New Stealthy Backdoor Saitama: The Latest Weapon in Iranian Cyber Espionage Campaign
Researchers from Malwarebytes and Fortinet FortiGuard Labs have discovered a new spear-phishing campaign that has targeted Jordan's foreign ministry, deploying a stealthy backdoor named Saitama. The campaign has been attributed to Iranian cyber espionage threat actor APT34, also known as OilRig, Helix Kitten, and Cobalt Gypsy. The group is known for its targeted phishing attacks against the telecom, government, defense, oil, and financial sectors in the Middle East and North Africa.
The phishing message contained a weaponized Microsoft Excel document, which upon opening prompted victims to enable macros and execute a malicious Visual Basic for Applications (VBA) macro. This macro then dropped the malware payload and established persistence by adding a scheduled task that repeated every four hours. Saitama leverages the DNS protocol for its command-and-control (C2) communications to disguise its traffic, and it employs a "finite-state machine" approach to executing the commands received from the C2 server.
In the final stage, the results of the command execution are sent back to the C2 server in the form of a DNS request, with the exfiltrated data built into the request. According to Fred Gutierrez, a researcher at Fortinet, this malware does not delete itself and relies on the Excel macro to create persistence.
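Because Saitama's C2 traffic and exfiltration ride on DNS, the practical detection question is how such traffic stands out in ordinary resolver logs. The following Python is an added example, not code from the Malwarebytes or Fortinet reports: it scores DNS query logs per (client, registered domain) and flags domains that receive many distinct, long, high-entropy subdomain labels from one client, the shape that encoded data in query names tends to produce. The log lines, client addresses, domain names and thresholds are all constructed for illustration; treating the last two labels as the registered domain is a simplification (a real detector would consult the public suffix list).

```python
import math
from collections import defaultdict

# Constructed sample resolver log (not from the report): "timestamp client qname".
# The corp-example.net queries imitate encoded payload labels; example.com is benign.
SAMPLE_DNS_LOG = """\
2022-05-10T08:00:01Z 10.0.0.12 www.example.com
2022-05-10T08:00:02Z 10.0.0.12 mail.example.com
2022-05-10T08:00:05Z 10.0.0.31 a3f9c1e7b2d4f8a0c6e1.update.corp-example.net
2022-05-10T08:00:06Z 10.0.0.31 9e2b7c4d1f0a5e8b3c7d.update.corp-example.net
2022-05-10T08:00:07Z 10.0.0.31 4c8d2e6f0b1a7c9d3e5f.update.corp-example.net
2022-05-10T08:00:08Z 10.0.0.31 b7e1d3c5a9f2e4b6d8c0.update.corp-example.net
2022-05-10T08:00:09Z 10.0.0.12 cdn.example.com
"""


def shannon_entropy(text: str) -> float:
    """Shannon entropy in bits per character; 0.0 for the empty string."""
    if not text:
        return 0.0
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_query(qname: str):
    """Return (registered_domain, leftmost_label) for a query name.

    Assumption: the registered domain is the last two labels. The leftmost
    label is where encoded data usually goes; it is "" for a bare domain lookup.
    """
    labels = qname.rstrip(".").lower().split(".")
    domain = ".".join(labels[-2:])
    leftmost = labels[0] if len(labels) > 2 else ""
    return domain, leftmost


def parse_log(log_text: str):
    """Yield (client, qname) from 'timestamp client qname' lines, skipping malformed ones."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        yield parts[1], parts[2]


def score_queries(log_text: str, min_unique: int = 3,
                  min_label_len: int = 16, min_entropy: float = 3.0):
    """Aggregate queries per (client, registered domain) and flag tunnelling-like
    patterns: at least min_unique distinct leftmost labels whose average length
    and average entropy both exceed the thresholds. Returns {key: stats}."""
    groups = defaultdict(set)
    for client, qname in parse_log(log_text):
        domain, leftmost = split_query(qname)
        groups[(client, domain)].add(leftmost)

    results = {}
    for key, labels in groups.items():
        labels = {lbl for lbl in labels if lbl}  # ignore bare domain lookups
        if not labels:
            results[key] = dict(unique=0, avg_len=0.0, avg_entropy=0.0, flagged=False)
            continue
        avg_len = sum(len(lbl) for lbl in labels) / len(labels)
        avg_ent = sum(shannon_entropy(lbl) for lbl in labels) / len(labels)
        results[key] = dict(
            unique=len(labels),
            avg_len=avg_len,
            avg_entropy=avg_ent,
            flagged=(len(labels) >= min_unique
                     and avg_len >= min_label_len
                     and avg_ent >= min_entropy),
        )
    return results


def flagged_pairs(log_text: str, **thresholds):
    """Sorted list of (client, domain) pairs that trip the heuristic."""
    return sorted(k for k, v in score_queries(log_text, **thresholds).items()
                  if v["flagged"])


if __name__ == "__main__":
    for (client, domain), s in score_queries(SAMPLE_DNS_LOG).items():
        mark = "SUSPECT" if s["flagged"] else "ok"
        print(f"{mark:8} {client} -> {domain}: {s['unique']} labels, "
              f"avg len {s['avg_len']:.1f}, avg entropy {s['avg_entropy']:.2f}")
```

On the constructed log, only the 10.0.0.31 / corp-example.net pair is flagged. In practice the thresholds need tuning against a baseline of legitimate CDN and anti-spam lookups, which also produce long labels, and the four-hourly scheduled task gives a second, independent signal: a beaconing cadence in the same client's query timestamps.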
This latest discovery highlights the growing threat of Iranian cyber espionage and the sophisticated tactics being employed by APT34. Earlier this February, ESET tied the group to a long-running intelligence-gathering operation against diplomatic organizations, technology companies, and medical organizations in Israel, Tunisia, and the United Arab Emirates, a testament to its persistence and determination.