APT34 is an Iranian cyber espionage group that has been active since at least 2014. The group has targeted a variety of industries, including financial, government, energy, chemical, and telecommunications, and has largely focused its operations within the Middle East. FireEye assesses that the group works on behalf of the Iranian government based on infrastructure details that contain references to Iran, use of Iranian infrastructure, and targeting that aligns with nation-state interests. APT34 loosely aligns with public reporting related to OilRig, but may not wholly align, because companies track threat groups in different ways. [1]
- Associated group name: APT34 [1]
- Deobfuscate/Decode Files or Information - APT34 has used certutil to decode base64-encoded files on victims. [1]
- Credential Dumping - APT34 has dumped credentials from victims in several ways, including by using the open source tools Mimikatz and LaZagne, or by harvesting credentials when users log into Outlook Web Access. [2]
- Network Service Scanning - APT34 has used the publicly available tool SoftPerfect Network Scanner as well as a custom tool called GOLDIRONY to conduct network scanning. [2]
- Remote Desktop Protocol - APT34 uses Remote Desktop Protocol for lateral movement. The group has also used tunneling tools to tunnel RDP into the environment. [2]
- Standard Application Layer Protocol - APT34 malware often uses HTTP and DNS for C2. The group has also used the Plink utility and other tools to create tunnels to C2 servers. [2]
- Standard Cryptographic Protocol - APT34 used the Plink utility and other tools to create tunnels to C2 servers. [2]
- External Remote Services - APT34 uses remote services such as VPN, Citrix, or OWA to persist in an environment. [2]
- Password Policy Discovery - APT34 has used net.exe in a script with `net accounts /domain` to find the password policy of a domain. [3]
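Several of the techniques listed above leave a distinctive process command line on the endpoint: certutil invoked with a decode switch, `net accounts /domain`, and Plink started with a port-forwarding flag. The following detection sketch is an added example, not code from the original page or from any of the cited reports. It runs a few command-line rules over constructed process-creation records (host, parent process, command line, in the shape one would pull from Sysmon Event ID 1 or Security event 4688) and groups the hits per host, since several of these techniques appearing on one machine is a stronger signal than any single match. The sample events, rule names and regular expressions are my own assumptions; the only identifiers taken from the page are the tool names certutil, net.exe and Plink.

```python
import re
from dataclasses import dataclass

# Constructed sample process-creation records, not real telemetry.
# Each tuple is (host, parent process image, full command line).
SAMPLE_EVENTS = [
    ("ws01", "cmd.exe", "certutil -decode C:\\Users\\Public\\in.txt C:\\Users\\Public\\out.exe"),
    ("ws01", "cmd.exe", "net accounts /domain"),
    ("srv02", "explorer.exe", "plink.exe -N -R 3389:127.0.0.1:3389 user@198.51.100.7"),
    ("ws03", "explorer.exe", "notepad.exe C:\\Users\\alice\\notes.txt"),
    # Benign certutil use: hashing a file is not the decode behaviour in the report.
    ("ws03", "cmd.exe", "certutil -hashfile C:\\Windows\\System32\\kernel32.dll SHA256"),
]


@dataclass(frozen=True)
class Rule:
    name: str        # short analyst-facing label (assumed naming)
    technique: str   # ATT&CK technique name as written on the page
    pattern: re.Pattern


# Rules are case-insensitive because Windows command lines are. The patterns are
# assumptions written for this example, not signatures from the cited reports.
RULES = [
    Rule("certutil decode", "Deobfuscate/Decode Files or Information",
         re.compile(r"\bcertutil(?:\.exe)?\b.*\s[-/]decode(?:hex)?\b", re.I)),
    Rule("domain password policy query", "Password Policy Discovery",
         re.compile(r"\bnet1?(?:\.exe)?\s+accounts\s+/domain\b", re.I)),
    # Plink's -L/-R/-D switches set up local, remote or dynamic port forwarding.
    Rule("plink port forward", "Standard Application Layer Protocol",
         re.compile(r"\bplink(?:\.exe)?\b.*\s-[LRD]\s*\d+", re.I)),
]


def match_events(events, rules=RULES):
    """Return (host, rule name, technique, command line) for every event/rule pair
    that matches. One event may hit more than one rule."""
    hits = []
    for host, _parent, cmdline in events:
        for rule in rules:
            if rule.pattern.search(cmdline):
                hits.append((host, rule.name, rule.technique, cmdline))
    return hits


def summarize_by_host(hits):
    """Map each host to the set of techniques observed on it, so an analyst can
    see which of the reported behaviours co-occur on a single machine."""
    per_host = {}
    for host, _name, technique, _cmdline in hits:
        per_host.setdefault(host, set()).add(technique)
    return per_host


if __name__ == "__main__":
    for host, techniques in sorted(summarize_by_host(match_events(SAMPLE_EVENTS)).items()):
        print(f"{host}: {', '.join(sorted(techniques))}")
```

The benign `certutil -hashfile` record is there deliberately: a rule on the certutil image alone would fire on routine administration, so the pattern keys on the decode switch the report actually describes. In production the same logic would read from a SIEM rather than an in-memory list, and the per-host grouping would be bounded by a time window.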
- [1] Sardiwal, M., et al. (2017, December 7). New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit. Retrieved December 20, 2017.
- [2] Davis, S. and Caban, D. (2017, December 19). APT34 - New Targeted Attack in the Middle East. Retrieved December 20, 2017.