Saitama’s New Backdoor Targeted a Jordanian Foreign Ministry Official
A spear phishing campaign targeting the Jordanian Foreign Ministry has been observed dropping a new stealth backdoor dubbed Saitama.
Researchers from Malwarebytes and Fortinet FortiGuard Labs attributed the campaign to an Iranian cyber espionage actor tracked as APT34, citing similarities to past campaigns organized by the group.
“Like many of these attacks, the email contained a malicious attachment,” said Fortinet researcher Fred Gutierrez. “However, the attached threat was not common malware. Instead, it possessed the capabilities and techniques typically associated with Advanced Persistent Threats (APTs).”
APT34, also known as OilRig, Helix Kitten and Cobalt Gypsy, has been active since at least 2014 and has a track record of targeting the telecommunications, government, defense, oil and finance sectors in the Middle East and North Africa (MENA) via targeted phishing attacks.
Earlier in February, ESET linked the group to a long-running intelligence-gathering operation aimed at diplomatic organizations, tech companies and medical organizations in Israel, Tunisia and the United Arab Emirates.
The recently observed phishing message carries a weaponized Microsoft Excel document that, when opened, prompts the potential victim to enable macros, leading to the execution of a malicious Visual Basic for Applications (VBA) macro that drops the malware payload (“update.exe”).
Additionally, the macro takes care of establishing the persistence of the implant by adding a scheduled task that repeats every four hours.
A .NET-based binary, Saitama leverages the DNS protocol for its command and control (C2) communications as part of an effort to obfuscate its traffic, while employing a “finite state machine” approach to run the commands received from a C2 server.
“Ultimately, that basically means this malware is receiving tasks in a DNS response,” Gutierrez explained. DNS tunneling, as it is called, encodes data from other programs or protocols into DNS queries and responses.
In the final step, the results of the command execution are then sent back to the C2 server, with the exfiltrated data incorporated into a DNS query.
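The DNS tunneling pattern described above, where commands arrive in responses and results leave in queries, can be hunted for in resolver logs. The following is an added example (not code from the article or from either research team) that scores a constructed log for domains whose queries mostly carry long, high-entropy leftmost labels; the log format, the thresholds and the domain c2-placeholder.test are assumptions.

```python
import math
from collections import defaultdict

# Constructed resolver log (not from the article); the c2-placeholder.test queries stand in for tunnelled traffic.
SAMPLE_LOG = """\
10:00:01 10.0.0.5 www.example.com A
10:00:02 10.0.0.5 mail.example.com A
10:00:03 10.0.0.5 a3f9c2e1b7d4.c2-placeholder.test A
10:00:04 10.0.0.5 9e1d7b44aa02.c2-placeholder.test A
10:00:05 10.0.0.5 f0c3b2a1e9d8.c2-placeholder.test A
10:00:06 10.0.0.5 4b7e2d9c1f0a.c2-placeholder.test A
10:00:07 10.0.0.5 cdn.example.com A
"""

def shannon_entropy(s):
    # Bits per character: encoded payload labels score higher than real words.
    n = len(s)
    if n == 0:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def parse_log(text):
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            rows.append((parts[0], parts[1], parts[2].lower().rstrip("."), parts[3]))
    return rows

def registered_domain(qname):
    # Assumption: last two labels are the registrable domain (no public-suffix list offline).
    return ".".join(qname.split(".")[-2:])

def score_domains(rows, min_queries=3, max_label=10, min_entropy=3.0, ratio=0.8):
    # Flag domains where most queries carry a long, high-entropy leftmost label.
    stats = defaultdict(lambda: {"queries": 0, "odd": 0})
    for _, _, qname, _ in rows:
        dom = registered_domain(qname)
        stats[dom]["queries"] += 1
        first = qname.split(".")[0]
        if qname != dom and len(first) > max_label and shannon_entropy(first) >= min_entropy:
            stats[dom]["odd"] += 1
    return {dom: st for dom, st in stats.items()
            if st["queries"] >= min_queries and st["odd"] / st["queries"] >= ratio}

if __name__ == "__main__":
    print(score_domains(parse_log(SAMPLE_LOG)))
```

Real deployments should also count queries per client over time, since a beacon that polls every few hours produces a low but very regular volume rather than a burst.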
“With the amount of work that has gone into developing this malware, it doesn’t seem like it’s going to run once and then delete itself like other stealthy info-stealers,” Gutierrez said.
“Perhaps to avoid triggering behavioral detections, this malware also does not create persistence methods. Instead, it relies on the Excel macro to create persistence through a scheduled task.”