Cyberwarfare

Nazar: Old Iran-Linked APT Operation Monitored by NSA

A security researcher says he has uncovered an advanced persistent threat (APT) operation that started over a decade ago and which is referenced in the collection of National Security Agency (NSA) hacking tools that the Shadow Brokers made public in 2017.

A security researcher says he has uncovered an advanced persistent threat (APT) operation that started over a decade ago and which is referenced in the collection of National Security Agency (NSA) hacking tools that the Shadow Brokers made public in 2017.

The campaign, previously attributed to the Chinese threat actor Emissary Panda (also referred to as APT27, LuckyMouse, BRONZE UNION, and Threat Group 3390), is referenced in one of the files from the Shadow Brokers dump as SIG37.

According to Juan Andres Guerrero-Saade, a security researcher who previously worked for Kaspersky and Google, SIG37 in fact points to a previously unidentified cluster of activity that may go back as far as 2008. He has not been able to link this activity to any known threat group.

The researcher, who refers to the operation as ‘Nazar’, based on “debug paths left alongside Farsi resources in some of the malware droppers,” believes that the activity was centered around the 2010-2013 timeframe, based on submission times in VirusTotal.

While the scope of the operation is unclear — given the lack of access to victimology or command and control (C&C) sinkholing — three malware samples were exclusively encountered on Iranian machines, and Nazar subcomponents were submitted to VirusTotal from Iran, Guerrero-Saade says.

The researcher revealed in a presentation at the OPCDE cybersecurity conference that based on the available evidence this could be an operation conducted by Iran-based hackers against entities in Iran.

“Somehow, this operation found its way onto the NSA’s radar pre-2013,” Guerrero-Saade wrote in a blog post on Nazar. “As far as I can tell, it’s eluded specific coverage from the security industry. A possible scenario to account for the disparate visibility between the NSA and Western researchers when it comes to this cluster of activity is that these samples were exclusively encountered on Iranian boxes overlapping with EQGRP implants.”

Nazar uses a modular toolkit, with a main dropper designed to silently register multiple DLLs as OLE controls in the Windows registry via ‘regsvr32.exe’. An orchestrator is registered as a service for persistence, disguised as ‘svchost.exe’.
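Both persistence behaviours described above leave traces in ordinary endpoint telemetry. The following is an added example, not from the article or from Guerrero-Saade's research, that flags silent regsvr32 registrations of modules outside the Windows system directories and services whose binary is named svchost.exe but lives in a non-system path; the events it runs over are constructed Sysmon-style records with assumed field names, not real telemetry from the campaign.

```python
import ntpath
import re

# Added example, not from the article or Guerrero-Saade's research. The events
# are constructed Sysmon-style records with assumed field names, not real telemetry.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
EVENTS = [
    {"type": "process", "host": "ws01",
     "cmdline": r'regsvr32.exe /s "C:\Program Files\Vendor\plugin.dll"'},
    {"type": "process", "host": "ws01",
     "cmdline": r"regsvr32.exe /s C:\Users\Public\drv\kbd.ocx"},
    {"type": "process", "host": "ws01",
     "cmdline": r"regsvr32.exe /s C:\Users\Public\drv\scr.dll"},
    {"type": "process", "host": "ws02",
     "cmdline": r"regsvr32.exe /s C:\Windows\System32\msxml6.dll"},
    {"type": "service", "host": "ws01", "name": "svchost",
     "path": r"C:\ProgramData\svchost.exe"},
    {"type": "service", "host": "ws02", "name": "Spooler",
     "path": r"C:\Windows\System32\spoolsv.exe"},
]
# regsvr32 [/flags ...] <module>, module optionally quoted
REGSVR_RE = re.compile(r'regsvr32(?:\.exe)?\s+(?:/\S+\s+)*"?([^"]+?)"?\s*$', re.I)

def outside_system_dirs(path):
    """True when the module lives outside System32/SysWOW64."""
    return not ntpath.normcase(path).startswith(SYSTEM_DIRS)

def silent_regsvr32_registrations(events):
    """Per host: modules silently (/s) registered from outside system dirs."""
    hits = {}
    for ev in events:
        if ev["type"] != "process":
            continue
        m = REGSVR_RE.search(ev["cmdline"])
        if m and "/s" in ev["cmdline"].lower().split() and outside_system_dirs(m.group(1)):
            hits.setdefault(ev["host"], []).append(m.group(1))
    return hits

def masquerading_services(events):
    """Services whose binary is named svchost.exe but sits outside a system dir."""
    return [(ev["host"], ev["name"], ev["path"]) for ev in events
            if ev["type"] == "service"
            and ntpath.basename(ev["path"]).lower() == "svchost.exe"
            and outside_system_dirs(ev["path"])]

def triage(events, min_modules=2):
    """Hosts with several such registrations, or one plus a fake svchost service."""
    regs = silent_regsvr32_registrations(events)
    fake_svc = {h for h, _, _ in masquerading_services(events)}
    return sorted(h for h, mods in regs.items() if len(mods) >= min_modules or h in fake_svc)
```

Legitimate installers also call regsvr32 from Program Files, so the per-host grouping and the service check are what lift this from noise to a lead worth triaging.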

The droppers are built with the defunct Chilkat software, and ‘Zip2Secure’ is used to create self-extracting executables. Subcomponent DLLs feature both commonly-used resources and seemingly custom libraries.

The malware leverages libraries to implement screen grabbing, microphone recording, and keylogging features, while two custom resources, which are treated as type libraries and registered as OLE controls, can enumerate attached drives, traverse folder structures, and handle some C&C functionality.

A kernel driver is used to sniff packets from the victim machine’s interfaces and parse them for specific strings, but the researcher says he could not identify what it is parsing.

“SIG37 has proven a rewarding mystery, unearthing a previously undiscovered subset of activity worthy of our attention. Apart from several places where more skilled reverse engineers can contribute to better understanding the samples already discovered, there’s an opportunity for threat hunters with access to diverse data sets and systems to figure out just how big this iceberg really is,” Guerrero-Saade concludes.

Related: NSA Used Simple Tools to Detect Other State Actors on Hacked Devices

Related: China’s APT27 Hackers Use Array of Tools in Recent Attacks

Written By

Ionut Arghire is an international correspondent for SecurityWeek.