www.trendmicro.com Open in urlscan Pro
23.206.209.41  Public Scan

Submitted URL: https://www.trendmicro.com/en_us/research/24/j/earth-simnavaz-cyberattacks-uae-gulf-regions.html
Effective URL: https://www.trendmicro.com/en_us/research/24/j/earth-simnavaz-cyberattacks.html
Submission Tags: falconsandbox
Submission: On December 09 via api from US — Scanned from DK

Form analysis 1 forms found in the DOM

<form class="main-menu-search" aria-label="Search Trend Micro">
  <div class="main-menu-search__field-wrapper" id="cludo-search-form">
    <table class="gsc-search-box">
      <tbody>
        <tr>
          <td class="gsc-input">
            <input type="text" class="gsc-input-field" name="search" title="search" placeholder="Search" autocomplete="off" aria-label="search">
          </td>
        </tr>
      </tbody>
    </table>
  </div>
</form>

Text Content

Business

search close

 * Solutions
   * By Challenge
       
     * By Challenge
         
       * By Challenge
         Learn more
         
     * Understand, Prioritize & Mitigate Risks
         
       * Understand, Prioritize & Mitigate Risks
         
         Improve your risk posture with attack surface management
         
         Learn more
         
     * Protect Cloud-Native Apps
         
       * Protect Cloud-Native Apps
         
         Security that enables business outcomes
         
         Learn more
         
     * Protect Your Hybrid World
         
       * Protect Your Hybrid, Multi-Cloud World
         
         Gain visibility and meet business needs with security
         
         Learn more
         
     * Securing Your Borderless Workforce
         
       * Securing Your Borderless Workforce
         
         Connect with confidence from anywhere, on any device
         
         Learn more
         
     * Eliminate Network Blind Spots
         
       * Eliminate Network Blind Spots
         
         Secure users and key operations throughout your environment
         
         Learn more
         
     * See More. Respond Faster.
         
       * See More. Respond Faster.
         
         Move faster than your adversaries with powerful purpose-built XDR,
         attack surface risk management, and zero trust capabilities
         
         Learn more
         
     * Extend Your Team
         
       * Extend Your Team. Respond to Threats Agilely
         
         Maximize effectiveness with proactive risk reduction and managed
         services
         
         Learn more
         
     * Operationalizing Zero Trust
         
       * Operationalizing Zero Trust
         
         Understand your attack surface, assess your risk in real time, and
         adjust policies across network, workloads, and devices from a single
         console
         
         Learn more
         
   * By Role
       
     * By Role
         
       * By Role
         Learn more
         
     * CISO
         
       * CISO
         
         Drive business value with measurable cybersecurity outcomes
         
         Learn more
         
     * SOC Manager
         
       * SOC Manager
         
         See more, act faster
         
         Learn more
         
     * Infrastructure Manager
         
       * Infrastructure Manager
         
         Evolve your security to mitigate threats quickly and effectively
         
         Learn more
         
     * Cloud Builder and Developer
         
       * Cloud Builder and Developer
         
         Ensure code runs only as intended
         
         Learn more
         
     * Cloud Security Ops
         
       * Cloud Security Ops
         
         Gain visibility and control with security designed for cloud
         environments
         
         Learn more
         
   * By Industry
       
     * By Industry
         
       * By Industry
         Learn more
         
     * Healthcare
         
       * Healthcare
         
         Protect patient data, devices, and networks while meeting regulations
         
         Learn more
         
     * Manufacturing
         
       * Manufacturing
         
         Protecting your factory environments – from traditional devices to
         state-of-the-art infrastructures
         
         Learn more
         
     * Oil & Gas
         
       * Oil & Gas
         
         ICS/OT Security for the oil and gas utility industry
         
         Learn more
         
     * Electric Utility
         
       * Electric Utility
         
         ICS/OT Security for the electric utility
         
         Learn more
         
     * Federal
         
       * Federal
         Learn more
         
     * Automotive
         
       * Automotive
         Learn more
         
     * 5G Networks
         
       * 5G Networks
         Learn more
         
   * Small & Midsized Business Security
       
     * Small & Midsized Business Security
       
       Stop threats with easy-to-use solutions designed for your growing
       business
       
       Learn more
       
 * Platform
   * Vision One Platform
       
     * Vision One Platform
         
       * Trend Vision One
         Our Unified Platform
         
         Bridge threat protection and cyber risk management
         
         Learn more
         
     * AI Companion
         
       * Trend Vision One Companion
         
         Your generative AI cybersecurity assistant
         
         Learn more
         
   * Attack Surface Management
       
     * Attack Surface Management
       
       Stop breaches before they happen
       
       Learn more
       
   * XDR (Extended Detection & Response)
       
     * XDR (Extended Detection & Response)
       
