Alleged Iranian hackers target victims in Saudi Arabia with new spying malware

Suspected Iranian hackers recently launched a new cyber espionage operation, infecting their victims with the newly discovered Menorah malware, according to a report published Friday.

The hacking group APT34, also known as OilRig, Cobalt Gypsy, IRN2 and Helix Kitten, is believed to be based in Iran. It has been targeting Middle Eastern countries since at least 2014, mostly focusing on government organizations and businesses in the financial, energy, chemical, and telecommunications sectors.

In their most recent campaign, which began in August, the hackers sent phishing emails to victims believed to be based in Saudi Arabia, ultimately infecting them with the Menorah malware, according to researchers from Trend Micro.

The group’s malware is designed for cyber espionage: It can upload selected files from a compromised device, execute shell commands, and download files to the system.

According to a report, APT34's new malware resembles the SideTwist backdoor, which the group had used before. The new variant, however, has more features and is harder to detect.

“APT34 is in continuous-development mode, changing up and trying which routines and techniques will work,” the researchers said.

During the investigation, Trend Micro could obtain only very limited information about the victims targeted by APT34. Their phishing emails used a fake file registration form associated with the Seychelles Licensing Authority. This document had pricing information in Saudi Arabian currency, suggesting that the targeted victim was likely based in Saudi Arabia, according to the report.

APT34 has previously been involved in high-profile cyberattacks against various targets in the Middle East. Last year, it targeted a government official at Jordan’s foreign ministry with Saitama backdoor. In 2021, the group launched attacks on several banks in the Middle East.

“This group operates with a high degree of sophistication and seemingly vast resources, posing a significant cybersecurity challenge regionally and beyond,” the researchers said.