Trend Micro analyzes a December 2022 campaign attributed to APT34, deploying a new .NET backdoor (MrPerfectInstaller) to steal credentials and exfiltrate data via compromised mailbox accounts. The attackers leverage Microsoft Exchange Web Services to relay stolen data as email attachments from government mail servers in the Middle East. Hashtags: #APT34 #REDCAP #MrPerfectInstaller #Karkoff #Saitama #ExchangeWebServices #MiddleEast
Keypoints
- December 2022 campaign linked to APT34 uses a new .NET backdoor to target Middle East organizations.
- The dropper, MrPerfectInstaller, drops four components including a password-filter DLL and a main exfiltration module.
- The dropper registers a password filter via a registry modification to harvest plaintext passwords)
- The attackers exfiltrate data by logging into Exchange Server via EWS and sending stolen files as email attachments.
- The operation enumerates target files and uses a config file in ProgramData to guide exfiltration (Server, Target, Domain).
- IOCs include specific file hashes, dropped filenames, and compromised email addresses used for data relays.
MITRE Techniques
- [T1027] Obfuscated/Compressed Files and Information β The dropper stores components as Base64 buffers inside the main dropper. βThe four Base64 encoded buffers inside the main dropper.β
- [T1112] Modify Registry β The dropper adds a registry key to implement the password filter. βHKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsa
Notification Packages = scecli, psgfilterβ - [T1552.002] Credentials in Registry β The password filter intercepts plaintext passwords and can harvest them from compromised machines. βThe malicious actor can capture and harvest every password from the compromised machines even after the modification.β
- [T1071.002] Application Layer Protocol: Mail β Data exfiltration via Exchange Web Services (EWS): βThe main backdoor function β¦ uses it for data exfiltration purposes. The main function of this stage is to take the stolen password from the argument and send it to the attackers as an attachment in an email. We also observed that the threat actors relay these emails via government Exchange Servers using vaild accounts with stolen passwords.β
Indicators of Compromise
- [SHA256] β 5ed7ebc339af6ca6a5d1b9b45db6b3ae00232d9ccd80d5fcadf7680320bd4e6b β Context: Dropped file DevicesSrv.exe; detected as Backdoor.MSIL.REDCAP.A
- [SHA256] β 827366355c6429a7fe12d111e240c5bcec3ed61e717fb84ea8b771672dd1f88e β Context: Dropped file psgfilter.dll; detected as Trojan.Win64.REDCAP.AF
- [File name] β DevicesSrv.exe β Context: Main backdoor component used for exfiltration
- [File name] β psgfilter.dll β Context: Password filter DLL registered in LSA
- [Emails] β Jaqueline[.]Herrera@proton[.]me, Ciara[.]Stoneburner@proton[.]me, marsha[.]fischer556@gmail[.]com, Kathryn[.]Firkins@proton[.]me, Susan[.]potts454@proton[.]me, Earl[.]butler945@gmail[.]com β Context: Used as targets for exfiltration relay
- [Malware] β Backdoor.MSIL.REDCAP.A, Trojan.Win64.REDCAP.AF, Trojan.MSIL.REDCAP.AD β Context: Detections cited in the IOC table
Read more: https://www.trendmicro.com/en_us/research/23/b/new-apt34-malware-targets-the-middle-east.html