       Stop adversaries faster with a broader perspective and better context to
       hunt, detect, investigate, and respond to threats from a single platform
       
       Learn more
       
   * Cloud Security
       
     * Cloud Security
         
       * Trend Vision One™
         Cloud Security Overview
         
         The most trusted cloud security platform for developers, security
         teams, and businesses
         
         Learn more
         
     * Attack Surface Risk Management for Cloud
         
       * Attack Surface Risk Management for Cloud
         
         Cloud asset discovery, vulnerability prioritization, Cloud Security
         Posture Management, and Attack Surface Management all in one
         
         Learn more
         
     * XDR for Cloud
         
       * XDR for Cloud
         
         Extend visibility to the cloud and streamline SOC investigations
         
         Learn more
         
     * Workload Security
         
       * Workload Security
         
         Secure your data center, cloud, and containers without compromising
         performance by leveraging a cloud security platform with CNAPP
         capabilities
         
         Learn more
         
     * Container Security
         
       * Container Security
         
         Simplify security for your cloud-native applications with advanced
         container image scanning, policy-based admission control, and container
         runtime protection
         
         Learn more
         
     * File Security
         
       * File Security
         
         Protect application workflow and cloud storage against advanced threats
         
         Learn more
         
   * Endpoint Security
       
     * Endpoint Security
         
       * Endpoint Security Overview
         
         Defend the endpoint through every stage of an attack
         
         Learn more
         
     * XDR for Endpoint
         
       * XDR for Endpoint
         
         Stop adversaries faster with a broader perspective and better context
         to hunt, detect, investigate, and respond to threats from a single
         platform
         
         Learn more
         
     * Workload Security
         
       * Workload Security
         
         Optimized prevention, detection, and response for endpoints, servers,
         and cloud workloads
         
         Learn more
         
     * Industrial Endpoint Security
         
       * Industrial Endpoint Security
         Learn more
         
     * Mobile Security
         
       * Mobile Security
         
         On-premises and cloud protection against malware, malicious
         applications, and other mobile threats
         
         Learn more
         
   * Network Security
       
     * Network Security
         
       * Network Security Overview
         
         Expand the power of XDR with network detection and response
         
         Learn more
         
     * XDR for Network
         
       * XDR for Network
         
         Stop adversaries faster with a broader perspective and better context
         to hunt, detect, investigate, and respond to threats from a single
         platform
         
         Learn more
         
     * Network Intrusion Prevention (IPS)
         
       * Network Intrusion Prevention (IPS)
         
         Protect against known, unknown, and undisclosed vulnerabilities in your
         network
         
         Learn more
         
     * Breach Detection System (BDS)
         
       * Breach Detection System (BDS)
         
         Detect and respond to targeted attacks moving inbound, outbound, and
         laterally
         
         Learn more
         
     * Secure Service Edge (SSE)
         
       * Secure Service Edge (SSE)
         
         Redefine trust and secure digital transformation with continuous risk
         assessments
         
         Learn more
         
     * 5G Network Security
         
       * 5G Network Security
         Learn more
         
     * Industrial Network Security
         
       * Industrial Network Security
         Learn more
         
   * Email Security
       
     * Email Security
         
       * Email Security
         
         Stop phishing, malware, ransomware, fraud, and targeted attacks from
         infiltrating your enterprise
         
         Learn more
         
     * Email and Collaboration Security
         
       * Trend Vision One™
         Email and Collaboration Security
         
         Stop phishing, ransomware, and targeted attacks on any email service
         including Microsoft 365 and Google Workspace
         
         Learn more
         
   * OT Security
       
     * OT Security
         
       * OT Security
         
         Learn about solutions for ICS / OT security.
         
         Learn more
         
     * XDR for OT
         
       * XDR for OT
         
         Stop adversaries faster with a broader perspective and better context
         to hunt, detect, investigate, and respond to threats from a single
         platform
         
         Learn more
         
     * Industrial Network Security
         
       * Industrial Network Security
         Industrial Network Security
         
     * Industrial Endpoint Security
         
       * Industrial Endpoint Security
         Learn more
         
   * Threat Insights
       
     * Threat Insights
       
       See threats coming from miles away
       
       Learn more
       
   * Identity Security
       
     * Identity Security
       
       End-to-end identity security from identity posture management to
       detection and response
       
       Learn more
       
   * On-Premises Data Sovereignty
       
     * On-Premises Data Sovereignty
       
       Prevent, detect, respond and protect without compromising data
       sovereignty
       
       Learn more
       
   * All Products, Services, and Trials
       
     * All Products, Services, and Trials
       Learn more
       
 * Research
   * Research
       
     * Research
         
       * Research
         Learn more
         
     * Research, News, and Perspectives
         
       * Research, News, and Perspectives
         Learn more
         
     * Research and Analysis
         
       * Research and Analysis
         Learn more
         
     * Security News
         
       * Security News
         Learn more
         
     * Zero Day Initiatives (ZDI)
         
