The Evolution of Iranian APT Threats: Uncovering the Marlin Malware Backdoor
A recent report from Slovak cybersecurity company ESET sheds light on the ongoing activities of advanced persistent threat (APT) groups with ties to Iran. Dubbed "Out to Sea," the campaign is the work of two distinct APT actors, OilRig (also known as APT34) and Lyceum (Hexane, SiameseKitten), who have been targeting diplomatic organizations, technology companies, and medical organizations in the Middle East since April 2018.
As part of their long-running espionage campaign, the APT groups have refreshed their malware toolset with a new backdoor known as Marlin. This addition marks a significant departure from the groups' traditional tradecraft: Marlin uses Microsoft's OneDrive API for its command-and-control operations instead of the DNS and HTTPS channels the groups usually rely on.
ToneDeaf is a malware family deployed by the APT34 actor in July 2019 against a broad range of industries operating in the Middle East. It supports collecting system information, uploading and downloading files, and executing arbitrary shell commands.
The APT groups have been active since at least 2014, targeting Middle Eastern governments and a variety of business sectors, including chemicals, energy, finance, and telecommunications. The Lyceum group has evolved to deploy multiple backdoors, including DanBot, Shark, and Milan, in addition to Marlin.
According to ESET, the attackers initially gained access to the network through spear-phishing and remote access and administration software such as ITbrain and TeamViewer. The researchers noted similarities between the tools and tactics of OilRig and Lyceum, pointing out the overlapping use of DNS as a command-and-control channel and the use of multiple folders in the backdoor's working directory for file transfer.
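The overlapping use of DNS as a command-and-control channel by OilRig and Lyceum points to a check defenders can run on their own resolver logs: group queries by client and parent domain and look for repeated lookups whose subdomains carry long, high-entropy labels typical of encoded data. The script below is an added example written for this post; it is not from ESET's report, is not modelled on Marlin's or any other named backdoor's actual protocol, and runs over a constructed log with assumed thresholds (label length, entropy, minimum query count) that would need tuning against a real environment, where CDNs and anti-spam services also produce long labels.

```python
"""
Heuristic detector for DNS-based command-and-control traffic, run over a
constructed DNS query log. Added example for illustration only: the log lines,
thresholds and domain names are invented and are not drawn from the ESET
"Out to Sea" report or from Marlin/OilRig/Lyceum samples.
"""
import math
from collections import defaultdict

# Constructed sample log: one query per line, "client_ip<TAB>qname<TAB>qtype".
SAMPLE_DNS_LOG = """\
10.0.0.5\twww.example.com\tA
10.0.0.5\tmail.example.com\tA
10.0.0.7\t5a8f3c2e9b1d4f6a7c0e2b9d.status.updates-cdn.example\tTXT
10.0.0.7\t9e1c7b4a2f6d8e0c3a5b7d9f.status.updates-cdn.example\tTXT
10.0.0.7\t3b6d9f1a4c7e0b2d5f8a1c3e.status.updates-cdn.example\tTXT
10.0.0.7\t7d2f5a8c1e4b7d0a3c6e9b2f.status.updates-cdn.example\tTXT
10.0.0.9\tcdn.example.org\tA
"""


def shannon_entropy(text):
    """Bits per character of the string; random-looking encoded data scores high."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_qname(qname):
    """Return (subdomain_part, parent_domain), treating the last two labels as the parent."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) <= 2:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def parse_log(log_text):
    """Parse the tab-separated log format defined above into (client, qname, qtype) tuples."""
    records = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        client, qname, qtype = line.split("\t")
        records.append((client, qname, qtype.upper()))
    return records


def detect_dns_c2(log_text, max_label_len=20, min_entropy=3.5, min_queries=3):
    """Group queries by (client, parent domain) and flag groups whose subdomains
    look like encoded payloads: long leftmost labels or high entropy, repeated
    at least min_queries times. Data-carrying record types (TXT/NULL) are
    reported as a share so an analyst can weigh the alert."""
    groups = defaultdict(list)
    for client, qname, qtype in parse_log(log_text):
        sub, parent = split_qname(qname)
        if sub:
            groups[(client, parent)].append((sub, qtype))

    alerts = []
    for (client, parent), entries in groups.items():
        if len(entries) < min_queries:
            continue
        longest = [max(len(label) for label in sub.split(".")) for sub, _ in entries]
        entropies = [shannon_entropy(sub.replace(".", "")) for sub, _ in entries]
        txt_share = sum(1 for _, qtype in entries if qtype in ("TXT", "NULL")) / len(entries)
        avg_len = sum(longest) / len(longest)
        avg_entropy = sum(entropies) / len(entropies)
        if avg_len >= max_label_len or avg_entropy >= min_entropy:
            alerts.append({
                "client": client,
                "parent": parent,
                "queries": len(entries),
                "avg_longest_label": round(avg_len, 1),
                "avg_entropy": round(avg_entropy, 2),
                "txt_share": round(txt_share, 2),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_dns_c2(SAMPLE_DNS_LOG):
        print(alert)
```

On the sample log only the client at 10.0.0.7 is flagged: four TXT lookups under one parent domain with 24-character hexadecimal labels, while the two short lookups from 10.0.0.5 fall below the minimum query count. In practice the parent-domain split should use a public-suffix list rather than the last two labels, and the thresholds should be baselined against a week of normal traffic before alerting.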
In conclusion, the evolution of APT threats from Iran should serve as a warning to organizations operating in the Middle East. It is important to stay vigilant and implement robust cybersecurity measures to protect against these advanced and persistent threats.