains a concern. In particular, Ukrainians are living under constant fear and are subject to more escalated attacks with each passing day. Given that frame of mind, these malicious emails pretending to warn of impending chemical attacks are unlikely to go unnoticed and may well be acted upon by recipients.
The critical vulnerability tracked as CVE-2022-1388 allows an attacker to bypass REST authentication on internet-exposed iControl interfaces. An unauthenticated attacker with network access to the BIG-IP system through the management port and/or self IP addresses can execute arbitrary system commands, create or delete files, or disable services. On May 4, F5 notified users of the vulnerability in BIG-IP iControl REST, in which undisclosed requests could bypass iControl REST authentication.
Soon after the patch was made available, two separate groups of researchers said on Twitter that they had developed exploits which would be published soon. Other researchers also observed online scanning for vulnerable BIG-IP systems.
Insights:
According to F5, the vulnerability does not expose the data plane; it is a control plane issue only. This means the vulnerability is less concerning if the management plane is not exposed to the Internet. Since F5 lists self IP addresses as well as the management port as exposure paths, an appliance whose management port is isolated can still be reachable through self IPs, so both need to be checked. F5 BIG-IP devices are widely used by enterprises, and the vulnerability still poses a significant risk: successful exploitation may allow threat actors to gain initial access to corporate networks and move laterally to other systems or devices.
On May 10, CVE-2022-1388 was added to CISA’s Known Exploited Vulnerabilities (KEV) catalog. CISA’s KEV catalog is an excellent resource for organizations to keep up with the vulnerabilities attackers are actively exploiting. The initiative aims to catalog the most important vulnerabilities that have been exploited in the wild and pose a serious risk. Organizations should monitor and prioritize vulnerabilities listed in this catalog.
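Because the risk hinges on who can reach the control plane, the most useful check is an exposure audit of the BIG-IP httpd access log: any iControl REST or GUI request from a source outside the management allow list is a finding, and a 2xx from such a source deserves immediate triage. The following is an added example, not code from the original report or from F5: it assumes Apache combined-style access log lines (constructed sample, not real data), a hypothetical management subnet of 10.10.1.0/24, and that iControl REST paths begin with /mgmt/ and the GUI with /tmui/. It is deliberately exposure-based rather than signature-based, since the page gives no details of the bypass request itself.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines (not real data). Assumption: Apache combined-style
# access log as written by the BIG-IP httpd front end, one request per line.
SAMPLE_HTTPD_LOG = """\
10.10.1.20 - - [09/May/2022:09:58:12 +0000] "GET /mgmt/tm/sys/version HTTP/1.1" 200 1432
10.10.1.21 - - [09/May/2022:09:59:40 +0000] "POST /mgmt/shared/authn/login HTTP/1.1" 200 811
198.51.100.77 - - [09/May/2022:10:01:05 +0000] "POST /mgmt/shared/authn/login HTTP/1.1" 401 230
198.51.100.77 - - [09/May/2022:10:01:06 +0000] "GET /mgmt/tm/sys/version HTTP/1.1" 401 230
203.0.113.9 - - [09/May/2022:10:03:51 +0000] "POST /mgmt/tm/sys/db HTTP/1.1" 200 512
10.10.1.20 - - [09/May/2022:10:05:00 +0000] "GET /tmui/login.jsp HTTP/1.1" 200 3021
"""

# Assumption: the organisation's management network. Anything outside it has
# no business talking to the control plane, whether via management port or self IP.
ALLOWED_MGMT_NETS = [ipaddress.ip_network("10.10.1.0/24")]

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)


def parse_httpd_log(text: str):
    """Parse combined-format lines into dicts; unparsable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        events.append({"src": m["src"], "ts": m["ts"], "method": m["method"],
                       "path": m["path"], "status": int(m["status"])})
    return events


def is_control_plane(path: str) -> bool:
    # Assumption: iControl REST is served under /mgmt/ and the GUI under /tmui/.
    return path.startswith("/mgmt/") or path.startswith("/tmui/")


def src_allowed(src: str, allowed) -> bool:
    """True only if src parses as an IP inside one of the allowed networks."""
    try:
        ip = ipaddress.ip_address(src)
    except ValueError:
        return False  # an unparsable source is never trusted
    return any(ip in net for net in allowed)


def find_exposed_control_plane_requests(events, allowed=ALLOWED_MGMT_NETS):
    """Control-plane requests whose source is outside the management allow list."""
    return [e for e in events
            if is_control_plane(e["path"]) and not src_allowed(e["src"], allowed)]


def summarize_by_source(flagged):
    """Request count per offending source; a burst of distinct /mgmt/ paths
    from one IP is the footprint of the scanning described above."""
    return Counter(e["src"] for e in flagged)


def successful_foreign_access(flagged):
    """The subset that received a 2xx: authentication did not stop them."""
    return [e for e in flagged if 200 <= e["status"] < 300]


if __name__ == "__main__":
    events = parse_httpd_log(SAMPLE_HTTPD_LOG)
    flagged = find_exposed_control_plane_requests(events)
    print("offending sources:", dict(summarize_by_source(flagged)))
    for e in successful_foreign_access(flagged):
        print("SUCCESSFUL foreign control-plane request:", e["src"], e["method"], e["path"])
```

On the sample, the two 401s from 198.51.100.77 look like probing, while the 200 on a POST from 203.0.113.9 is the line an analyst should open first. Run the same check on every BIG-IP in the estate, not only the ones believed to be internet-facing, because self IPs on internal segments also count as exposure.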