       * Zero Day Initiatives (ZDI)
         Learn more
         
 * Services
   * Our Services
       
     * Our Services
         
       * Our Services
         Learn more
         
     * Service Packages
         
       * Service Packages
         
         Augment security teams with 24/7/365 managed detection, response, and
         support
         
         Learn more
         
     * Managed XDR
         
       * Managed XDR
         
         Augment threat detection with expertly managed detection and response
         (MDR) for email, endpoints, servers, cloud workloads, and networks
         
         Learn more
         
     * Incident Response
         
       * Incident Response
           
         * Incident Response
           
           Our trusted experts are on call whether you're experiencing a breach
           or looking to proactively improve your IR plans
           
           Learn more
           
       * Insurance Carriers and Law Firms
           
         * Insurance Carriers and Law Firms
           
           Stop breaches with the best response and detection technology on the
           market and reduce clients’ downtime and claim costs
           
           Learn more
           
     * Support Services
         
       * Support Services
         Learn more
         
 * Partners
   * Partner Program
       
     * Partner Program
         
       * Partner Program Overview
         
         Grow your business and protect your customers with the best-in-class
         complete, multilayered security
         
         Learn more
         
     * Partner Competencies
         
       * Partner Competencies
         
         Stand out to customers with competency endorsements that showcase your
         expertise
         
         Learn more
         
     * Partner Successes
         
       * Partner Successes
         Learn more
         
     * Managed Security Service Provider
         
       * Managed Security Service Provider
         
         Deliver modern security operations services with our industry-leading
         XDR
         
         Learn more
         
     * Managed Service Provider
         
       * Managed Service Provider
         
         Partner with a leading expert in cybersecurity, leverage proven
         solutions designed for MSPs
         
         Learn more
         
   * Alliance Partners
       
     * Alliance Partners
         
       * Alliance Partners
         
         We work with the best to help you optimize performance and value
         
         Learn more
         
     * Technology Alliance Partners
         
       * Technology Alliance Partners
         Learn more
         
     * Find Alliance Partners
         
       * Find Alliance Partners
         Learn more
         
   * Partner Resources
       
     * Partner Resources
         
       * Partner Resources
         
         Discover resources designed to accelerate your business’s growth and
         enhance your capabilities as a Trend Micro partner
         
         Learn more
         
     * Partner Portal Login
         
       * Partner Portal Login
         Login
         
     * Trend Campus
         
       * Trend Campus
         
         Accelerate your learning with Trend Campus, an easy-to-use education
         platform that offers personalized technical guidance
         
         Learn more
         
     * Co-Selling
         
       * Co-Selling
         
         Access collaborative services designed to help you showcase the value
         of Trend Vision One™ and grow your business
         
         Learn more
         
     * Become a Partner
         
       * Become a Partner
         Learn more
         
     * Distributors
         
       * Distributors
         Learn more
         
   * Find Partners
       
     * Find Partners
       
       Locate a partner from whom you can purchase Trend Micro solutions
       
       Learn more
       
 * Company
   * Why Trend Micro
       
     * Why Trend Micro
         
       * Why Trend Micro
         Learn more
         
     * Customer Success Stories
         
       * Customer Success Stories
         Learn more
         
     * The Human Connection
         
       * The Human Connection
         Learn more
         
     * Industry Accolades
         
       * Industry Accolades
         Learn more
         
     * Strategic Alliances
         
       * Strategic Alliances
         Learn more
         
   * Compare Trend Micro
       
     * Compare Trend Micro
         
       * Compare Trend Micro
         
         See how Trend outperforms the competition
         
         Let's go
         
     * vs. Crowdstrike
         
       * Trend Micro vs. Crowdstrike
         
         Crowdstrike provides effective cybersecurity through its cloud-native
         platform, but its pricing may stretch budgets, especially for
         organizations seeking cost-effective scalability through a true single
         platform
         
         Let's go
         
     * vs. Microsoft
         
       * Trend Micro vs. Microsoft
         
         Microsoft offers a foundational layer of protection, yet it often
         requires supplemental solutions to fully address customers' security
         problems
         
         Let's go
         
     * vs. Palo Alto Networks
         
       * Trend Micro vs. Palo Alto Networks
         
         Palo Alto Networks delivers advanced cybersecurity solutions, but
         navigating its comprehensive suite can be complex and unlocking all
         capabilities requires significant investment
         
