Iranian Hackers Target LinkedIn Users with Malware Attack

Iranian Hacker Group APT34 Target LinkedIn Users with Three New Malware

Iranian hackers have launched a new malware attack. The attack starts on the social networking site LinkedIn with an invitation to connect. Once the recipient accepts the connection, the hacker attempts to trick the user into downloading malicious files. The campaign was discovered in June by the cyber security research firm FireEye and is attributed to Advanced Persistent Threat group APT34, an Iranian state-sponsored hacking organization.

In this LinkedIn malware attack an invitation to connect is sent via LinkedIn’s platform. The profile that initiates the connection states that the LinkedIn user is a member of Cambridge University. I received one of these invitations (below). Depending on their user settings, victims may also receive the connection invitation as an email. Masquerading as a member of Cambridge University, the hacker sends a very business-like message in an attempt to get the recipient to open malicious documents.

Hacker LinkedIn Connection Malware

Iranian Hacking Skills Evolve

The FireEye post stated that, “The identification of new malware and the creation of additional infrastructure to enable such campaigns highlights the increased tempo of these operations in support of Iranian interests.” This attack shows that Iran's capabilities have advanced, with three new malware families added to its hacking tools. After a victim accepts the LinkedIn connection, the hacker sends a private message asking the target to check the accuracy of a supposed business file. In the sample obtained by FireEye, the attachment is a malicious Microsoft Excel spreadsheet (seen in the LinkedIn screenshot from FireEye). The Excel spreadsheet drops what looks like a MS Word document in C:\Users\\.templates but is really an executable file. The executable creates scheduled tasks and collects data on the infected machine.


Three new malware families are used in this attack. The goal appears to be to collect information about the infected system, upload files, and download more malware.

  • VALUEVAULT allows hackers to extract and view the credentials stored in the Windows Vault. It also extracts browser history to match web browser login credentials with websites.
  • LONGWATCH is a keylogger that writes keystrokes to a log.txt file in the Windows temp folder.
  • TONEDEAF is a new backdoor that communicates stolen data over HTTP or DNS.
  • A variant of PICKPOCKET was also identified. PICKPOCKET is a browser credential-theft tool.
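The dropper chain and the malware behaviours described above give a defender concrete host artifacts to look for: an Office process writing an executable, a file landing under C:\Users\<user>\.templates, a scheduled task created by or pointing at that dropped file, and a log.txt appearing in the user's temp folder. The following Python script is an added example, not code from FireEye or from the author of this post. It runs those four rules over constructed Sysmon-style events (Event ID 1 process-create and Event ID 11 file-create records as dictionaries); the user name, file names, task name and command lines are invented placeholders, not indicators from the report.

```python
"""Sysmon-style host-artifact triage for the LinkedIn dropper chain described above.

Added example for defenders; it is not code from FireEye or the article's author.
The events are constructed dictionaries mimicking Sysmon Event ID 1 (process
create) and Event ID 11 (file create); paths, user names and task names are
invented placeholders.
"""
import re

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}
EXEC_EXT = (".exe", ".dll", ".scr")
# The article places the dropped executable under C:\Users\<user>\.templates
TEMPLATES_DIR = re.compile(r"c:\\users\\[^\\]+\\\.templates\\", re.IGNORECASE)
# LONGWATCH writes keystrokes to log.txt in the Windows temp folder
TEMP_KEYLOG = re.compile(r"\\appdata\\local\\temp\\log\.txt$", re.IGNORECASE)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def office_drops_executable(ev: dict) -> bool:
    """An Office process writing an executable: the spreadsheet dropping its payload."""
    return (ev.get("EventID") == 11
            and basename(ev.get("Image", "")) in OFFICE_APPS
            and ev.get("TargetFilename", "").lower().endswith(EXEC_EXT))


def write_to_templates_dir(ev: dict) -> bool:
    """Any file landing in the .templates staging directory named in the report."""
    return ev.get("EventID") == 11 and bool(TEMPLATES_DIR.search(ev.get("TargetFilename", "")))


def schtasks_create_from_templates(ev: dict) -> bool:
    """schtasks /create launched by, or pointing at, the dropped executable (persistence)."""
    cmd = ev.get("CommandLine", "")
    return (ev.get("EventID") == 1
            and basename(ev.get("Image", "")) == "schtasks.exe"
            and " /create" in cmd.lower()
            and bool(TEMPLATES_DIR.search(ev.get("ParentImage", "")) or TEMPLATES_DIR.search(cmd)))


def keylog_in_temp(ev: dict) -> bool:
    """log.txt created in %TEMP%, the LONGWATCH keystroke output location."""
    return ev.get("EventID") == 11 and bool(TEMP_KEYLOG.search(ev.get("TargetFilename", "")))


RULES = [office_drops_executable, write_to_templates_dir,
         schtasks_create_from_templates, keylog_in_temp]


def triage(events):
    """Return (rule_name, RecordId) pairs for every event that matches a rule."""
    return [(rule.__name__, ev["RecordId"]) for ev in events for rule in RULES if rule(ev)]


def chain_observed(findings, minimum=3):
    """Treat the host as matching the reported chain once several distinct stages are seen."""
    return len({name for name, _ in findings}) >= minimum


# Constructed sample telemetry (not real logs). Records 1, 5 and 6 are benign noise.
SAMPLE_EVENTS = [
    {"RecordId": 1, "EventID": 1, "Image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": r'"EXCEL.EXE" C:\Users\alice\Downloads\review.xls'},
    {"RecordId": 2, "EventID": 11, "Image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "TargetFilename": r"C:\Users\alice\.templates\document.exe"},
    {"RecordId": 3, "EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Users\alice\.templates\document.exe",
     "CommandLine": r'schtasks /create /sc minute /mo 1 /tn "SystemCheck" /tr "C:\Users\alice\.templates\document.exe"'},
    {"RecordId": 4, "EventID": 11, "Image": r"C:\Users\alice\.templates\document.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\log.txt"},
    {"RecordId": 5, "EventID": 11, "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "TargetFilename": r"C:\Users\alice\Documents\notes.docx"},
    {"RecordId": 6, "EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "CommandLine": "schtasks /query /fo LIST"},
]

if __name__ == "__main__":
    hits = triage(SAMPLE_EVENTS)
    for name, rid in hits:
        print(f"record {rid}: {name}")
    print("chain observed:", chain_observed(hits))
```

Run on the sample, records 2, 3 and 4 fire while the benign Office save and the `schtasks /query` do not. In a real deployment the dictionaries would come from the Sysmon operational log (or an EDR's equivalent fields); the `.templates` path and `log.txt` name are exactly what the report describes, so they are brittle against a renamed variant, whereas the Office-writes-executable rule catches the dropper regardless of where it stages the file.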

APT34 LinkedIn Message FireEye

What is an APT Group?

An Advanced Persistent Threat group (APT) is an organized group of hackers, many of which operate under the direction of a government agency. Cyber security researchers often give them other names, such as Fancy Bear and Refined Kitten; APT34 is also called OilRig and Helix Kitten. Many APT groups conduct cyber espionage on behalf of their sponsors, stealing technology as well as money to help pay for other activities. APT groups target large corporations and other governments. They tend to follow a “low and slow” strategy rather than fast, brute-force attacks, an approach that allows their intrusions to go undetected for years. APT33 is another of Iran’s hacking groups.

Who is APT34?

APT34 is an Iranian state-sponsored hacking group active since at least 2014. The group focuses on data collection and attacks targets in the Middle East, concentrating on the financial sector, energy, utilities, and oil and gas industries as well as government entities. However, with recent tensions between the United States and Iran, and between Britain and Iran, APT34 cyber attacks against US and European targets are expected to increase. Recently the United States and Iran traded a volley of hacking attempts, with the US intending to disable Iranian military missile guidance systems.

What is Malware?

Malware is any unwanted computer code, app, or file that is downloaded to a laptop, router, smartphone, or other internet-connected device. Malware has malicious intent and can be used for anything from downloading more malware, to spying on the activities of the device, transmitting data about the device’s owner, and stealing banking credentials or credit card numbers. Malware can infect a device without the owner’s knowledge. Malware is often delivered via a phishing email, and social engineering is frequently part of the initial attack vector.

How do I Protect Myself Against Malware?

Decline APT34’s LinkedIn invitation to join their professional network. Do not accept connections from suspicious or incomplete-looking profiles.

I did receive a suspicious-looking LinkedIn connection request (above) from someone who supposedly worked at Cambridge University. I did not accept it because it seemed sketchy: a person working for a university in Boston stated their location as New York. Although remote work is possible, it warranted further scrutiny of their full profile. Their user profile was not complete, so I rejected it. When I checked back to write this post, the profile was unavailable.