In a recent discovery, cybersecurity firm Trend Micro identified a new strain of malware they attributed to the advanced persistent threat (APT) group APT34. The malware, dubbed “Menorah,” was uncovered during an investigation into a targeted phishing attack that took place in August. The attack involved the use of a malicious document, “MyCv.doc,” related to the Seychelles Licensing Authority, which contained pricing information in Saudi Riyal, indicating a potential target in Saudi Arabia.

APT34 group, known for its cyberespionage operations in the Middle East, has a history of targeting various organizations, including government agencies, critical infrastructure, and telecommunications. APT34 employs spear-phishing campaigns and advanced techniques to infiltrate and maintain access within targeted networks, making it a formidable cybersecurity challenge.

The attack chain of the macro found in the malicious document involves dropping a .NET-based payload into the <%ALLUSERSPROFILE%\Office365> directory and creating a scheduled task named “OneDriveStandaloneUpdater” for persistence. Menorah.exe is the name of the malicious payload dropped during execution and can identify the infected machine, reading and uploading files, and downloading additional files or malware.

Researchers at Trend Micro noted that the Menorah malware shares similarities with a previously documented APT34 tool called SideTwist. Both malware variants create a unique ID for the victim machine using the computer name and username. While the techniques employed in this sample may not be as sophisticated as previous APT34 attacks, the group’s ability to rapidly develop and deploy new malware and tools poses an ongoing threat.

One critical aspect of the Menorah malware is its ability to establish communication with a command and control (C2) server, although the specific server used in this attack was found to be inactive during analysis. The malware can execute commands received from the C2 server, list directories and files on the compromised system, and upload and download files as directed.

This discovery underscores the critical importance of having robust monitoring tools in place to track scheduled tasks for signs of malicious activity. Menorah’s utilization of a scheduled task for persistence underscores the necessity for ongoing vigilance in the face of cyberthreats. Additionally, it serves as a stark reminder of the need for individuals and organizations to exercise caution when handling documents, especially those with embedded macros, from untrusted sources.

Organizations are advised to remain vigilant and keep their employees informed about the various techniques attackers use to target systems and steal sensitive information. While APT34’s routines may be relatively straightforward, their adaptability and resources enable them to create new malware and tools, allowing them to persistently target organizations. Staying proactive in enhancing security measures and educating personnel is crucial to mitigating the risks posed by advanced threat actors like APT34.

In Summary: This article discusses the discovery of the Menorah malware, attributed to the advanced persistent threat group APT34, which was detected during a targeted phishing attack in August. We take a look at the malware’s capabilities, similarities to previous APT34 tools, and the importance of monitoring scheduled tasks for malicious activity, highlighting the ongoing cyberthreats faced by organizations. 

Why It Matters: Managed service providers (MSPs) and their clients should take note of this article as it sheds light on the evolving tactics of threat actors like APT34. Understanding these groups’ method of operations and adaptability, as well as the significant use of scheduled task monitoring is crucial for MSPs to bolster their cybersecurity strategies. Clients, in turn, need to stay informed about emerging threats to collaborate effectively with their MSPs in safeguarding their on-premises and cloud environments. The Menorah malware discovery underscores the need for proactive security measures and employee education, emphasizing the shared responsibility of MSPs and their clients in mitigating cyber-risks.

To stay up to date on all APG intel, follow them on Twitter and Reddit.