         Let's go
         
   * About Us
       
     * About Us
         
       * About Us
         Learn more
         
     * Trust Center
         
       * Trust Center
         Learn more
         
     * History
         
       * History
         Learn more
         
     * Diversity, Equity and Inclusion
         
       * Diversity, Equity and Inclusion
         Learn more
         
     * Corporate Social Responsibility
         
       * Corporate Social Responsibility
         Learn more
         
     * Leadership
         
       * Leadership
         Learn more
         
     * Security Experts
         
       * Security Experts
         Learn more
         
     * Internet Safety and Cybersecurity Education
         
       * Internet Safety and Cybersecurity Education
         Learn more
         
     * Legal
         
       * Legal
         Learn more
         
     * Investors
         
       * Investors
         Learn more
         
     * Formula E Racing
         
       * Formula E Racing
         Learn more
         
   * Connect With Us
       
     * Connect With Us
         
       * Connect With Us
         Learn more
         
     * Newsroom
         
       * Newsroom
         Learn more
         
     * Events
         
       * Events
         Learn more
         
     * Careers
         
       * Careers
         Learn more
         
     * Webinars
         
       * Webinars
         Learn more
         

Back

Back

Back

Back

 * Free Trials
 * Contact Us

Looking for home solutions?
Under Attack?
2 Alerts

Back
Unread
All


 * Join us at AWS re:Invent for demos and expert-led sessions on AI-powered
   security.
   
   close
   
   Supercharge your security >

 * Transform your security strategy and proactively reduce risk.
   
   close
   
   Learn how

Folio (0)
Support
 * Business Support Portal
 * Education and Certification
 * Contact Support
 * Find a Support Partner

Resources
 * AI Security
 * Trend Micro vs. Competition
 * Cyber Risk Assessments
 * What Is?
 * Threat Encyclopedia
 * Cyber Insurance
 * Glossary of Terms
 * Webinars

Log In
 * Vision One
 * Support
 * Partner Portal
 * Cloud One
 * Product Activation and Management
 * Referral Affiliate

Back

arrow_back
search



close

Content has been added to your Folio

Go to Folio (0) close

APT & Targeted Attacks


EARTH SIMNAVAZ (AKA APT34) LEVIES ADVANCED CYBERATTACKS AGAINST MIDDLE EAST

Trend Micro's investigation into the recent activity of Earth Simnavaz provides
new insights into the APT group’s evolving tactics and the immediate threat it
poses to sectors in the Middle East.

By: Mohamed Fahmy, Bahaa Yamany, Ahmed Kamal, Nick Dai October 11, 2024 Read
time: 9 min (2475 words)

Save to Folio

Subscribe

--------------------------------------------------------------------------------

SUMMARY

 * Trend Micro researchers have been monitoring a cyber espionage group known as
   Earth Simnavaz, also referred to as APT34 and OilRig, which has been actively
   targeting leading entities in the Middle East.
 * The group utilizes sophisticated tactics that include deploying backdoors
   that leverage Microsoft Exchange servers for credentials theft, and
   exploiting vulnerabilities like CVE-2024-30088 for privilege escalation.
 * Earth Simnavaz's uses a combination of customized .NET tools, PowerShell
   scripts, and IIS-based malware to allow their malicious activity to blend in
   with normal network traffic and avoid traditional detection methods.
 * Their recent activity suggests that Earth Simnavaz is focused on abusing
   vulnerabilities in key infrastructure of geopolitically sensitive regions.
   They also seek to establish a persistent foothold in compromised entities, so
   these can be weaponized to launch attacks on additional targets.


Recently, Trend Micro has been tracking Earth Simnavaz (also known as APT34 and
OilRig), a cyber espionage group. This group primarily targets organizations in
the energy sector, particularly those involved in oil and gas, as well as other
infrastructure. It is known for using sophisticated tactics, techniques, and
procedures (TTPs) to gain unauthorized access to networks and exfiltrate
sensitive information.

In recent months, there has been a notable rise in cyberattacks attributed to
this APT group specifically targeting infrastructure in the Middle East region.
This escalation in activity underscores the group's ongoing commitment to
exploiting vulnerabilities within infrastructure frameworks in these
geopolitically sensitive areas.

Our latest research has identified  Earth Simnavaz’s deployment of a
sophisticated new backdoor, which bears striking similarities to malware related
to this APT group, as documented in our previous research. This new backdoor
facilitates the exfiltration of sensitive credentials, including accounts and
passwords, through on-premises Microsoft Exchange servers. Such tactics not only
reflect the group's evolving methodologies but also highlight the persistent
threat posed to organizations reliant on these platforms.

Moreover, Earth Simnavaz has been observed using the same technique of abusing
the dropped password filter policy as detailed in our earlier findings. This
technique enables attackers to extract clean-text passwords, further
compromising the integrity of targeted systems.

In addition to these methods, the group has leveraged a remote monitoring and
management (RMM) tool known as ngrok in their operations. This tool allows for
the seamless tunneling of traffic, providing attackers with an effective means
to maintain persistence and control over compromised environments.

