Nazar: Old Iran-Linked APT Operation Monitored by NSA

A security researcher says he has uncovered an advanced persistent threat (APT) operation that started over a decade ago and which is referenced in the collection of National Security Agency (NSA) hacking tools that the Shadow Brokers made public in 2017.

The cluster, which earlier analysis had attributed to the Chinese threat actor Emissary Panda (also tracked as APT27, LuckyMouse, BRONZE UNION and Threat Group 3390), appears as SIG37 in one of the files from the Shadow Brokers dump: the signature list of the Territorial Dispute (TeDi) module, which the NSA's DanderSpritz framework used to check compromised hosts for implants belonging to other state actors.

According to Juan Andres Guerrero-Saade, a security researcher who previously worked at Kaspersky and Google, SIG37 in fact points to a previously unidentified cluster of activity that may go back as far as 2008. He has not been able to link the activity to any known threat group.

The researcher calls the operation 'Nazar', after "debug paths left alongside Farsi resources in some of the malware droppers", and believes, based on VirusTotal submission times, that the activity was centered on the 2010-2013 timeframe.

The scope of the operation is unclear, since the researcher has no access to victimology and did not sinkhole the command and control (C&C) infrastructure. However, three of the malware samples were encountered exclusively on Iranian machines, and Nazar subcomponents were submitted to VirusTotal from Iran, Guerrero-Saade says.

The researcher, who presented the findings at the OPCDE cybersecurity conference, said the available evidence is consistent with an operation conducted by Iran-based hackers against targets inside Iran.

“Somehow, this operation found its way onto the NSA’s radar pre-2013,” Guerrero-Saade wrote in a blog post on Nazar. “As far as I can tell, it’s eluded specific coverage from the security industry. A possible scenario to account for the disparate visibility between the NSA and Western researchers when it comes to this cluster of activity is that these samples were exclusively encountered on Iranian boxes overlapping with EQGRP implants.”

Nazar is a modular toolkit. The main dropper silently registers multiple DLLs as OLE controls in the Windows registry by invoking 'regsvr32.exe', and an orchestrator, disguised as 'svchost.exe', is registered as a service for persistence. The genuine svchost.exe lives in %SystemRoot%\System32, so a service whose binary path points at an svchost.exe anywhere else is a straightforward hunting indicator for this kind of masquerading.
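To turn the persistence chain described above into a hunt, here is an added example, written for this page and not code from the article or from Guerrero-Saade's research. It scans Sysmon-style process-creation and service-install records for the two behaviours: silent regsvr32.exe registrations of DLLs outside System32 issued in a burst by a single parent process, and a service whose binary is named svchost.exe but does not live in System32. The event dicts, file names and service names are constructed for illustration and are not indicators from the Nazar samples; the 60-second burst window is an assumption.

```python
"""Hunt for a Nazar-style persistence chain in Sysmon-style event records.

Added example, not code from SecurityWeek or from Guerrero-Saade's research.
It assumes Sysmon process-creation (ID 1) and System 7045 service-install
events have already been parsed into dicts with the keys used below. The
records in SAMPLE_EVENTS are constructed; the file and service names in them
are invented, not indicators from the Nazar samples.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

SYSTEM32 = "c:\\windows\\system32"
CHAIN_WINDOW = timedelta(seconds=60)  # assumption: a dropper registers its DLLs back to back
CHAIN_MIN = 2                         # registrations from one parent needed to call it a chain


def norm_path(p: str) -> str:
    """Lower-case, strip surrounding quotes and expand %SystemRoot% so paths compare reliably."""
    p = p.strip().strip('"').lower()
    return p.replace("%systemroot%", "c:\\windows").replace("%windir%", "c:\\windows")


def basename(p: str) -> str:
    return norm_path(p).rsplit("\\", 1)[-1]


def registered_module(cmdline: str):
    """Return the normalized DLL/OCX path regsvr32 was asked to register, or None."""
    m = re.search(r'"?([a-z]:\\[^"]*?\.(?:dll|ocx))"?', cmdline, re.IGNORECASE)
    return norm_path(m.group(1)) if m else None


def is_silent(cmdline: str) -> bool:
    """True when the /s (silent) switch is present, as a dropper would use it."""
    return re.search(r"(?:^|\s)[/-]s(?=\s|$)", cmdline, re.IGNORECASE) is not None


def rule_regsvr32(ev):
    """Silent regsvr32 registration of a module that does not live under System32."""
    if ev["type"] != "process" or basename(ev["image"]) != "regsvr32.exe":
        return None
    mod = registered_module(ev["cmdline"])
    if mod and is_silent(ev["cmdline"]) and not mod.startswith(SYSTEM32 + "\\"):
        return {"rule": "regsvr32_silent_nonsystem", "ts": ev["ts"],
                "pid": ev["pid"], "ppid": ev["ppid"], "module": mod}
    return None


def rule_svchost_service(ev):
    """A new service whose binary is named svchost.exe but is not the one in System32."""
    if ev["type"] != "service":
        return None
    m = re.match(r'"?([a-z]:\\.*?\.exe)', norm_path(ev["image_path"]))
    if not m:
        return None
    exe = m.group(1)
    if exe.rsplit("\\", 1)[-1] == "svchost.exe" and not exe.startswith(SYSTEM32 + "\\"):
        return {"rule": "svchost_service_outside_system32", "ts": ev["ts"],
                "service": ev["name"], "image": exe}
    return None


def rule_dropper_chain(findings):
    """Several silent registrations from one parent inside CHAIN_WINDOW: the dropper pattern.

    Simplification: the whole span first-to-last is compared against the window
    rather than using a sliding window; fine for a burst, coarse for long logs.
    """
    by_parent = defaultdict(list)
    for f in findings:
        if f["rule"] == "regsvr32_silent_nonsystem":
            by_parent[f["ppid"]].append(f)
    out = []
    for ppid, fs in by_parent.items():
        fs.sort(key=lambda f: f["ts"])  # ISO-8601 timestamps sort lexicographically
        span = datetime.fromisoformat(fs[-1]["ts"]) - datetime.fromisoformat(fs[0]["ts"])
        if len(fs) >= CHAIN_MIN and span <= CHAIN_WINDOW:
            out.append({"rule": "dropper_registration_chain", "ppid": ppid,
                        "modules": [f["module"] for f in fs]})
    return out


def hunt(events):
    """Run the per-event rules, then the correlation rule over their findings."""
    findings = [r for ev in events for r in (rule_regsvr32(ev), rule_svchost_service(ev)) if r]
    return findings + rule_dropper_chain(findings)


# Constructed sample: one dropper (pid 1700) registering three DLLs from Temp,
# a masquerading svchost service, plus benign regsvr32 and svchost activity.
SAMPLE_EVENTS = [
    {"ts": "2013-04-02T09:15:01", "type": "process", "pid": 1804, "ppid": 1700,
     "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r'regsvr32.exe /s "C:\Users\user\AppData\Local\Temp\olectl1.dll"'},
    {"ts": "2013-04-02T09:15:02", "type": "process", "pid": 1810, "ppid": 1700,
     "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r'regsvr32.exe /s "C:\Users\user\AppData\Local\Temp\olectl2.dll"'},
    {"ts": "2013-04-02T09:15:03", "type": "process", "pid": 1816, "ppid": 1700,
     "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r'regsvr32.exe /s "C:\Users\user\AppData\Local\Temp\olectl3.dll"'},
    {"ts": "2013-04-02T09:15:04", "type": "service", "name": "svchost",
     "image_path": r'"C:\ProgramData\svchost.exe"'},
    {"ts": "2013-04-02T10:02:11", "type": "process", "pid": 2200, "ppid": 2100,
     "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r"regsvr32.exe C:\Windows\System32\jscript.dll"},      # benign admin repair
    {"ts": "2013-04-02T10:05:00", "type": "service", "name": "wuauserv",
     "image_path": r"%SystemRoot%\System32\svchost.exe -k netsvcs"},  # genuine svchost
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f)
```

Feeding real Sysmon data through this only requires mapping the XML fields (Image, CommandLine, ProcessId, ParentProcessId, and ImagePath from event 7045) onto the dict keys; the %SystemRoot% expansion in norm_path matters because 7045 records the service path unexpanded, and a naive string compare against C:\Windows would miss the genuine svchost and flag it as foreign.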

The droppers are built with the now-defunct Chilkat software, and 'Zip2Secure' is used to produce self-extracting executables. The subcomponent DLLs mix commonly used resources with what appear to be custom libraries.

Off-the-shelf libraries provide the screen grabbing, microphone recording and keylogging features, while two custom resources, treated as type libraries and registered as OLE controls, enumerate attached drives, traverse folder structures and handle part of the C&C functionality.

A kernel driver sniffs packets from the victim machine's network interfaces and parses them for specific strings, but the researcher says he has not been able to determine what it is looking for.

“SIG37 has proven a rewarding mystery, unearthing a previously undiscovered subset of activity worthy of our attention. Apart from several places where more skilled reverse engineers can contribute to better understanding the samples already discovered, there’s an opportunity for threat hunters with access to diverse data sets and systems to figure out just how big this iceberg really is,” Guerrero-Saade concludes.

Related: NSA Used Simple Tools to Detect Other State Actors on Hacked Devices

Related: China’s APT27 Hackers Use Array of Tools in Recent Attacks

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
