Alleged Iranian hackers caught targeting Jordan’s foreign ministry

Cybersecurity researchers with Malwarebytes said they discovered a malicious email targeting a government official at Jordan’s foreign ministry, and it appeared to originate from a prolific threat group allegedly based in Iran. 

The company’s threat intelligence team said Tuesday it identified the suspicious message on April 26. It contained a malicious Excel document that delivered Saitama, a new hacking tool used to provide a backdoor into systems. 

Jordan's Foreign Ministry did not respond to requests for comment.

Malwarebytes attributed the email to a threat group commonly known as APT34, which experts believe is based in Iran and has been seen targeting other Middle Eastern countries since at least 2014. The group has been given several names by cyber companies — including OilRig, Cobalt Gypsy, IRN2 and Helix Kitten — and has mostly targeted government organizations and businesses in the financial, energy, chemical and telecommunications sectors.

“The malicious email was sent to the victim via a Microsoft Outlook account with the subject ‘Confirmation Receive Document’ with an Excel file called ‘Confirmation Receive Document.xls.’ The sender pretends to be a person from the Government of Jordan by using its coat of arms as a signature,” the report explained. 

Victims are tricked into enabling a macro while malicious code silently runs. The Excel document shows a decoy sheet containing the Government of Jordan's coat of arms. pic.twitter.com/5dV8DtVLPb

— Malwarebytes Threat Intelligence (@MBThreatIntel) May 10, 2022

The researchers attributed the campaign to APT34 because the malicious documents used in the attack resembled previous campaigns identified last year by other cybersecurity companies, including Check Point. 

“More specifically similar to what was mentioned in Check Point’s report this maldoc registers a scheduled task that would launch the executable every X minutes, also it uses the same anti sandboxing technique (checking if there is a mouse connected to the PC or not),” Malwarebytes explained.

The researchers also said they saw "a similar pattern to beacon back to the attacker server and inform the attacker about the current stage of execution."

Malwarebytes also identified several indicators and similarities that were connected to past campaigns targeting Jordan and others. Cybersecurity firm Mandiant previously tied APT34 to a campaign targeting banks in the Middle East. 

The Saitama backdoor abuses the Domain Name System (DNS) protocol, which helps internet users and network devices discover websites using human-readable hostnames instead of numeric IP addresses.

Malwarebytes said Saitama is stealthier than other backdoors because it abuses the DNS protocol for its command and control communications as opposed to other communication methods. 

There are also indications that the malware “was clearly targeted and also indicates that the actor has some previous knowledge about the internal infrastructure of the victim,” according to Malwarebytes.