The threat actors have also recently added CVE-2024-30088 to their toolset,
exploiting this vulnerability for privilege escalation in targeted systems.
Integrating this into their toolkit highlights Earth Simnavaz’s continuous
adaptation by exploiting newer vulnerabilities to make their attacks stealthier
and more effective.

Earth Simnavaz’s activities highlight the ongoing threat posed by
state-sponsored cyber actors, particularly in sectors vital to national security
and economic stability. As the threat landscape continues to evolve,
understanding the tactics these groups use is crucial for developing effective
defense strategies against such sophisticated adversaries.

ATTACK CHAIN

The initial point of entry for these attacks has been traced back to a web shell
uploaded to a vulnerable web server (Figure 1). This web shell not only allows
the execution of PowerShell code but also enables attackers to download and
upload files from and to the server, thereby expanding their foothold within the
targeted networks.

Once inside the network, the APT group leveraged this access to download the
ngrok remote management tool, facilitating lateral movement and enabling them to
reach the Domain Controller. During their operations, the group exploited
CVE-2024-30088 – the Windows Kernel Elevation of Privilege vulnerability – as a
means of privilege escalation, utilizing an exploit binary that was loaded into
memory via the open-source tool RunPE-In-Memory.

This allowed them to register a password filter DLL, which subsequently dropped
a backdoor responsible for exfiltrating sensitive data through the Exchange
server. The exfiltrated data was relayed to a mail address controlled by the
threat actor, effectively completing the infection chain and ensuring the
attackers maintained control over the compromised environment.

Figure 1. Attack chain
download

Earth Simnavaz has been known to leverage compromised organizations to conduct
supply chain attacks on other entities. We expected that the threat actor could
use the stolen accounts to initiate new attacks through phishing against
additional targets.

There is also a documented overlap between Earth Simnavaz and another APT group,
FOX Kitten. In August, an alert from the Cybersecurity and Infrastructure
Security Agency (CISA) highlighted FOX Kitten's role in enabling ransomware
attacks targeting organizations in the US and the Middle East. These threats
should be taken seriously, as the potential impact on compromised entities could
be significant.

OBSERVED TOOLSET AND TECHNIQUES

An initial infection was detected when a web shell was uploaded to a vulnerable
web server. This web shell extracts values from HTTP request headers ("func" and
"command"), as shown in Figure 2. By passing both arguments to other functions,
the web shell allows the threat actor to perform various actions (Table 1):

Command Function Execute PowerShell Command on infected server func=Exc &
Command= PW command to be executed Download specific file from infected server
func=Exc & Command= FilePath Upload File into infected server func=Exc & Command
= content of file to be written on infected server

Table 1. Capabilities provided by the web shell

Figure 2. Values extracted from HTTP request headers
download

The web shell also decrypts arguments received from the threat actor. It takes a
Base64-encoded, AES-encrypted string, decrypts it using a specified key and
initialization vector (IV), and returns the decrypted plaintext (Figure 3).

Figure 3. Decrypted string
download

The response sent back to the threat actor is encrypted using a different
function. This response is encrypted with AES using the given key IV. The
resulting encrypted string is Base64-encoded (Figure 4). 

Figure 4. Response sent back to the threat actor
download

EXPLOITING CVE-2024-30088 FOR PERSISTENCE

After the web shells were implanted on the victim machines, another file called
“r.exe” was dropped and executed. This is a simple loader that takes the first
argument as the input file, decodes it in one-byte-XOR operation, and executes
it. The codes in this loader were reused from an open-source tool (Figure 5).
The payload file was encoded to bypass traditional detection methods.

Figure 5. Decoding routine in r.exe
download

A payload file called “p.enc” comes with the loader under the same folder. The
decoded payload turns out to be a privilege escalation tool. As its PDB string
represents, this tool exploits CVE-2024-30088:

C:\Users\reymond\Desktop\CVE-2024-30088-main\x64\Release\poc.pdb

This vulnerability, which was patched in June, allows threat actors to run
arbitrary code in the context of SYSTEM and it works on multiple versions of
Windows 10 and 11.

Our analysis showed that the codes were reused from an open-source project
(Figure 6). By using RunPE-In-Memory, combined with CVE-2024-30088, the threat
actor was able to carry out their malicious actions stealthily.

Figure 6. Reused code
download

This privilege escalation tool is coded to execute another dropped executable
named “t.exe”, a .NET-compiled installer that creates persistence by using the
predefined task definition “e.xml”. The installed schedule task is for executing
the script “u.ps1”. The final “u.ps1” we collected seemed to be replaced with a
useless script, leading us to suspect that the threat actors intentionally
altered the script and disrupted the incident investigation.

