Iranian government-backed hackers are back at it, targeting US federal workers in the hopes of compromising government systems with malware.
The hacking attempts have been linked to a cyber-espionage group codenamed APT34, or OilRig, a six-year-old hacker group acting in the interests of the Iranian government.
The hacking attempts consist of a cleverly orchestrated spear-phishing campaign, according to a report published today by cyber-security firm Intezer Labs, and shared with ZDNet.
The spear-phishing emails mimic Westat surveys. Westat is a well-known US government contractor that has managed and administered surveys for more than 80 federal agencies over at least 16 years, querying federal workers on working conditions, management, and job satisfaction.
Intezer says that APT34 has been sending out fake Westat-branded emails that deliver booby-trapped surveys as Excel spreadsheets.
New and improved malware
These documents contain malicious code that executes if the victim enables macros inside Excel. The malicious code downloads and installs two strains of malware known as TONEDEAF and VALUEVAULT.
One is a backdoor, while the other is a password stealer.
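The delivery mechanism described above (an Excel attachment whose embedded VBA runs once the recipient enables macros) is something a mail gateway or analyst can check for by content rather than by filename. The following is an added example written for this page, not code from Intezer, ZDNet, or the campaign itself. It uses only the Python standard library: an OOXML workbook is a zip container, so the presence of a `vbaProject.bin` part or a macro-enabled content type in `[Content_Types].xml` tells you a VBA project is embedded regardless of the extension the attacker chose. Legacy OLE2 (.xls) files are only flagged for manual inspection, since parsing their VBA storage needs a dedicated OLE parser such as olefile. The sample workbooks are constructed in memory for demonstration and are not real lure documents.

```python
"""Content-based triage of Excel attachments for embedded VBA (added example)."""
import io
import zipfile

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy binary container (.xls/.doc)
ZIP_MAGIC = b"PK\x03\x04"                          # OOXML packages are zip files
MACRO_WORKBOOK_CT = "application/vnd.ms-excel.sheet.macroEnabled.main+xml"
PLAIN_WORKBOOK_CT = "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet.main+xml"
VBA_PART_CT = "application/vnd.ms-office.vbaProject"


def classify_attachment(data: bytes) -> dict:
    """Return {'format', 'has_vba', 'reasons'} for an attachment given as raw bytes.

    The decision is made from the bytes, so renaming .xlsm to .xlsx (or any
    other extension trick) does not change the verdict.
    """
    if data.startswith(OLE2_MAGIC):
        # A legacy binary workbook can carry a VBA storage, but reading it needs
        # an OLE2 parser (e.g. olefile/oletools); flag it rather than guess.
        return {"format": "ole2", "has_vba": None,
                "reasons": ["legacy binary format; inspect VBA storage with an OLE2 tool"]}
    if not data.startswith(ZIP_MAGIC):
        return {"format": "unknown", "has_vba": None,
                "reasons": ["not an OOXML zip container"]}

    reasons = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            # The compiled VBA project is always stored as a part named vbaProject.bin.
            vba_parts = sorted(n for n in names if n.lower().endswith("vbaproject.bin"))
            if vba_parts:
                reasons.append("VBA project part present: " + ", ".join(vba_parts))
            content_types = ""
            if "[Content_Types].xml" in names:
                content_types = zf.read("[Content_Types].xml").decode("utf-8", "replace")
            if MACRO_WORKBOOK_CT in content_types:
                reasons.append("workbook part declared as macro-enabled")
            if VBA_PART_CT in content_types:
                reasons.append("vbaProject content type declared")
    except zipfile.BadZipFile:
        return {"format": "unknown", "has_vba": None, "reasons": ["corrupt zip container"]}

    return {"format": "ooxml", "has_vba": bool(reasons), "reasons": reasons}


def build_sample_workbook(macro_enabled: bool) -> bytes:
    """Construct a minimal OOXML package laid out like a real .xlsx/.xlsm.

    Constructed test data for this example; the vbaProject.bin payload is a
    placeholder, not a real VBA project.
    """
    main_ct = MACRO_WORKBOOK_CT if macro_enabled else PLAIN_WORKBOOK_CT
    overrides = [f'<Override PartName="/xl/workbook.xml" ContentType="{main_ct}"/>']
    if macro_enabled:
        overrides.append(f'<Override PartName="/xl/vbaProject.bin" ContentType="{VBA_PART_CT}"/>')
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        + "".join(overrides) + "</Types>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if macro_enabled:
            zf.writestr("xl/vbaProject.bin", OLE2_MAGIC + b"placeholder-vba-storage")
    return buf.getvalue()


if __name__ == "__main__":
    samples = [
        ("clean workbook", build_sample_workbook(False)),
        ("macro workbook", build_sample_workbook(True)),
        ("legacy .xls", OLE2_MAGIC + b"\x00" * 64),
        ("not office", b"Subject: Westat survey\r\n"),
    ]
    for label, blob in samples:
        print(f"{label:15s} -> {classify_attachment(blob)}")
```

A positive result here means only that the attachment can run VBA once macros are enabled; whether that VBA is the downloader described above still requires extracting and reading the project, which is where oletools' `olevba` or a sandbox comes in.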
Both have been spotted before, namely used with another APT34 spear-phishing campaign detected by FireEye in July last year.
However, Intezer says these two versions contain serious upgrades from the previous ones used last July, both appearing to have been modified for this specific campaign.
For example, VALUEVAULT contains a Chrome password dumping feature instead of its past Windows Vault password dumping function, most likely because of the US government’s known use of Chrome as a default browser.
Intezer tracks these new variations as TONEDEAF 2.0 and VALUEVAULT 2.0. APT34 appears to have modified both malware strains after having its activities exposed by FireEye.
“The technical analysis of the new malware variants shows the group has been investing substantial effort in upgrading their tools in an attempt to stay undetected after being exposed, and it seems that effort is generally paying off,” the Intezer team said.
It is unclear for how long this recent APT34 spear-phishing campaign posing as Westat has been going on.
Campaign still going
“What we do know is that the [malware’s command and control] domain was created 4 months ago, and a certificate was issued for the website a month ago,” Paul Litvak, malware analyst at Intezer Labs, told ZDNet today.
Litvak believes the campaign is still ongoing. He also warns that organizations beyond the US government may be targeted, such as commercial entities known to rely on Westat’s surveying services.
Intezer said it notified Westat about the ongoing spear-phishing campaign earlier today.
ZDNet also reached out to Westat and asked whether the company plans to warn its customer base about the ongoing Iranian hacking campaign that’s abusing its brand. Westat has yet to answer both Intezer’s and ZDNet’s inquiries.