Iranian Hackers Target U.S. Research Organization in Ongoing Campaign

A threat group linked to Iran has targeted a U.S.-based research company whose services are used by businesses and government organizations, cybersecurity firm Intezer reveals.

The attack appears to be the work of cyber-espionage group APT34 (also known as OilRig or Helix Kitten), which has been active since at least 2014, targeting government agencies, as well as financial services, energy and utility, telecommunications, and oil and gas companies worldwide.

The newly observed activity employs techniques and tools similar to an operation documented in July 2019, thus suggesting that APT34 is behind it.

Specifically, Intezer’s security researchers discovered a phishing document masquerading as an employee satisfaction survey tailored to Westat employees. A research company, Westat works with U.S. government agencies, businesses, foundations, and state and local governments.

In an email conversation with Intezer, SecurityWeek has learned that the threat actor issued a certificate for its C&C server only last month. With the malware’s C&C domain (manygoodnews[.]com) still operational, the researchers believe the attack is likely ongoing.

The identified phishing document opens as a blank spreadsheet, which is meant to entice the intended victim into enabling macros. Once macros are enabled, malicious VBA code installs an updated version of the TONEDEAF malware and establishes persistence.
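The lure described above relies on the document looking empty while still carrying a VBA project. Because the file extension says nothing reliable about macro content, a first triage step is to look inside the container. The following is an added example written for this page (not Intezer's tooling and not code from the report): it classifies an Office file from its raw bytes, flagging an OOXML archive that embeds a `vbaProject.bin` part and routing legacy OLE2 binaries to a dedicated VBA parser. The sample containers it builds are constructed, minimal stand-ins for real workbooks.

```python
import io
import zipfile

# Magic bytes of a legacy OLE2 compound file (.xls/.doc); macros in that format
# live inside a VBA storage and need a compound-file parser to extract.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def triage_office_file(data: bytes) -> str:
    """Classify an Office document's macro exposure from its raw bytes.

    Returns one of:
      'ooxml-macro'        - OOXML zip containing a vbaProject.bin part
      'ooxml-clean'        - OOXML zip with no embedded VBA project
      'ole-needs-vba-scan' - legacy OLE2 container; hand off to a VBA extractor
      'not-office'         - neither container type
    """
    if data.startswith(OLE_MAGIC):
        return "ole-needs-vba-scan"
    if data.startswith(b"PK"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = {n.lower() for n in zf.namelist()}
        except zipfile.BadZipFile:
            return "not-office"
        # Require an Office part tree so an arbitrary zip is not misclassified.
        if not any(n.startswith(("xl/", "word/", "ppt/")) for n in names):
            return "not-office"
        # The VBA project is stored as a binary part regardless of the extension
        # the attacker chose for the file, so check the archive, not the name.
        if any(n.endswith("vbaproject.bin") for n in names):
            return "ooxml-macro"
        return "ooxml-clean"
    return "not-office"


def build_sample_xlsx(with_macro: bool) -> bytes:
    """Constructed stand-in for a spreadsheet container (not a real workbook).

    Only the parts relevant to the triage check are written.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if with_macro:
            # Placeholder bytes standing in for a compiled VBA project.
            zf.writestr("xl/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in [
        ("macro workbook", build_sample_xlsx(True)),
        ("plain workbook", build_sample_xlsx(False)),
        ("legacy binary", OLE_MAGIC + b"\x00" * 8),
        ("text file", b"hello"),
    ]:
        print(f"{label}: {triage_office_file(blob)}")
```

The check only establishes that a VBA project is present; it says nothing about what the macros do. A "blank" spreadsheet that nonetheless carries `vbaProject.bin` is exactly the combination the lure above depends on, and should be pulled for macro extraction rather than opened.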

To receive and execute commands, the TONEDEAF backdoor, a custom APT34 tool, communicates with its C&C server over HTTP. The new version features a revamped communication protocol and supports only arbitrary shell command execution; it no longer implements pre-defined commands.

TONEDEAF 2.0 features largely modified code compared to the previous version, but the general flow and functionality are similar. It is stealthier and it includes dynamic importing, string decoding, and a new method to deceive its victims into believing it is a legitimate, broken app — if executed without a specific argument, it displays a blank GUI window.

HTTP is still used for C&C communication, but with custom encoding and handshake mechanisms in which every message carries a specific identifier. The researchers believe the C&C server is filtering its targets, because their own requests always received an HTTP 403 Forbidden response.

“It’s possible that the C2 is filtering the targets since this backdoor is part of a targeted operation and our client_id parameter does not match that of one of the intended victims,” Intezer says.
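The rejection behaviour has a practical consequence for defenders: a host that beacons to the C&C domain and only ever gets 403 responses has still run the backdoor, so the failed handshakes are an indicator of compromise, not of a clean host. The example below is added for this page (it is not Intezer's code and not part of the report): it hunts a proxy log for requests to the reported C&C domain, refangs the defanged indicator, records the `client_id` values observed, and counts how many beacons the server rejected. The log format, field layout and every sample line are constructed for the example; only the domain comes from the report.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlparse

# Indicator from the report, kept in defanged form as it appears in the article.
C2_DOMAINS = {"manygoodnews[.]com"}


def refang(indicator: str) -> str:
    """Turn a defanged indicator (manygoodnews[.]com) into a matchable hostname."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").lower()


REFANGED = {refang(d) for d in C2_DOMAINS}

# Constructed proxy log layout: timestamp client_ip method url status
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)

# Constructed sample log. The paths and client_id values are made up; the report
# does not publish the real URI scheme, only that a client_id parameter exists.
SAMPLE_LOG = """\
2020-01-30T09:12:01Z 10.0.5.17 GET http://manygoodnews.com/cgi-bin/handshake?client_id=abc123 403
2020-01-30T09:12:04Z 10.0.5.17 POST http://manygoodnews.com/cgi-bin/handshake?client_id=abc123 403
2020-01-30T09:13:10Z 10.0.5.22 GET http://www.example.com/index.html 200
2020-01-30T09:14:55Z 10.0.5.40 GET http://MANYGOODNEWS.com/update?client_id=deadbeef 200
2020-01-30T09:15:00Z 10.0.5.40 GET http://notmanygoodnews.com/ 200
malformed line that should be skipped
"""


def parse_line(line: str):
    """Parse one log line into a dict, or return None for lines that do not fit."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def hunt_c2(log_text: str) -> dict:
    """Return per-source findings for requests to the known C&C domain."""
    findings = defaultdict(
        lambda: {"requests": 0, "rejected_403": 0, "client_ids": set()}
    )
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        parsed = urlparse(rec["url"])
        host = (parsed.hostname or "").lower()
        # Match the exact host or a subdomain of it, so that a look-alike such as
        # notmanygoodnews.com does not produce a false positive.
        if not any(host == d or host.endswith("." + d) for d in REFANGED):
            continue
        entry = findings[rec["src"]]
        entry["requests"] += 1
        if rec["status"] == 403:
            # Rejected by the C&C's target filter, but the host still beaconed.
            entry["rejected_403"] += 1
        for cid in parse_qs(parsed.query).get("client_id", []):
            entry["client_ids"].add(cid)
    return dict(findings)


if __name__ == "__main__":
    for src, info in sorted(hunt_c2(SAMPLE_LOG).items()):
        print(src, info)
```

Treat every source in the result as a host to isolate and image, whatever the status code. The `client_id` values are worth recording because the report ties them to the server's target filtering; a value that the server accepts (a 200 rather than a 403) identifies a host the operators were expecting.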

The security researchers believe that the operation also employs the VALUEVAULT implant, a browser credential theft tool written in Golang. Versions of the phishing document leading to VALUEVAULT and to TONEDEAF 2.0 were uploaded to VirusTotal by the same user, located in Lebanon, within minutes of each other.

“This perhaps indicates that these malware were delivered together,” the researchers say.

The researchers also found that the document author's copy of Microsoft Excel is configured with Arabic as its preferred language.

SecurityWeek contacted Westat for comment but received no reply at the time of publication.

Update. Responding to a SecurityWeek inquiry, Westat said that none of its employees has received phishing emails carrying the malicious document described in Intezer’s report. The company also says that it has found no evidence of compromise.

“Westat understands that in their effort to identify threats and malware, Intezer has identified a malicious file that uses the Westat name and logo. This file was not created by, hosted by, or sent from Westat, and is likely the result of a bad actor stealing the Westat brand name and logo. Our cybersecurity team is working with Intezer and others to fully understand the nature of this isolated report. We will continue to monitor the situation and respond accordingly,” a Westat spokesperson said.

Related: Iranian Hackers Use New Malware in Recent Attacks

Related: Iranian Hackers Heavily Reliant on DNS Tunneling

Related: Source Code of Iran-Linked Hacking Tools Posted Online

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
