New APT34 Malware Targets The Middle East

We found the initial stage .Net dropper malware called MrPerfectInstaller (detected by Trend Micro as Trojan.MSIL.REDCAP.AD) responsible for dropping four different files, with each component stored in a Base64 buffer inside the main dropper. It drops the following:

1. %System%\psgfilter.dll: The password filter dynamic link library (DLL) used to provide a way to implement the password policy and change notification
2. %ProgramData%\WindowsSoftwareDevices\DevicesSrv.exe: The main .Net responsible for exfiltrating and leaking specific files dropped into the root path of this backdoor execution. This backdoor requires the .Net library implementing Microsoft Exchange webservices to authenticate with the victim mail server and exfiltrate through it.
3. %ProgramData%\WindowsSoftwareDevices\Microsoft.Exchange.WebServices.dll: The library to support the second component’s capability.
4. %ProgramData%\WindowsSoftwareDevices\DevicesSrv.exe.config: An app configuration file for runtimes of the .Net execution environment. This allows the option of falling back to .Net 2.0.

The dropper also adds the following registry key to assist in implementing the password filter dropped earlier:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa
Notification Packages = scecli, psgfilter

The main .Net binary implements two arguments for its operation: the first argument for installing the second stage, and the second argument for uninstalling it and unregistering the password filter dropped.

Second Stage:  Abusing The Dropped Password Filter Policy

Microsoft introduced Password Filters for system administrators to enforce password policies and change notifications. These filters are used to validate new passwords, confirm that these are aligned with the password policy in place, and ensure that no passwords in use can be considered compliant with the domain policy but are considered weak.

These password filters can be abused by a threat actor as a method to intercept or retrieve credentials from domain users (domain controller) or local accounts (local computer). This is because for password filters to perform, password validation requires the password of the user in plaintext from the Local Security Authority (LSA). Therefore, installing and registering an arbitrary password filter could be used to harvest credentials every time a user changes his password. This technique requires elevated access (local administrator) and can be implemented with the following steps:

1. Password Filter psgfilter.dll be dropped into C:\Windows\System32
2. Registry key modification to register the Password Filter [DLL HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa
   Notification Packages = scecli, psgfilter]

Using this technique, the malicious actor can capture and harvest every password from the compromised machines even after the modification. The DLL has three export functions to implement the main functionality of support for registering the DLL into the LSA, as follows:

• InitializeChangeNotify: Indicates that a password filter DLL is initialized.
• PasswordChangeNotify: Indicates that a password has been changed.
• PasswordFilter: Validates a new password based on password policy.

When implementing the password filter export functions, the malicious actor took great care working with the plaintext passwords. When sent over networks, the plaintext passwords were first encrypted before being exfiltrated.

Data Exfiltration Through Legitimate Mail Traffic

The main backdoor function (detected by Trend Micro as Backdoor.MSIL.REDCAP.A) receives the valid domain credentials as an agrument and uses it to log on to the Exchange Server and use it for data exfilteration purposes. The main function of this stage is to take the stolen password from the argument and send it to the attackers as an attachment in an email. We also observed that the threat actors relay these emails via government Exchange Servers using vaild accounts with stolen passwords.

First, the .Net backdoor parses a config file dropped in the main root path where it is executing from and checks for a file callled ngb inside <%ProgramData%\WindowsSoftwareDevices\DevicesTemp\> to extract three parameters:

• Server: The specific Exchange mail server for the targeted government entity where the data is leaked through.
• Target: The email addresses where the malicious actors receive the exfiltrated data in.
• Domain: The internal active directory (AD) domain name related to the targeted government entity in the Middle East.

However, the malware also supports for the modification of old passwords to new ones, which are sent through the registered DLL password filter.

The malware proceeds to initialize an ExchangeService object in the first step and supplies the stolen credentials as WebCredentials to interface with the victim mail server in the second step. Using these Exchange Web Service (EWS) bindings, the malicious actor can send mails to external recipients on behalf of any stolen user and initialize a new instance of the WebCredentials class with the username and password for the account to authenticate.

The malware then iterates through the files found under the target path. For each file found, it adds its path to a list, which will be exfilterated later in the last step.

The final stage is to iterate over the collected list of file paths. For each path, it prepares an EmailMessage object with the subject “Exchange Default Message”, and a mail body content of “Exchange Server is testing services.” The iteration attaches the whole file to this EmailMessage object and sends it using the previous initalized EWS form (Steps 1 and 2 in Figure 10), which already authenticated the user account.

