APT34 has been spotted in a malware campaign targeting customers and employees of a company that works closely with U.S. federal agencies, and state and local governments.

Iran-linked threat actor APT34 has been observed sending targeted, malicious email attachments to customers and employees of a company that works closely with U.S. government agencies.

The company in question is U.S.-based Westat, a professional services company that provides research services to U.S. state and local governments, as well as more than 80 federal agencies. Researchers at Intezer uncovered the campaign after detecting a malicious file in January (called survey.xls), purporting to be an employee satisfaction survey for Westat employees and customers.

The emails contain Excel spreadsheets that, once downloaded, at first appear to be blank, according to the analysis Only after victims enable macros on the spreadsheet does the survey appear – asking whether victims are satisfied by career-development opportunities and job-related training, for instance – but in the background, unbeknownst to them, malicious Visual Basic for Applications (VBA) programming code for macro is being executed.

This code unpacks a .ZIP file into a temporary folder, and then extracts and installs an executable file, which is run five minutes after it infects the system, Intezer said. This payload is the TONEDEAF malware, which is a backdoor capable of system information collection, file uploads and downloads, and arbitrary shell command execution.

“Westat understands that in their effort to identify threats and malware, Intezer has identified a malicious file that uses the Westat name and logo,” according to a Westat statement, published Thursday. “This file was not created by, hosted by or sent from Westat, and is likely the result of a bad actor stealing the Westat brand name and logo. Our cybersecurity team is working with Intezer and others to fully understand the nature of this report. We will continue to monitor the situation and respond accordingly.”

APT34 Activity

Researchers have linked this campaign to Iran-based APT34, a.k.a. OilRig or Greenbug, which specializes in cyber-espionage activity, and is known for attacks targeting a variety of organizations operating in the Middle East, including financial, energy and government entities. They said this latest campaign shows APT34 using a modified malware variant that is more advanced than previous efforts and which has new stealthy tactics.

“The last APT34 operation was exposed only a few months ago by FireEye, and judging by our current findings we can confidently state that the group has since evolved its operations,” said Intezer researchers Paul Litvak and Michael Kajilolti, in a Thursday analysis. “The technical analysis of the new malware variants reveals this Iranian government-backed group has invested substantial efforts into upgrading its toolset in an attempt to evade future detection.”

The downloaded executable file is actually a new version of the TONEDEAF malware, a backdoor commonly used by APT34 as a custom tool. It communicates with its command-and-control (C2) server via HTTP in order to receive and execute commands.

Modified Malware

TONEDEAF 2.0, as researchers call it, serves the same purpose as the original malware, with the same general flow and functionality. However, its code has been significantly changed, and it comes with evolved anti-detection capabilities.

“In contrast to the original TONEDEAF, TONEDEAF 2.0 contains solely arbitrary shell execution capabilities, and doesn’t support any predefined commands. It’s also more stealthy and contains new tricks such as dynamic importing, string decoding and a victim deception method,” researchers said.

In attempting to be more stealthy than its predecessor, TONEDEAF 2.0 hides many of its imported API calls, which are the commands in the code that tell systems to perform certain operations. The API call names and the libraries (DLLs) that contain them are instead stored as encoded strings, which are decoded and resolved on-demand during runtime.

TONEDEAF 2.0 also comes with a revamped C2 communication protocol – although it still has some similarities to its predecessor, such as the usage of three-digit identifiers for both the victim and the server, researchers said.

The ongoing attack comes on the heels of conflict between the U.S. and Iran, which saw a peak after U.S. drones on Jan. 3 killed Qassem Soleimani, an Iranian general with the Islamic Revolutionary Guard Corps who was highly-esteemed in Iran. On the heels of Soleimani’s killing, Iranian leaders vowed retaliation. Earlier in January, a U.S. government website was vandalized by hackers who posted images of a bloodied President Donald Trump being punched in the face and pro-Iran messages.