Iranian advanced persistent threat group OilRig, also known as Cobalt Gypsy, Helix Kitten, and APT34, has attacked a Jordanian diplomat with a malicious Excel document deploying the new Saitama backdoor, reports SecurityWeek.
Fortinet researchers revealed that the Excel document's macro uses Windows Management Instrumentation (WMI) to communicate with its command-and-control (C2) server and eventually triggers the creation of three files: a configuration file, a legitimate DLL, and a malicious PE file.
Meanwhile, the DNS protocol is being leveraged by the .NET-based Saitama backdoor to facilitate C2 communications and data exfiltration.
Another report from Malwarebytes described the backdoor as a finite-state machine with the following states: an initial state that accepts a start command, an alive state that retrieves the C2 server, a sleep state, a state that accepts a command from the C2 server, a command execution state, and a send state.
Attackers have also developed Saitama as a highly-targeted backdoor, Malwarebytes researchers added.
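The DNS-based C2 channel is the detail defenders can act on: a backdoor that tunnels commands and exfiltrated data through DNS tends to produce many distinct, long, high-entropy subdomains under one base domain. The following Python heuristic is an added illustration, not code from the source reporting or from Saitama itself; the sample query log, the placeholder domain and the thresholds are constructed assumptions, not real indicators.

```python
import math
from collections import defaultdict

# Constructed DNS query log (client IP, queried name). 10.0.0.5 browses normally;
# 10.0.0.7 issues long, random-looking labels to one base domain, the shape a
# DNS tunnelling C2/exfiltration channel produces. Domains are placeholders.
SAMPLE_QUERIES = [
    ("10.0.0.5", "www.example.com"),
    ("10.0.0.5", "mail.example.com"),
    ("10.0.0.5", "cdn.example.com"),
    ("10.0.0.7", "6b2c9e41f0a7d3b85c1e2f9a.c2-placeholder.test"),
    ("10.0.0.7", "f41a7c0e9d2b6358a1c7e0b4.c2-placeholder.test"),
    ("10.0.0.7", "0d9e3a5c7b1f48a2e6c0d3b7.c2-placeholder.test"),
    ("10.0.0.7", "www.example.com"),
]


def shannon_entropy(s):
    """Bits per character; encoded/encrypted data scores higher than words."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(fqdn, levels=2):
    """Return (subdomain labels joined, base domain of the last `levels` labels)."""
    parts = fqdn.rstrip(".").split(".")
    return ".".join(parts[:-levels]), ".".join(parts[-levels:])


def flag_dns_tunnel_candidates(queries, min_hits=3, min_len=20, min_entropy=3.0):
    """Group queries by (client, base domain) and flag groups that contain at
    least `min_hits` distinct subdomains that are both long and high-entropy.
    Returns {(client, base_domain): number_of_suspicious_subdomains}."""
    groups = defaultdict(set)
    for client, fqdn in queries:
        sub, base = split_name(fqdn)
        groups[(client, base)].add(sub)
    flagged = {}
    for key, subs in groups.items():
        suspicious = [s for s in subs
                      if len(s.replace(".", "")) >= min_len
                      and shannon_entropy(s.replace(".", "")) >= min_entropy]
        if len(suspicious) >= min_hits:
            flagged[key] = len(suspicious)
    return flagged


if __name__ == "__main__":
    for (client, base), hits in flag_dns_tunnel_candidates(SAMPLE_QUERIES).items():
        print(f"{client} -> {base}: {hits} suspicious labels")
```

Thresholds need tuning per environment, since CDNs and some telemetry services legitimately emit long random labels; pairing this heuristic with query volume and rarity of the base domain reduces false positives.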