Last week, FireEye reported a phishing campaign which it identified and traced back to the Iranian group APT34. It's an interesting case which highlights how social engineering has evolved well beyond traditional email phishing, combined with excellent technical analysis from the FireEye team.
How did the social engineering part work?
According to FireEye, APT34 used a fake LinkedIn profile going by the name "Rebecca Watts" and masquerading as research staff at the University of Cambridge to target people working in three sectors: energy and utilities, government, and oil and gas. "Rebecca Watts" used LinkedIn to solicit résumés, apparently for potential job opportunities, and then sent the target an Excel spreadsheet carrying malicious VBA macros.
How did the technical side of the attack work?
Multiple tools are used in this attack, in the following order: the TONEDEAF dropper, TONEDEAF, VALUEVAULT, LONGWATCH and finally PICKPOCKET.
Using a domain that looked like it belonged to the esteemed University of Cambridge, hxxp[://]www[.]cam-research-ac[.]com, the LinkedIn profile linked to an Excel spreadsheet called "ERFT-Details.xls". This is what is known as the TONEDEAF dropper. The spreadsheet contained VBA code that wrote a file called "System.doc" to disk, then created a scheduled task to run "System Manager.exe", and finally, just before closing, renamed "System.doc" to "System Manager.exe". TONEDEAF is now installed on the infected device, and the scheduled task causes it to run every five minutes. Once running, it communicates with a Command and Control (C2) server at the domain offlineearthquake[.]com.
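The three-step macro behaviour described above (an Office process writes a file, registers a scheduled task pointing at a differently named executable, then renames the file to that name) is a behaviour chain rather than a single indicator, which makes it a good candidate for correlation in endpoint telemetry. The Python sketch below is an added example, not FireEye's code and not from the original post: it scores each host on whether all three stages occur within a short window. The event schema (`type`, `image`, `target`, `cmdline`), the sample events, the file paths and the task name are all constructed for this example and are not published indicators.

```python
"""Correlate the TONEDEAF-dropper style macro chain across endpoint events.

Added example; the event format is a generic EDR-style schema, not Sysmon's
exact field names, and every sample event below is constructed.
"""
import re
from collections import defaultdict

# Stage 1: an Office process writes a file named System.doc.
# Stage 2: schtasks /create registers a task that runs "System Manager.exe".
# Stage 3: System.doc is renamed to System Manager.exe.
OFFICE_PROCS = {"excel.exe", "winword.exe", "powerpnt.exe"}
DROP_NAME = re.compile(r"(^|\\)system\.doc$", re.IGNORECASE)
TASK_CMD = re.compile(r"schtasks(\.exe)?\s.*?/create\b", re.IGNORECASE)
PAYLOAD_NAME = re.compile(r"system manager\.exe", re.IGNORECASE)

# Constructed sample telemetry (paths and task name are assumptions).
EXCEL = "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE"
SCHTASKS = "C:\\Windows\\System32\\schtasks.exe"
TMP = "C:\\Users\\alice\\AppData\\Local\\Temp\\"
SAMPLE_EVENTS = [
    {"ts": 1000, "host": "ws-finance-07", "type": "process_create",
     "image": EXCEL, "cmdline": 'EXCEL.EXE "ERFT-Details.xls"'},
    {"ts": 1003, "host": "ws-finance-07", "type": "file_create",
     "image": EXCEL, "target": TMP + "System.doc"},
    {"ts": 1004, "host": "ws-finance-07", "type": "process_create",
     "image": SCHTASKS,
     "cmdline": 'schtasks /create /tn SystemManager /tr "'
                + TMP + 'System Manager.exe" /sc minute /mo 5'},
    {"ts": 1005, "host": "ws-finance-07", "type": "file_rename",
     "image": EXCEL, "source": TMP + "System.doc",
     "target": TMP + "System Manager.exe"},
    # A benign scheduled task and a lone System.doc on another host:
    # neither should fire on its own.
    {"ts": 1010, "host": "ws-hr-02", "type": "process_create",
     "image": SCHTASKS,
     "cmdline": "schtasks /create /tn Backup /tr C:\\Tools\\backup.exe /sc daily"},
    {"ts": 1020, "host": "ws-hr-02", "type": "file_create",
     "image": EXCEL, "target": "C:\\Users\\bob\\Documents\\System.doc"},
]


def classify(event):
    """Map one event to a chain stage ('drop', 'task', 'rename') or None."""
    image = event.get("image", "").rsplit("\\", 1)[-1].lower()
    kind = event.get("type")
    if kind == "file_create" and image in OFFICE_PROCS \
            and DROP_NAME.search(event.get("target", "")):
        return "drop"
    if kind == "process_create":
        cmd = event.get("cmdline", "")
        if TASK_CMD.search(cmd) and PAYLOAD_NAME.search(cmd):
            return "task"
    if kind == "file_rename" and DROP_NAME.search(event.get("source", "")) \
            and PAYLOAD_NAME.search(event.get("target", "")):
        return "rename"
    return None


def find_chains(events, window_s=300):
    """Return {host: [stages in time order]} for hosts showing all three
    stages within window_s seconds. Partial chains are deliberately ignored:
    a stray System.doc or an ordinary schtasks call is not evidence by itself.
    """
    first_seen = defaultdict(dict)
    for ev in events:
        stage = classify(ev)
        if stage:
            first_seen[ev["host"]].setdefault(stage, ev["ts"])
    hits = {}
    for host, seen in first_seen.items():
        if {"drop", "task", "rename"} <= seen.keys():
            if max(seen.values()) - min(seen.values()) <= window_s:
                hits[host] = sorted(seen, key=seen.get)
    return hits


if __name__ == "__main__":
    for host, stages in find_chains(SAMPLE_EVENTS).items():
        print(f"ALERT {host}: macro dropper chain {' -> '.join(stages)}")
```

Run against the constructed events, only `ws-finance-07` is reported; `ws-hr-02` has a benign task and an unrelated `System.doc` and stays quiet. In a real deployment the same logic would sit on Sysmon or EDR events, and the interesting generalisation is the shape of the chain (Office process, file write, persistence via scheduled task, rename to the persisted name) rather than the specific file names, which an attacker can change at will.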
TONEDEAF then runs the following tools:
VALUEVAULT steals credentials stored by browsers and pulls out browser history so that the credentials can be matched to the websites they belong to
LONGWATCH is essentially a keylogger that records everything typed on the device
PICKPOCKET steals login credentials stored in Internet Explorer, Firefox and Chrome
All of the stolen data taken by the above three tools is then exfiltrated out to the C2 server into the hands of the group.
What can we learn from this case?
This case is a reminder that social engineering does not just take place over email. Perhaps you're starting to shape your messages for Cyber Security Awareness Month in October; if so consider referencing cases such as this, which highlight the need to be vigilant of communications across all platforms, including social media sites such as LinkedIn and Twitter, and messaging apps such as WhatsApp. We need to be wary of links and attachments regardless of the medium through which they are shared.
From a technical standpoint, make sure your intrusion detection systems (IDS) are up to date and that logging is not only turned on but actively monitored; the dropper chain described above (an Office process writing a file, registering a scheduled task and renaming the payload) is exactly the kind of behaviour that endpoint logging should surface. Check that antivirus is running and up to date. Make sure that macros are disabled by default and, again, consider this as a message for your awareness-raising activities.
The message sent by "Rebecca Watts" started with the line "Really I'm very busy now", which is a clever little psychological trick. It humanises the profile, potentially making her seem more believable than a "hard sell" approach, and it puts an obstacle in the way of the recipient asking for more information or questioning "Rebecca". Likewise, by choosing the University of Cambridge as her purported employer, the attackers co-opted the credibility of a world-renowned institution. Flattery and authority are powerful social engineering tools, used in many attacks. In short, the attackers used tricks that make us more likely to click. Cyber criminals understand what makes us susceptible to social engineering; we need to harness that same understanding in building our defences.
For more information on FireEye's discovery and analysis, read their detailed blogpost.