An advanced persistent threat (APT) group linked to Iran has updated its malware arsenal with a new backdoor known as Marlin, part of an ongoing espionage campaign that has been active since April 2018.

The Slovak cybersecurity firm ESET has attributed the attacks, which it tracks under the codename “Out to Sea”, to the threat group OilRig (also referred to as APT34). ESET has also established connections between OilRig and another Iranian group, Lyceum (also tracked as Hexane or SiameseKitten).

The victims of this espionage effort include diplomatic organizations, technology firms and medical institutions in Israel, Tunisia and the United Arab Emirates, as outlined in ESET’s T3 2021 Threat Report. OilRig, operational since at least 2014, frequently targets Middle Eastern governmental entities and the chemical, energy, financial and telecommunications sectors. In April 2021 the group targeted a Lebanese organization with malware known as SideTwist, while earlier intrusions attributed to Lyceum focused on IT firms in Israel, Morocco, Tunisia and Saudi Arabia.

The evolution of Lyceum’s tooling is particularly noteworthy: since the campaign began in 2018 the group has introduced several backdoors, starting with DanBot, moving on to Shark and Milan in 2021, and using the newly introduced Marlin in attacks detected in August of that year.

In a notable shift from historical OilRig practice, which typically relied on DNS and HTTPS for command-and-control (C2), Marlin uses Microsoft’s OneDrive API for its C2 communications, so its traffic goes to a legitimate cloud service rather than to attacker-owned infrastructure. ESET reported that initial access came through spear-phishing as well as through remote access tools such as ITbrain and TeamViewer. The similarities in tooling and methodology between OilRig’s and Lyceum’s backdoors were deemed “too numerous and specific” to disregard.
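C2 over a legitimate cloud API cannot be blocked at the domain level without also blocking OneDrive itself, so the practical hunt is for processes that should not be talking to the OneDrive API. The following is an added example, not code from ESET’s report or anything Marlin-specific: it runs a simple rule over a few constructed connection records (timestamp, process image path, user, destination host). The two hosts, api.onedrive.com and graph.microsoft.com, are Microsoft’s real OneDrive/Graph API endpoints; the log format, the allow-list of expected client processes, the trusted install roots and the sample records are all assumptions made for the example.

```python
"""Hunt for unexpected processes reaching the OneDrive API.

Added example (not from ESET or the article). The log format, the
allow-list and the sample records below are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Iterable, List

# Real Microsoft OneDrive / Graph API endpoints.
ONEDRIVE_API_HOSTS = {"api.onedrive.com", "graph.microsoft.com"}

# Assumed allow-list of image names expected to use these hosts in this
# environment. Tune per estate; an empty set flags every caller.
EXPECTED_CLIENTS = {
    "onedrive.exe", "msedge.exe", "chrome.exe", "firefox.exe",
    "outlook.exe", "winword.exe", "excel.exe", "powerpnt.exe", "teams.exe",
}

# Assumed install roots. An allow-listed name outside these is treated as a
# renamed binary and still flagged (name-only allow-lists are trivially bypassed).
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\")
ONEDRIVE_USER_DIR = "\\appdata\\local\\microsoft\\onedrive\\"


@dataclass(frozen=True)
class Conn:
    ts: str
    image: str   # full image path, lower-cased
    name: str    # image file name only
    user: str
    host: str


def parse_line(line: str) -> Conn:
    """Parse one constructed 'ts|image_path|user|dest_host' record."""
    ts, image, user, host = line.strip().split("|")
    image = image.lower()
    return Conn(ts=ts, image=image, name=image.rsplit("\\", 1)[-1],
                user=user, host=host.lower())


def is_expected(c: Conn) -> bool:
    """True only for an allow-listed name running from a trusted location."""
    if c.name not in EXPECTED_CLIENTS:
        return False
    return c.image.startswith(TRUSTED_ROOTS) or ONEDRIVE_USER_DIR in c.image


def suspicious(conns: Iterable[Conn]) -> List[Conn]:
    """Connections to the OneDrive API from processes we do not expect there."""
    return [c for c in conns if c.host in ONEDRIVE_API_HOSTS and not is_expected(c)]


# Constructed sample records; not real telemetry.
SAMPLE_LOG = """\
2021-08-12T09:14:03Z|C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe|alice|api.onedrive.com
2021-08-12T09:14:20Z|C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE|alice|graph.microsoft.com
2021-08-12T09:15:41Z|C:\\Users\\Public\\Libraries\\svchost.exe|alice|api.onedrive.com
2021-08-12T09:16:02Z|C:\\Windows\\System32\\cmd.exe|alice|graph.microsoft.com
2021-08-12T09:16:45Z|C:\\Users\\Public\\Libraries\\OneDrive.exe|alice|api.onedrive.com
2021-08-12T09:17:10Z|C:\\Program Files\\Mozilla Firefox\\firefox.exe|bob|www.example.com
"""


def hunt(log_text: str = SAMPLE_LOG) -> List[Conn]:
    """Run the rule over a log and return the flagged connections."""
    return suspicious(parse_line(ln) for ln in log_text.splitlines() if ln.strip())


if __name__ == "__main__":
    for c in hunt():
        print(f"{c.ts} {c.user} {c.image} -> {c.host}")
```

On the constructed sample this flags the svchost.exe and cmd.exe callers and the copy of OneDrive.exe sitting in a public folder, while the genuine OneDrive client and Word are left alone. The location check matters more than the name check: an implant can be named anything, so pair this with image hashes or code-signing status where the telemetry provides them.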

The earlier ToneDeaf backdoor used HTTP/S as its primary C2 channel, with a secondary DNS tunneling method that was non-functional. Researchers observed the mirror image in Shark, where DNS was the primary channel and the secondary HTTP/S channel did not work. ToneDeaf was first seen in July 2019 in attacks on a range of industries across the Middle East; it can collect system information, upload and download files, and execute arbitrary shell commands.

Further overlaps include the use of both DNS and HTTP/S as C2 channels and the use of separate directories for files being uploaded to and downloaded from the C2 server.
