APT 034

Suspected attribution: Iran

Target sectors: This threat group has conducted broad targeting across a variety of industries, including financial, government, energy, chemical, and telecommunications, and has largely focused its operations within the Middle East

Overview: We believe APT34 is involved in a long-term cyber espionage operation largely focused on reconnaissance efforts to benefit Iranian nation-state interests and has been operational since at least 2014. We assess that APT34 works on behalf of the Iranian government based on infrastructure details that contain references to Iran, use of Iranian infrastructure, and targeting that aligns with nation-state interests.

This malware is a malicious 32-bit Windows executable. Analysis indicates the primary purpose of this application is to destroy a compromised Windows system by overwriting and deleting the Master Boot Record (MBR) on the victim's system and deleting files on network mapped shares as well as physically attached storage devices. The malware must be executed from a command line using any alphanumeric character or string as an argument. Once executed, the malware first attempts to disable the "System Event Notification" and "Alerter" services (Figure 1). Note: The Alerter service is present in Windows XP and Windows 2003, which are no longer supported by Microsoft. Current operating systems supported by Microsoft do not run the Alerter service. Next, the malware overwrites the MBR, displaying a status in the command (CMD) window. If the malware is able to overwrite the MBR, an "OK" status is displayed in the CMD window. If the malware is unable to overwrite the MBR, a "Fail" status is displayed. After the MBR is overwritten, the malware attempts to gain access to physical and network drives attached to the victim's system and recursively enumerate through the drive’s contents. When the malware identifies a file, it overwrites the file's contents with NULL bytes, renames the file with a randomly generated file name (Figure 2), then deletes the file, making forensic recovery impossible. If the malware is able to overwrite, rename and delete the file, the CMD window will display a “Break>" status. If the malware is only able to delete the file, the CMD window will display a “Del>" status (Figure 3). Once the malware has completed deleting files, the system is rebooted. If the malware has executed successfully, the system is rendered inoperative.

February 2018 brought the disclosure of several new vulnerabilities, including an Adobe Flash zero-day (CVE-2018-4878) and several new Microsoft office vulnerabilities. A new forum post in February 2018 announced that exploits for the recently disclosed CVE-2018-0802 as well as a July 2017 Office vulnerability (CVE-2017-8570) had been added to ThreadKit.

On the heels of this update, we started observing a large spike of email campaigns with ThreadKit generated MS Office attachments that included these exploits. The documents included exploits for CVE-2017-8570, CVE-2017-11882, and CVE-2018-0802 which appear to be copied from proofs of concept available on a researcher’s git repository.

This version of ThreadKit also contained yet another major rework of how the embedded decoy and malware are extracted and executed. The attachments drop the contained packager objects into computer’s temporary folder using the trick described here. The exploits then execute the dropped scriptlet file, which leads to the execution of dropped batch files that then run the executable.

Associated malware: POWBAT, BONDUPDATER, POWRUNER, SEASHARPEE, Helminth

Attack vectors: In its latest campaign, APT34 leveraged the recent Microsoft Office vulnerability CVE-2017-11882 to deploy POWRUNER and BONDUPDATER.