As part of a long-running espionage campaign that began in April 2018, an APT group with ties to Iran has updated its malware toolset to include a new backdoor dubbed Marlin. The attacks, codenamed “Out to Sea,” have been attributed to the threat actor known as OilRig (aka APT34), and the same research conclusively links OilRig’s activities to a second Iranian group known as Lyceum (also tracked as Hexane or SiameseKitten).
According to ESET’s T3 2021 Threat Report, “Victims of the campaign include diplomatic organisations, technology companies, and medical organisations in Israel, Tunisia, and the United Arab Emirates.”
OilRig, which has been active since at least 2014, is known to target Middle Eastern governments as well as a wide range of business sectors, including chemical, energy, financial and telecommunications. In April 2021, the actor used an implant called SideTwist to target a Lebanese entity, while previous campaigns attributed to Lyceum targeted IT companies in Israel, Morocco, Tunisia, and Saudi Arabia.
The Lyceum infection chains are also notable for having evolved to drop multiple backdoors since the campaign’s discovery in 2018 — beginning with DanBot and progressing to Shark.
Marlin uses Microsoft’s OneDrive API for command-and-control (C&C) communications, a significant departure from traditional OilRig TTPs, which have relied on DNS and HTTPS for C&C traffic.
ESET cited similarities in tools and tactics between OilRig’s backdoors and those of Lyceum as “too numerous and specific,” noting that initial network access was obtained through spear-phishing as well as remote access and administration software such as ITbrain and TeamViewer.
ToneDeaf is a malware family that was deployed in July 2019 by the APT34 actor targeting a wide range of industries operating in the Middle East. It supports collecting system information, uploading and downloading files, and arbitrary shell command execution.
Furthermore, the findings revealed overlaps between the two groups in the use of DNS as a primary C&C communication channel with HTTP/S as a secondary method, as well as in the use of multiple folders within a backdoor’s working directory for uploading files to, and downloading files from, the C&C server.