What we can learn from APT34 using a fake University of Cambridge LinkedIn profile
Updated: Jan 22
Last week, FireEye reported a phishing campaign which they had identified and traced back to the Iranian group APT34. It's an interesting case which really highlights how social engineering methods have evolved way beyond traditional email phishing, combined with fantastic technical analysis from the team at FireEye.
How did the social engineering part work?
According to FireEye, APT34 used a fake LinkedIn profile going by the name "Rebecca Watts" and masquerading as research staff at the University of Cambridge to target people working in three sectors: energy and utilities, government, and oil and gas. "Rebecca Watts" used LinkedIn to apparently solicit resumes for potential job opportunities and then sent the target an excel spreadsheet with an embedded exploit.
How did the technical exploit work?
Multiple tools are used in this exploit, they consist of the following, in this order: TONEDEAF Dropper, TONEDEAF, VALUEVAULT, LONGWATCH and finally PICKPOCKET Using a domain that looked like it belonged to the esteemed University of Cambridge hxxp[://]www[.]cam-research-ac[.]com the LinkedIn profile linked to an excel spreadsheet called "ERFT-Details.xls". This is what is known as the TONEDEAF Dropper. This spreadsheet included VBA Code to create a system.doc file and another piece of code then created a scheduled task to run "System Manager.exe". Finally, before closing, the final piece of code renamed the "system.doc" file to "System Manager.exe". TONEDEAF is now installed and running on the infected device.
This effectively creates the file and causes it to run every five minutes. This code then communicates with a Command & Control (C2) service running on the following domain offlineearthquake[.]com.
The TONEDEAF service then runs the following tools:
VALUEVAULT steals stored credentials from browsers and pulls out browser history to enable matching of credentials to websites
LONGWATCH basically a keylogger of everything typed on the device
PICKPOCKET steals login credentials stored in Internet Explorer, Firefox and Chrome
All of the stolen data taken by the above three tools is then exfiltrated out to the C2 server into the hands of the group.
What can we learn from this case?
This case is a reminder that social engineering does not just take place over email. Perhaps you're starting to shape your messages for Cyber Security Awareness Month in October; if so consider referencing cases such as this, which highlight the need to be vigilant of communications across all platforms, including social media sites such as LinkedIn and Twitter, and messaging apps such as WhatsApp. We need to be wary of links and attachments regardless of the medium through which they are shared.
From a technical standpoint making sure your Intrusion Detection Systems (IDS) are up-to- date and logging is not only turned on but being monitored. Check that antivirus is running and up to date. Make sure that macros are disabled by default and, again, consider this as a message for your awareness-raising activities.
The message sent by "Rebecca Watts" started with the line "Really I'm very busy now", which is a clever little psychological trick. It humanises the profile, potentially making her seem more believeable than a "hard sell" approach. It puts an obstacle in the way of the recipient asking for more information or questioning "Rebecca". Likewise, by choosing the University of Cambridge as her purported employer, the attackers co-opted the credibility of this world-renowned institution. Flattery and authority are powerful social engineering tools, used in many attacks. In short, the attackers used tricks that make us more likely to click. Cyber criminals understand what makes us more susceptible to social engineering; we need to harness that understanding in building our defences.
For more information on FireEye's discovery and analysis, read their detailed blogpost.