Figure 7. Creating persistence using “e.xml”
download

ABUSING THE DROPPED PASSWORD FILTER POLICY

As mentioned earlier, the threat actor has been observed utilizing a tool
similar to one identified in our previous research on the same entity. This tool
exploits on-premises Exchange servers to exfiltrate credentials to email
accounts under their control.

Additionally, abusing the dropped password filter policy has been detected as a
method for acquiring credentials, which are then exfiltrated via email. Threat
actors can manipulate password filters to intercept or retrieve credentials from
domain users via domain controllers or local accounts on local machines. This
exploitation occurs because the password validation process necessitates the
plaintext password from the Local Security Authority (LSA).

Consequently, deploying and registering a malicious password filter can
facilitate credential harvesting each time a user updates their password. This
technique necessitates elevated privileges (local administrator access) and can
be executed through the following steps:

 1. Password Filter psgfilter.dll be dropped into C:\Windows\System32
 2. Registry key modification to register the Password Filter [DLL
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa
    Notification Packages = scecli, psgfilter]

By using this technique, the threat actor can capture and harvest every password
from compromised machines, even after they have been modified. The malicious DLL
includes three exported functions (Figure 9) that facilitate the primary
functionality of registering the DLL with the LSA (Figure 8):

 * InitializeChangeNotify: Indicates that a password filter DLL is initialized.
 * PasswordChangeNotify: Indicates that a password has been changed.
 * PasswordFilter: Validates a new password based on password policy.

Figure 8. Registering the DLL with the LSA
download
Figure 9. Functions exported by DLL
download

The malicious actor took great care in working with the plaintext passwords
while implementing the password filter export functions. Similar to the incident
in our previous research, the threat actor also utilized plaintext passwords to
gain access and deploy tools remotely.  The plaintext passwords were first
encrypted before being exfiltrated when sent over networks.

EXFILTRATING DATA THROUGH LEGITIMATE MAIL TRAFFIC

The primary function of the exfiltration tool (identified by Trend Micro as
STEALHOOK involves retrieving valid domain credentials from a specific location,
which it then uses to access the Exchange Server for data exfiltration. The key
objective of this stage is to capture the stolen passwords and transmit them to
the attackers as email attachments. Additionally, we observed that the threat
actors leverage legitimate accounts with stolen passwords to route these emails
through Exchange Servers.

The backdoor exhibits significant similarities to one previously attributed to
the same group in our earlier research. The main functionalities of the backdoor
can be categorized as follows:


 * Retrieving User Credentials (Figure 10) – Calls the GetUserPassFromData
   function to retrieve the username and password needed for authentication from
   this file: C:\ProgramData\WindowsUpdateService\UpdateDir\edf 

Figure 10. The backdoor retrieving user credentials
download
 * Retrieving Email Sending Data (Figure 11) – Calls the GetSendData function to
   retrieve necessary configuration data for sending an email from this file:
   C:\ProgramData\WindowsUpdateService\UpdateDir\edf 
   
   
   * Server: The specific Exchange mail server for the targeted victim where the
     data is leaked through.
   * Target: The email addresses through which the malicious actors receive the
     exfiltrated data.
   * Domain: The internal active directory (AD) domain name related to the
     targeted entity.

Figure 11. The backdoor retrieving email sending data
download
 * Sending Email (Figure 12) – If the configuration data retrieval is
   successful, the program constructs a message containing the user credentials
   and the configuration data. The email is sent with a specified subject and
   body, and all files in the following directory are attached:
   C:\ProgramData\WindowsUpdateService\UpdateDir
   * Email Subject:  "Update Service"
   * Body: "Update Service Is Running..."

Figure 12. The backdoor sending emails
download

USING RMM TOOLS

The threat actor recently upgraded their toolkit by incorporating RMM tools such
as ngrok in their latest attacks. Ngrok is a legitimate tool used to create
secure tunnels from a local machine to the internet, allowing access to internal
services through public URLs. However, cyber attackers can exploit ngrok to
bypass firewalls and network security controls for malicious purposes. They may
use it to establish command-and-control (C&C) communication, exfiltrate
sensitive data, or deploy payloads by creating undetected tunnels between
compromised machines and their servers, making it harder for security teams to
detect suspicious activity.

The ngrok tool was downloaded onto the server using a PowerShell script (Figure
13), after which a WMI command was utilized to authenticate to a remote server,
copy the file, and execute it remotely.

Figure 13. Downloading ngrok
download

It appears that the threat actor utilized this tool in the later stages of the
attack, leveraging a valid account and password for authentication. These
credentials were likely obtained during earlier phases of the operation, in
which accounts and passwords were stolen and exfiltrated.

