
Names | APT34 (Mandiant, FireEye), OilRig (Palo Alto), Helix Kitten (CrowdStrike), Twisted Kitten (CrowdStrike), Cobalt Gypsy (SecureWorks) |
Additional Names | Crambus (Symantec), Chrysene (Dragos), TA452 (Proofpoint), IRN2 (Area 1), ATK 40 (Thales), ITG13 (IBM), Hazel Sandstorm (Microsoft) |
Location | Iran |
Date of initial activity | 2014 |
Suspected attribution | State-sponsored |
Motivation | Espionage |
Associated tools | Glimpse, Helminth, Jason, MacDownloader, PoisonFrog, PupyRAT, RGDoor, ThreeDollars, TinyZbot, Toxocara, Trichuris, TwoFace, Webmask, ZeroCleare, Living off the Land |
Overview
FireEye believes APT34 is involved in a long-term cyber espionage operation, largely focused on reconnaissance to benefit Iranian nation-state interests, that has been operational since at least 2014. FireEye assesses that APT34 works on behalf of the Iranian government based on infrastructure details that contain references to Iran, the use of Iranian infrastructure, and targeting that aligns with nation-state interests.
Targets
Private-sector companies across multiple industries; the group has also targeted foreign governments, dissidents, and journalists.
Attack vectors
Shamoon attacks: W32.Disttrack (Shamoon) is destructive malware used in targeted attacks against at least one organization in the energy sector. It corrupts files on a compromised computer and overwrites the Master Boot Record (MBR) in an effort to render the machine unbootable. Targets: Saudi Aramco and RasGas.
How they work
In a 2017 campaign, APT34 exploited the then-recent Microsoft Office vulnerability CVE-2017-11882 (Equation Editor) to deploy POWRUNER and BONDUPDATER.
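The page lists the exploit document only by hash, so as an added triage example (not FireEye's, SecureWorks' or the actor's code) here is a Python check for the artefact every CVE-2017-11882 document has to carry: an embedded Equation Editor object, identifiable by Microsoft's CLSID {0002CE02-0000-0000-C000-000000000046} or the Equation.3 ProgID. The CLSID and ProgID are real; the sample documents are constructed stubs, not real exploit files.

```python
import zipfile
from io import BytesIO

# Equation Editor (EQNEDT32.EXE) class identifier {0002CE02-0000-0000-C000-000000000046}
# in the little-endian binary layout used inside OLE directory entries / \x01CompObj.
EQNEDT_CLSID_LE = bytes.fromhex("02CE020000000000C000000000000046")
# Text forms seen in RTF carriers: the ProgID in \objclass and the CLSID
# hex-encoded inside the \objdata blob (RTF hex digits may be either case).
TEXT_MARKERS = (b"equation.3", b"0002ce020000000000c000000000000046")


def find_equation_markers(data):
    """Return the Equation Editor markers present in one byte stream."""
    found = []
    if EQNEDT_CLSID_LE in data:
        found.append("ole:clsid")
    low = data.lower()
    for marker in TEXT_MARKERS:
        if marker in low:
            found.append("rtf:" + marker.decode())
    return found


def triage(data):
    """Map container member -> markers. OOXML (zip) members are scanned one by one;
    anything else (RTF, legacy OLE .doc) is scanned as a single stream."""
    findings = {}
    if data[:2] == b"PK" and zipfile.is_zipfile(BytesIO(data)):
        with zipfile.ZipFile(BytesIO(data)) as z:
            for name in z.namelist():
                hits = find_equation_markers(z.read(name))
                if hits:
                    findings[name] = hits
    else:
        hits = find_equation_markers(data)
        if hits:
            findings["<root>"] = hits
    return findings


def triage_file(path):
    with open(path, "rb") as f:
        return triage(f.read())


def _zip_with(name, payload):
    """Build an in-memory zip with one member (stand-in for a .docx container)."""
    buf = BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr(name, payload)
    return buf.getvalue()


# Constructed samples (not real exploit documents; the objdata hex is a stub).
SAMPLE_RTF = (b"{\\rtf1{\\object\\objemb{\\*\\objclass Equation.3}"
              b"{\\*\\objdata 01050000020000000002CE020000000000C000000000000046}}}")
SAMPLE_OLE = (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 72
              + EQNEDT_CLSID_LE + b"\x00" * 16)
SAMPLE_DOCX = _zip_with("word/embeddings/oleObject1.bin", SAMPLE_OLE)
SAMPLE_CLEAN = b"{\\rtf1 Quarterly report with no embedded objects.}"

if __name__ == "__main__":
    for label, blob in [("rtf", SAMPLE_RTF), ("ole", SAMPLE_OLE),
                        ("docx", SAMPLE_DOCX), ("clean", SAMPLE_CLEAN)]:
        print(label, triage(blob))
```

An Equation.3 object is a triage signal, not proof of exploitation: legitimate documents embed equations, and an attacker can split or obfuscate the RTF control words and hex so that this byte-level scan misses the object. Treat a hit as a reason to compare the file against the hashes in the IOC table below and to detonate it in a sandbox, not as a verdict on its own.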
COBALT GYPSY has been active since at least 2015, targeting organizations based in or affiliated with the Middle East and North Africa (MENA) in the telecommunications, government, defense, oil, and financial services verticals. SecureWorks CTU researchers assess with moderate confidence that COBALT GYPSY operates on behalf of Iran.
The group often uses spear phishing with academic or employment-related themes to infect targets, many of whom are identified and approached via social media sites. COBALT GYPSY also conducts broad phishing operations against government, energy, oil and gas, aviation, and nuclear organizations worldwide, as well as against defense contractors.
The group has deployed a range of custom remote access trojans (Helminth, Toxocara, Trichuris) and webshells (TwoFace, ThreeDollars). CTU researchers track several related but distinct groups with tradecraft or infrastructure similarities to COBALT GYPSY, including COBALT EDGEWATER, COBALT KATANA, and COBALT LYCEUM.
Indicators of Compromise (IOCs)
Filename / Domain / IP Address | MD5 Hash or Description |
CVE-2017-11882 exploit document | A0E6933F4E0497269620F44A083B2ED4 |
b.txt | 9267D057C065EA7448ACA1511C6F29C7 |
v.txt/v.vbs | B2D13A336A3EB7BD27612BE7D4E334DF |
dUpdateCheckers.base | 4A7290A279E6F2329EDD0615178A11FF |
hUpdateCheckers.base | 841CE6475F271F86D0B5188E4F8BC6DB |
cUpdateCheckers.bat | 52CA9A7424B3CC34099AD218623A0979 |
dUpdateCheckers.ps1 | BBDE33F5709CB1452AB941C08ACC775E |
hUpdateCheckers.ps1 | 247B2A9FCBA6E9EC29ED818948939702 |
GoogleUpdateschecker.vbs | C87B0B711F60132235D7440ADD0360B0 |
hxxp://mumbai-m[.]site | POWRUNER C2 |
hxxp://dns-update[.]club | Malware staging server |
CVE-2017-0199 exploit document | 63D66D99E46FB93676A4F475A65566D8 |
94.23.172.164:80 | Malware staging server |
dupdatechecker.doc | D85818E82A6E64CA185EDFDDBA2D1B76 |
dupdatechecker.exe | C9F16F0BE8C77F0170B9B6CE876ED7FB |
proxycheker[.]pro | C2 |
46.105.221.247 | Has resolved mumbai-m[.]site and hpserver[.]online |
148.251.55.110 | Has resolved mumbai-m[.]site and dns-update[.]club |
185.15.247.147 | Has resolved dns-update[.]club |
145.239.33.100 | Has resolved dns-update[.]club |
82.102.14.219 | Has resolved ns2.dns-update[.]club, hpserver[.]online and anyportals[.]com |
v7-hpserver.online.hta | E6AC6F18256C4DDE5BF06A9191562F82 |
dUpdateCheckers.base | 3C63BFF9EC0A340E0727E5683466F435 |
hUpdateCheckers.base | EEB0FF0D8841C2EBE643FE328B6D9EF5 |
cUpdateCheckers.bat | FB464C365B94B03826E67EABE4BF9165 |
dUpdateCheckers.ps1 | 635ED85BFCAAB7208A8B5C730D3D0A8C |
hUpdateCheckers.ps1 | 13B338C47C52DE3ED0B68E1CB7876AD2 |
googleupdateschecker.vbs | DBFEA6154D4F9D7209C1875B2D5D70D5 |
hpserver[.]online | C2 |
v7-anyportals.hta | EAF3448808481FB1FDBB675BC5EA24DE |
dUpdateCheckers.base | 42449DD79EA7D2B5B6482B6F0D493498 |
hUpdateCheckers.base | A3FCB4D23C3153DD42AC124B112F1BAE |
dUpdateCheckers.ps1 | EE1C482C41738AAA5964730DCBAB5DFF |
hUpdateCheckers.ps1 | E516C3A3247AF2F2323291A670086A8F |
anyportals[.]com | C2 |
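The table above is printed defanged, which is how it should be published but not how it can be matched. As an added example (not part of the original page or any vendor's tooling), the following Python script refangs the domains, then sweeps a directory for files matching the MD5 hashes and a set of DNS/proxy log lines for the C2 and resolver IPs. The hash set is a subset of the table, and the log lines are constructed for illustration; they are not real telemetry.

```python
import hashlib
import re
from pathlib import Path

# Indicators copied from the IOC table above, still defanged as printed there.
# The MD5 set is a subset; add the remaining rows of the table for a full sweep.
MD5_IOCS = {
    "a0e6933f4e0497269620f44a083b2ed4": "CVE-2017-11882 exploit document",
    "63d66d99e46fb93676a4f475a65566d8": "CVE-2017-0199 exploit document",
    "c87b0b711f60132235d7440add0360b0": "GoogleUpdateschecker.vbs",
    "d85818e82a6e64ca185edfddba2d1b76": "dupdatechecker.doc",
    "c9f16f0be8c77f0170b9b6ce876ed7fb": "dupdatechecker.exe",
}
DEFANGED_DOMAINS = [
    "hxxp://mumbai-m[.]site", "hxxp://dns-update[.]club", "proxycheker[.]pro",
    "hpserver[.]online", "anyportals[.]com",
]
IP_IOCS = {
    "94.23.172.164", "46.105.221.247", "148.251.55.110",
    "185.15.247.147", "145.239.33.100", "82.102.14.219",
}


def refang(ioc):
    """Turn a defanged indicator (hxxp://, [.]) back into a bare hostname."""
    ioc = ioc.replace("hxxp", "http").replace("[.]", ".")
    if "://" in ioc:
        ioc = ioc.split("://", 1)[1]
    return ioc.rstrip("/").lower()


DOMAINS = {refang(d) for d in DEFANGED_DOMAINS}

# Hostname and IPv4 tokens with explicit boundaries, so "notmumbai-m.site" or
# "194.23.172.164" cannot match by substring.
HOST_RE = re.compile(r"(?<![a-z0-9.-])([a-z0-9-]+(?:\.[a-z0-9-]+)+)(?![a-z0-9.-])")
IPV4_RE = re.compile(r"(?<![\d.])((?:\d{1,3}\.){3}\d{1,3})(?![\d.])")


def scan_log(lines):
    """Return (line_no, kind, indicator) for every domain/IP IOC seen in the lines.

    A domain matches exactly or as the parent of the queried name, which also
    catches subdomains such as ns2.dns-update.club from the table.
    """
    hits = []
    for n, raw in enumerate(lines, 1):
        line = raw.lower()
        for host in HOST_RE.findall(line):
            for d in DOMAINS:
                if host == d or host.endswith("." + d):
                    hits.append((n, "domain", d))
        for ip in IPV4_RE.findall(line):
            if ip in IP_IOCS:
                hits.append((n, "ip", ip))
    return hits


def md5_of(path, chunk=1 << 20):
    """Stream a file through MD5 so large files do not need to fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan_files(root, hashes=MD5_IOCS):
    """Walk a directory and return (path, md5, label) for files matching the IOC hashes."""
    hits = []
    for p in Path(root).rglob("*"):
        if p.is_file():
            digest = md5_of(p)
            if digest in hashes:
                hits.append((str(p), digest, hashes[digest]))
    return hits


# Constructed sample DNS/proxy log lines (not real telemetry). Line 5 is a
# deliberate near-miss showing that substring matching is avoided.
SAMPLE_LOG = [
    "2017-12-01T10:02:11Z host=WS01 query=mumbai-m.site type=TXT",
    "2017-12-01T10:02:15Z host=WS01 query=ns2.dns-update.club type=A",
    "2017-12-01T10:03:00Z host=WS02 query=update.microsoft.com type=A",
    "2017-12-01T10:04:42Z host=WS03 dst=94.23.172.164:80 method=GET uri=/",
    "2017-12-01T10:05:00Z host=WS04 query=notmumbai-m.site type=A",
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

Two caveats apply when using these indicators. Several of the IPs are listed only as having resolved the C2 domains at the time of the report, so a hit on them is a pivot to investigate, not an automatic confirmation, and the hashes cover specific samples (note the repeated filenames with different MD5s), so a clean hash sweep says nothing about a recompiled dropper; the domain and IP matches, and behavioural signals such as DNS TXT queries to the C2 domains, hold up longer than the file hashes.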