
New Saitama backdoor Targeted Official from Jordan’s Foreign Ministry

May 13, 2022

A spear-phishing campaign targeting Jordan’s foreign ministry has been observed dropping a new stealthy backdoor dubbed Saitama.

Researchers from Malwarebytes and Fortinet FortiGuard Labs attributed the campaign to an Iranian cyber espionage threat actor tracked under the moniker APT34, citing resemblances to previous campaigns staged by the group.

“Like many of these attacks, the email contained a malicious attachment,” Fortinet researcher Fred Gutierrez said. “However, the attached threat was not a garden-variety malware. Instead, it had the capabilities and techniques usually associated with advanced persistent threats (APTs).”



APT34, also known as OilRig, Helix Kitten, and Cobalt Gypsy, is known to have been active since at least 2014 and has a track record of striking telecom, government, defense, oil, and financial sectors in the Middle East and North Africa (MENA) via targeted phishing attacks.

Earlier this February, ESET tied the group to a long-running intelligence-gathering operation aimed at diplomatic organizations, technology companies, and medical organizations in Israel, Tunisia, and the United Arab Emirates.

Saitama backdoor

The newly observed phishing message contains a weaponized Microsoft Excel document; opening it prompts the potential victim to enable macros, leading to the execution of a malicious Visual Basic for Applications (VBA) macro that drops the malware payload (“update.exe”).

On top of that, the macro takes care of establishing persistence for the implant by adding a scheduled task that repeats every 4 hours.

A .NET-based binary, Saitama leverages the DNS protocol for its command-and-control (C2) communications as part of an effort to disguise its traffic, while using a “finite-state machine” approach to executing commands received from a C2 server.


“In the end, this basically means that this malware is receiving tasks inside a DNS response,” Gutierrez said. DNS tunneling, as it is called, makes it possible to encode the data of other programs or protocols in DNS queries and responses.

In the final stage, the results of the command execution are then sent back to the C2 server, with the exfiltrated data built into a DNS request.
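Because tasks arrive in DNS responses and results leave in DNS requests, a defender's first signal is the query names themselves: many unique, high-entropy subdomains under one base domain. The following is an added example, not code from the article or from the Fortinet and Malwarebytes research; the log lines, the `c2-placeholder.test` domain and the thresholds are constructed assumptions, not Saitama's actual encoding.

```python
import math
from collections import defaultdict

# Constructed DNS query log lines: timestamp, client, record type, queried name.
# Illustrative samples only, not traffic captured from the Saitama backdoor.
SAMPLE_LOG = """\
2022-05-13T08:00:01Z 10.0.0.5 A www.example.com
2022-05-13T08:00:02Z 10.0.0.5 A mail.example.com
2022-05-13T08:00:03Z 10.0.0.5 A 7q3x9zk2mv.c2-placeholder.test
2022-05-13T08:00:04Z 10.0.0.5 A ab81ffz0pq.c2-placeholder.test
2022-05-13T08:00:05Z 10.0.0.5 A zz91mcp3kq.c2-placeholder.test
2022-05-13T08:00:06Z 10.0.0.5 A y8trw0b4jn.c2-placeholder.test
2022-05-13T08:00:07Z 10.0.0.5 A www.example.com
"""

def shannon_entropy(s):
    """Bits of entropy per character; encoded data scores higher than words."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(s.count(ch) / n * math.log2(s.count(ch) / n) for ch in set(s))

def parse_log(text):
    """Yield (client, qname) from each well-formed constructed log line."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            yield parts[1], parts[3].lower().rstrip(".")

def split_name(qname):
    """Split a queried name into (subdomain, base); base is the last two labels."""
    labels = qname.split(".")
    if len(labels) <= 2:
        return "", qname
    return ".".join(labels[:-2]), ".".join(labels[-2:])

def flag_dns_tunneling(text, min_unique=4, min_entropy=3.0):
    """Return {base_domain: mean_subdomain_entropy} for domains that look like
    a tunnel: many distinct subdomains whose labels resemble encoded data.
    Thresholds are assumed starting points and should be tuned per environment."""
    subs = defaultdict(set)
    for _, qname in parse_log(text):
        sub, base = split_name(qname)
        if sub:
            subs[base].add(sub)
    flagged = {}
    for base, names in subs.items():
        if len(names) < min_unique:
            continue
        mean = sum(shannon_entropy(n.replace(".", "")) for n in names) / len(names)
        if mean >= min_entropy:
            flagged[base] = round(mean, 2)
    return flagged
```

Running `flag_dns_tunneling(SAMPLE_LOG)` flags only the constructed `c2-placeholder.test` domain; the two ordinary `example.com` names stay below the uniqueness threshold.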

“With the amount of work put into developing this malware, it does not appear to be the type to execute once and then delete itself, like other stealthy infostealers,” Gutierrez explained.

“Perhaps to avoid triggering any behavioral detections, this malware also does not create any persistence methods. Instead, it relies on the Excel macro to create persistence by way of a scheduled task.”



Some parts of this article are sourced from: thehackernews.com