ATTRIBUTION

Multiple data points and indicators attribute this attack to Earth Simnavaz,
with evidence showing that the group remains active, specifically targeting
Middle Eastern countries. This campaign, like that in our previously reported
research, involved the targeting of Exchange servers and relaying communications
through them. A significant similarity has been observed at both the code and
functionality levels between the Exchange backdoor used in this attack and the
one seen in the earlier campaign. Additionally, both tools share characteristics
with the Karkoff backdoor, which is also linked to the same threat actors and
exploits the Exchange Web Services (EWS) API for malicious activities. Earth
Simnavaz’s tactics also overlap with that of FOX Kitten, another threat group
which likewise has been observed using the RMM tool ngrok.

TREND MICRO VISION ONE THREAT INTELLIGENCE 

To stay ahead of evolving threats, Trend Micro customers can access a range of
Intelligence Reports and Threat Insights within Trend Micro Vision One. Threat
Insights helps customers stay ahead of cyber threats before they happen and be
better prepared for emerging threats. It offers comprehensive information on
threat actors, their malicious activities, and the techniques they use. By
leveraging this intelligence, customers can take proactive steps to protect
their environments, mitigate risks, and respond effectively to threats.

Trend Micro Vision One Intelligence Reports App [IOC Sweeping]

Advanced Cyberattacks Against Gulf Regions

Earth Simnavaz Levies Advanced Cyberattacks Against Gulf Regions

Trend Micro Vision One Threat Insights App

Threat Actor/s:  Earth Simnavaz

Emerging Threat:  Earth Simnavaz (aka APT34) Levies Advanced Cyberattacks
Against Middle East

CONCLUSION

APT groups like Earth Simnavaz have become increasingly active, particularly in
targeting infrastructure in the Middle East. Based on the group’s toolset and
activities, it’s evident that they aim to establish a persistent presence within
compromised entities, using the affected infrastructure to launch further
attacks on additional targets. Their primary goals appear to be espionage and
the theft of sensitive information.

Earth Simnavaz continues to rely on IIS-based malware such as web shells,
customized .NET tools, and PowerShell scripts as core components of their attack
arsenal. Recent campaigns have confirmed this technique remains actively in use.
Geopolitical tensions likely play a significant role in this surge, so the
Middle East should take these threats seriously. Earth Simnavaz’s approach
involves blending into normal network activity and customizing its malware to
avoid detection.

Intelligence-driven incident response will be essential in effectively managing
and mitigating these types of attacks. While the group’s techniques haven’t
evolved drastically, implementing a Zero Trust architecture, alongside mature
SOC, EDR, and MDR capabilities, can greatly enhance defensive measures against
threats like that posed by Earth Simnavaz.

INDICATORS OF COMPROMISE (IOCS)

SHA-256 Detection Description
6e4f237ef084e400b43bc18860d9c781c851012652b558f57527cf61bee1e1ef
Trojan.PS1.DULLDROP.I624 temp.ps1
b3257f0c0ef298363f89c7a61ab27a706e9e308c22f1820dc4f02dfa0f68d897
Trojan.Win64.DULLOAD.I t.exe
abfc8e9b4b02e196af83608d5aaef1771354b32c898852dff532bd8cfd2ce59d
Backdoor.ASP.DULLWSHELL.I624 Defaults.aspx
43c83976d9b6d19c63aef8715f7929557e93102ff0271b3539ccf2ef485a01a7 N/A u.ps1
ca98a24507d62afdb65e7ad7205dfe8cd9ef7d837126a3dfc95a74af873b1dc5
Backdoor.ASP.DULLWSHELL.I624 Defaults.aspx
7ebbeb2a25da1b09a98e1a373c78486ed2c5a7f2a16eec63e576c99efe0c7a49 N/A
Microsoft.Exchange.WebServices.dll
c0189edde8fa030ff4a70492ced24e325847b04dba33821cf637219d0ddff3c9
Backdoor.ASP.DULLWSHELL.I624 Logout.aspx
6d8bdd3e087b266d493074569a85e1173246d1d71ee88eca94266b5802e28112
HackTool.Win64.CVE202430088.I p.enc
db79c39bc06e55a52741a9170d8007fa93ac712df506632d624a651345d33f91
TrojanSpy.MSIL.STEALHOOK.A Update.dll
27a0e31ae16cbc6129b4321d25515b9435c35cc2fa1fc748c6f109275bee3d6c Contains the
task of  that t.exe source e.xml
54e8fbae0aa7a279aaedb6d8eec0f95971397fea7fcee6c143772c8ee6e6b498
Trojan.Win64.DULLOAD.I r.exe
a24303234e0cc6f403fca8943e7170c90b69976015b6a84d64a9667810023ed7
Trojan.Win64.STEALHOOK.A passwin.dll
1169d8fe861054d99b10f7a3c87e3bbbd941e585ce932e9e543a2efd701deac2
HackTool.PS1.DullScan.I p.ps1
af979580849cc4619b815551842f3265b06497972c61369798135145b82f3cd8
Trojan.PS1.DULLDROP.I j.ps1
1d2ff65ac590c8d0dec581f6b6efbf411a2ce5927419da31d50156d8f1e3a4ff
Backdoor.ASP.DULLWSHELL.I624 Defaults.aspx
abfc8e9b4b02e196af83608d5aaef1771354b32c898852dff532bd8cfd2ce59d
Backdoor.ASP.DULLWSHELL.I624 s.inc
98fb12a9625d600535df342551d30b27ed216fed14d9c6f63e8bf677cb730301 Renamed Ngrok
n.exe ca98a24507d62afdb65e7ad7205dfe8cd9ef7d837126a3dfc95a74af873b1dc5
Backdoor.ASP.DULLWSHELL.I624 Globals.aspx

