Iran-Linked APT34 Spy Campaign Targets Saudis
The Menorah malware can upload and download files, as well as execute shell commands.
A phishing campaign that drops cyber espionage malware is taking aim at users in the Middle East.
The campaign is mounted by the infamous advanced persistent threat known as APT34 (aka OilRig, Helix Kitten, Cobalt Gypsy), and employs a custom tool that researchers have dubbed "Menorah." This malware is capable of identifying the target's machine, reading and uploading files from the machine, and downloading other files or malware.
According to research by Trend Micro, the document used in the attack contains pricing information in Saudi Riyal, which could indicate that at least one targeted victim is inside Saudi Arabia.
Linked to Iran, APT34 typically focuses on collecting sensitive intelligence, and has been involved in high-profile cyberattacks against a diverse range of targets in the Middle East, including government agencies, critical infrastructure, telecommunications, and key regional entities.
Trend Micro's researchers said that a changing of tactics and tools is typical of APT groups and demonstrates their resources and varied skills. Being able to create new pieces of malware and tools allows such groups to continuously deploy new techniques "to ensure success in intrusions, stealth, and cyberespionage."