FireEye researchers identified a phishing campaign conducted by the cyberespionage group APT34 masquerading as a member of Cambridge University to gain their victim's trust to open malicious documents.
Researchers noticed the campaign in late June 2019 using LinkedIn professional network invitations to deliver the malicious documents that included the use of three new malware families according to a July 18 blog post.
The campaign utilized malware including a backdoor dubbed “TONEDEAF”, a browser credential theft tool dubbed “VALUEVAULT”, and a keylogger dubbed “LONGWATCH.”
So far the campaign has targeted the energy, utilities, government, oil and gas industries with the threat actor utilizing their tried-and-true techniques to breach targeted organizations.
APT34, believed to be an Iranian-based group, has been active since 2014 and has previously used academia and job offer conversations in other campaigns to lure victims into downloading malware.
“The latest research from FireEye clearly shows that no matter how malicious documents are distributed, macros in Microsoft Office documents represent a serious threat to organizations,” Digital Shadows Head of Security Engineering Dr. Richard Gold told SC Media.
“Given their ubiquity and their ease of exploitation by an attacker, we strongly recommend that organizations look into disabling or at least severely limiting the ability of macros to execute in their environment.”
In addition, Gold recommended organizations test their own defenses periodically in “Purple Team exercises” with public and or open-source tools to ensure that they are able to detect and respond to commodity threats.
Chris Morales, head of security analytics at Vectra, said attackers are using the same techniques they have always used to conduct phishing campaigns and adapting those campaigns to particular platforms where the users they want to target exist.
“One of the most important benefits of LinkedIn is the ability it gives you to find people outside your existing professional network,” Morales said. “There is a certain level of acceptance of outsiders on social media that doesn’t exist as much in email, especially as enterprises strengthen their email posture.”