Tags
APT & Targeted Attacks | Articles, News, Reports | Research


AUTHORS

 * Mohamed Fahmy
   
   Threat Researcher

 * Bahaa Yamany
   
   Sr. Incident Response Analyst

 * Ahmed Kamal
   
   Sr. Incident Response Analyst

 * Nick Dai
   
   Sr. Threat Researcher

Contact Us
Subscribe


RELATED ARTICLES

 * AI Configuration Best Practices to address AI Security Risks
 * The Road to Agentic AI: Exposed Foundations
 * MOONSHINE Exploit Kit and DarkNimbus Backdoor Enabling Earth Minotaur’s
   Multi-Platform Attacks

See all articles


Experience our unified platform for free


 * Claim your 30-day trial

 * 
 * 
 * 
 * 
 * 


RESOURCES

 * Blog
 * Newsroom
 * Threat Reports
 * Find a Partner
 * 
 * 


SUPPORT

 * Business Support Portal
 * Contact Us
 * Downloads
 * Free Trials
 * 
 * 


ABOUT TREND

 * About Us
 * Careers
 * Locations
 * Upcoming Events
 * Trust Center
 * 

Country Headquarters

Trend Micro - United States (US)

225 East John Carpenter Freeway
Suite 1500
Irving, Texas 75062

Phone: +1 (817) 569-8900

Select a country / region

United States expand_more
close

THE AMERICAS

 * United States
 * Brasil
 * Canada
 * México

MIDDLE EAST & AFRICA

 * South Africa
 * Middle East and North Africa

EUROPE

 * België (Belgium)
 * Česká Republika
 * Danmark
 * Deutschland, Österreich Schweiz
 * España
 * France
 * Ireland
 * Italia
 * Nederland
 * Norge (Norway)
 * Polska (Poland)
 * Suomi (Finland)
 * Sverige (Sweden)
 * Türkiye (Turkey)
 * United Kingdom

ASIA & PACIFIC

 * Australia
 * Центральная Азия (Central Asia)
 * Hong Kong (English)
 * 香港 (中文) (Hong Kong)
 * भारत गणराज्य (India)
 * Indonesia
 * 日本 (Japan)
 * 대한민국 (South Korea)
 * Malaysia
 * Монголия (Mongolia) and рузия (Georgia)
 * New Zealand
 * Philippines
 * Singapore
 * 台灣 (Taiwan)
 * ประเทศไทย (Thailand)
 * Việt Nam

Privacy | Legal | Accessibility | Terms of Use | Site map

Copyright ©2024 Trend Micro Incorporated. All rights reserved

Copyright ©2024 Trend Micro Incorporated. All rights reserved


sXpIBdPeKzI9PC2p0SWMpUSM2NSxWzPyXTMLlbXmYa0R20xk

This website uses cookies for website functionality, traffic analytics,
personalization, social media functionality and advertising. Our Cookie Notice
provides more information and explains how to amend your cookie settings.Learn
more
Cookies Settings Accept

✓
Tak fordi du delte!
AddToAny
Mere…


BDOW!
word word word word word word word word word word word word word word word word
word word word word word word word word word word word word word word word word
word word word word word word word word word word word word word word word word
word word word word word word word word word word word word word word word word
word word word word word word word word word word word word word word word word
word word word word word word word word word word word word word word word word
word word word word word word word word word word word word word word word word
word word word word word word word word word word word word word word word word
word word word word word word word word word word word word word word word word
word word word word word word word word word word word word word word word word
word word word word word word word word word word word word word word word word
word word word word word word word word word word word word word word word word
word word word word word word word word

mmMwWLliI0fiflO&1
mmMwWLliI0fiflO&1
mmMwWLliI0fiflO&1
mmMwWLliI0fiflO&1
mmMwWLliI0fiflO&1
mmMwWLliI0fiflO&1
mmMwWLliI0fiflO&1