Effective URL: https://www.cybersechub.hk/en/post/2595
Submission: On August 31 via manual from HK — Scanned from DE



APT34 Unleashes New Wave of Phishing Attack with Variant of SideTwist Trojan
Post on: 31 Aug 2023, 10:02 (HKT)
Last modified: 31 Aug 2023, 10:02 (HKT)

Recently, NSFOCUS Security Labs captured a new APT34 phishing attack. During the
campaign, APT34 attackers disguised as a marketing services company called GGMS
launched attacks against enterprise targets and released a SideTwist variant
Trojan to achieve long-term control of the victim host.


APT34, also known as OilRig or Helix Kitten, is an APT group suspected of coming
from Iran. The group has been active since 2014, conducting cyber espionage and
cyber sabotage operations against countries in the Middle East. Its main targets
include multiple industries such as finance, government, energy, chemical
industry and telecommunications.

APT34 is technically sophisticated: it designs different intrusion methods for
different types of targets and has supply chain attack capability. After the
group's main attack tools were exposed in a leak in 2019, it began to develop
new attack tools, including RDAT, SideTwist and Saitama.

Related links:

 * Analysis of File Disclosure by APT34
 * APT34 Event Analysis Report


The decoy file used by APT34 this time is called "GGMS Overview.doc", and the
document's body shows an introduction to a so-called "Ganjavi Global Marketing
Services" company, as shown in the figure below.

Figure 1 Decoy document used by APT34 in this attack

The introduction claimed that the company was able to provide worldwide
marketing services. Apparently, it targets enterprises.

The decoy file has two upload records, both located in the United States,
demonstrating that APT34 was actually targeting United States businesses.


In this event, APT34 followed an attack process that has been in use since 2021,
but with some variations in details. The key steps of this attack process are
illustrated in the following figure.

Figure 2 Attack process used by APT34 in this attack

During this attack, the malicious macro code hidden in the decoy file is
responsible for setting up the environment. The macro extracts the Trojan
SystemFailureReporter.exe, which is stored in base64 form inside the document,
writes it to the %LOCALAPPDATA%\SystemFailureReporter\ directory, and creates a
text file named update.xml in the same directory that acts as the start switch
for the Trojan program, as shown in the figure below.

Figure 3 Malicious files released from decoy document

The malicious macro then creates a scheduled task called SystemFailureReporter
that launches the Trojan every 5 minutes, so that it runs repeatedly.

Figure 4 Trigger information of scheduled task set by decoy document

Figure 5 Action information of scheduled tasks set by decoy document

The called Trojan program SystemFailureReporter.exe is a variant of SideTwist,
the main Trojan tool used by APT34 in recent operations. Its CnC address is, but it uses HTTP for communication.


The variant Trojan presented in this campaign is similar to the SideTwist Trojan
used by APT34 in previous campaigns, with the main difference that it is
compiled using GCC.

The main function of the SideTwist Trojan is to communicate with the CnC,
execute commands or program files issued by the CnC terminal, and upload local
files to the CnC.

When the Trojan runs, it first checks whether a file named update.xml exists in
the same directory. If it does not, the Trojan writes a line of prompt text to
the debug output and exits. This is a typical anti-sandbox check.

Figure 6 Environment detection operation of SideTwist Trojan

The Trojan then collects the user name, computer name and local domain name of
the victim's host, combines them and computes a 4-byte hash that serves as the
victim's unique ID.

Figure 7 Host information collection of SideTwist Trojan

The Trojan then attempts to establish communication with the CnC and obtain
return information using the generated victim ID.

The following figure shows the sample HTTP communication content of this Trojan,
and suWW in the URI path is the victim ID:

Figure 8 First communication content of SideTwist Trojan

If the CnC is reachable, the Trojan extracts specific content from the HTML
returned by the CnC and parses it into a CnC instruction. This content is hidden
between the <script>/* and */</script> markers of the HTML code.

In this variant, the CnC instruction is base64-encoded and then decrypted with a
multi-byte XOR using the string "notmersenne" as the key.

The decrypted CnC instruction is divided into three segments, namely CnC number,
CnC instruction code and operating parameters, which are separated by the symbol
"|", as shown below.

[CnC number] | [CnC instruction code] | [operation parameter 1] | [operation parameter 2]

The CnC number is used only as an index during CnC communication; the Trojan
terminates all subsequent CnC communication only when this value is "-1".

The CnC instruction code is used to control the Trojan to perform several
corresponding behaviors, and its instruction code number and function
correspondence are shown in the following table.

Table 1 CnC Instruction Code

Note that instruction code 102 triggers a further CnC communication. The Trojan
issues an HTTP GET request for the remote file name given in the instruction
parameters, fetching it from the remote path "/getFile/[file name]" and
decrypting it. The decryption method is again base64 decoding followed by
multi-byte XOR, as shown below.

Figure 9 Communication logic in SideTwist Trojan 102 instruction code

After the CnC instruction has been carried out, the Trojan sends an HTTP POST
request to the CnC to report the execution result. The POST request body
contains information in the following format:

{"[CnC number]"}:{"[CnC instruction execution result]"}

Unlike common Trojan programs, this Trojan does not have a cyclic or sleep
mechanism and will automatically exit after a CnC communication, waiting for the
scheduled task to invoke the Trojan again 5 minutes later.
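As an added example (not code from the advisory or from NSFOCUS), the following Python decoder shows how an analyst could process a captured CnC response of the kind described above: it pulls the blob out of the <script>/* ... */</script> markers, base64-decodes it, XOR-decrypts it and splits the pipe-separated fields, flagging the "-1" terminator and the "/getFile/" path that a 102 instruction would make the implant request. Applying "notmersenne" as a cyclically repeating key is an assumption, and the sample response built by build_sample_response is constructed for the demonstration, not real traffic.

```python
import base64
import re
from typing import Optional

XOR_KEY = b"notmersenne"  # key string named in the analysis


def xor_with_key(data: bytes, key: bytes = XOR_KEY) -> bytes:
    """Repeating-key XOR; symmetric, so it both decrypts and re-encrypts.
    Assumption: the key is applied cyclically over the whole buffer."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


# Markers that delimit the hidden instruction inside the returned HTML.
MARKER_RE = re.compile(r"<script>/\*(.*?)\*/</script>", re.S)


def extract_payload(html: str) -> Optional[str]:
    m = MARKER_RE.search(html)
    return m.group(1).strip() if m else None


def decode_instruction(html: str) -> Optional[dict]:
    """Recover the pipe-separated instruction from a captured CnC response."""
    blob = extract_payload(html)
    if blob is None:
        return None
    plain = xor_with_key(base64.b64decode(blob)).decode("utf-8", "replace")
    fields = plain.split("|")
    if len(fields) < 2:
        return None
    number, code = fields[0].strip(), fields[1].strip()
    params = [p.strip() for p in fields[2:]]
    info = {"number": number, "code": code, "params": params,
            "terminate": number == "-1",  # "-1" ends further communication
            "fetch_path": None}
    if code == "102" and params:          # 102 fetches a remote file
        info["fetch_path"] = "/getFile/" + params[0]
    return info


def build_sample_response(instruction: str) -> str:
    """Constructed test fixture (not real traffic): wraps an instruction the
    way the decoder expects, using the same symmetric XOR and base64."""
    blob = base64.b64encode(xor_with_key(instruction.encode())).decode()
    return "<html><body>ok<script>/*" + blob + "*/</script></body></html>"


if __name__ == "__main__":
    print(decode_instruction(build_sample_response("7|102|report.txt|C:\\Temp")))
```

The fetch_path value is what to look for in proxy logs when hunting for follow-up GET requests after an observed 102 instruction.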


What is special about this APT34 attack event is that the SideTwist Trojan used
IP address as the CnC.

Port 443 of the IP address is not currently serving anything, so the nature of
the CnC server cannot be confirmed from the content returned by the IP address.

Querying the IP address assignment revealed that was assigned to
segment, owned by the United States Department of Defense Network
Information Center and located in Columbus, Ohio, United States, matching the
agency's geographic location.


The APT34 attack discovered this time not only shows its commonly-used attack
method, but also introduced a GCC-based variant of the SideTwist Trojan and a
sensitive IP address as the CnC address of the Trojan.

We believe that the specificity of this CnC IP suggests that the APT34 attacker
probably used this activity as a test and did not enable the real CnC address.
This is an operation to protect attack resources and a tactic that may be used
by APT groups, which means that APT groups will enable the real CnC address to
launch attacks only after completing debugging and ensuring the concealment of
the attack process.





Tags: #APT #Phishing #Trojan