APT34 Targeting and Arsenal Evolution

APT34 has been documented to target organizations worldwide, particularly companies from the financial, government, energy, chemical, and telecommunications industries in the Middle East since at least 2014. Documented as a group primarily involved for cyberespionage, APT34 has been previously recorded targeting government offices and show no signs of stopping with their intrusions. Our continuous monitoring of the group proves it continues to create new and updated tools to minimize the detection of their arsenal: Shifting to new data exfilteration techniques — from the heavy use of DNS-based command and control (C&C) communication to combining it with the legitimate simple mail transfer protocol (SMTP) mail traffic — to bypass any security policies enforced on the network perimeters.

From three previously documented attacks, we observed that while the group uses simple malware families, these deployments show the group’s flexibility to write new malware based on researched customer environments and levels of access. This level of skill can make attribution for security researchers and reverse engineers more difficult in terms of tracking and monitoring because patterns, behaviors, and tools can be completely different for every compromise.

For instance, in the two separate attacks using Karkoff (detected by Trend Micro as Backdoor.MSIL.OILYFACE.A) in 2020 and Saitama (detected by Trend Micro as Backdoor.MSIL.AMATIAS.THEAABB) in 2022, the group used macros inside Excel files as part of the first stage to send phishing emails since the group did not have access to the enterprise yet. Contrary to this newest compromise, however, the first stage was rewritten completely in DotNet and executed by the actor directly.

Moreover, Karkoff malware has a full backdoor module using a government exchange server as a communication channel via send/received commands over an exchanged server, and used a hardcoded account to authenticate the said communication. Compared to the new malware, the latest compromise seems to be rewritten to use the same technique but only to exfiltrate data over the mail channel. Aside from using hardcoded accounts as exchange accounts, APT34 can add a new module that can monitor changes in passwords and use the new accounts to send mails, exfiltrating data via Microsoft Exchange servers.

Based on a 2019 report on APT34, the top countries targeted by the group are:

• The United Arab Emirates
• China
• Jordan
• Saudi Arabia

While not at the top of the group’s list, other countries in the Middle East considered as targets are Qatar, Oman, Kuwait, Bahrain, Lebanon, and Egypt.

Attribution Analysis

There are several data points and indicators that suggest APT34 carried out this attack, and that this group is still active in targeting countries in the Middle East with a special focus on compromising government entities.

1.     The first stage dropper

The first stage dropper between the Saitama backdoor and this new operation’s first stage .Net dropper have a few similarities. Despite the dated Saitama operation’s first stage dropper, a VBA macro that drops the actual .Net backdoor Saitama malware, the new attack implemented in the group’s latest deployment is a .Net dropper that drops the actual malware. Both deployments’ final stages leverage EWS’ Managed API (Microsoft.Exchange.WenServices.dll).

2.     Leveraging exchange servers for communications (Uni- and bidirectional)

Both this campaign and the Karkoff campaign made use of targeted exchange servers and relayed communications through it. In the previous campaign, this was reportedly done with the deployment of the Karkoff implant. The old Karkoff sample attributed to APT34 share a common functionality for abusing the EWS API.

3.      The victim targeted

APT34 has been documented for targeting countries in the Middle East. In a previous campaign analyzed by Yoroi Labs, the Karkoff sample (SHA256: 1f47770cc42ac8805060004f203a5f537b7473a36ff41eabb746900b2fa24cc8) attributed to APT34 has the mail server domain hardcoded inside the sample. Alongside the target mail recipient the attackers receive information from is the same hardcoded mail server domain found in the latest backdoor, including the targeted Exchange Server for a government ministry. Both samples included some hardcoded credentials as well. However, the newer backdoor includes support for stealing the new passwords of previously compromised users who changed their passwords, ensuring their legitimate accounts stay compromised.

Conclusions

At first glance, security teams can mistakenly tag the sample as safe or as a benign activity given the validity of the domains and mail credentials. It will take more experienced analysts to see that the domains abused is part of a bigger active directory domain “forest”, which share a trust relationship with each other to allow different government ministries or agencies to communicate. Considering we found a compromised account from one entity inside a sample sourced from a different agency indicates APT34 now has a deep foothold in the government domain forest.

Following the stages executed, APT34’s repeated use of the Saitama backdoor technique in the first stage indicates a confidence that even the dated malware’s technique will continue to work and initiate compromise.

The next stages for exfiltrating data, however, are considerably new and are considered exploratory for the group. Despite the routine’s simplicity, the novelty of the second and last stages also indicate that this entire routine can just be a small part of a bigger campaign targeting governments. We continue tracking and monitoring the abuse of this threat to determine the depth and breadth of this compromise.

Indicators of Compromise (IOCs)

Emails abused

• Jaqueline[.]Herrera@proton[.]me
• Ciara[.]Stoneburner@proton[.]me
• marsha[.]fischer556@gmail[.]com
• Kathryn[.]Firkins@proton[.]me
• Susan[.]potts454@proton[.]me
• Earl[.]butler945@gmail[.]com