APT34 targets Jordan Government using new Saitama backdoor

APT34 (OilRig/COBALT GYPSY) targeted Jordan’s government with a new backdoor called Saitama delivered via a malicious Excel macro. The backdoor uses DNS-based C2, a finite-state machine, and various anti-analysis and persistence techniques, indicating a targeted operation against the Jordanian government and related sectors. #APT34 #Saitama #Jordan #OilRig #COBALTGYPSY

Keypoints

  • The attack began with a spearphishing email sent to a Jordanian government official containing an Excel attachment named “Confirmation Receive Document.xls” that includes a malicious macro.
  • Enabling the macro swaps the decoy image shown in the document and runs a multistep macro flow that includes DNS-based notifications to the attacker and a persistence mechanism.
  • The macro creates a persistent scheduled task named MicrosoftUpdate to launch the backdoor binary (Update.exe) and related components.
  • The dropped payload is Saitama, a .NET backdoor that uses a finite-state machine to control its behavior and communicates with C2 servers via DNS, aiming to blend in with normal traffic.
  • The backdoor uses Base32 encoding for data and subdomain generation, and employs compression and long sleep times to mask traffic patterns.
  • The operator does not send arbitrary commands: the backdoor carries a predefined list (stored Base64-encoded) of PowerShell and CMD commands for discovery, covering system information, user and network enumeration.

MITRE Techniques

  • [T1071.004] DNS – Saitama carries its command and control traffic over DNS queries and responses rather than HTTP(S), so the beacon looks like ordinary name resolution. ‘Saitama backdoor abuses the DNS protocol for its command and control communications.’
  • [T1059.001] PowerShell – The backdoor’s predefined command list contains PowerShell one-liners (e.g., Get-NetIPAddress -AddressFamily IPv4 | Select-Object IPAddress) that it runs on the operator’s instruction.
  • [T1059.003] Windows Command Shell – The same predefined list also contains CMD commands such as whoami and net user.
  • [T1053.005] Scheduled Task – The macro registers a scheduled task named MicrosoftUpdate to achieve persistence. ‘The name of the scheduled task is MicrosoftUpdate and is used to make update.exe persistent.’
  • [T1027] Obfuscated Files and Information – The malware compresses data before transmission to disguise the traffic and data flows between the backdoor and C2.
  • [T1132] Data Encoding – The backdoor uses Base32 encoding for sending data to the servers and for building subdomains. ‘Base32 encoding that is similar to what was reported by Mandiant.’
  • [T1041] Exfiltration Over C2 Channel – Command output goes back to the operator inside DNS query names: the backdoor splits the data into buffers and sends each one as a separate request, while the server’s replies carry only 4 bytes per request (i.e., one IPv4 address), so the channel is narrow and chatty. ‘The data … split this data in different buffers… every DNS request is capable of receiving 4 bytes.’
  • [T1566.001] Phishing: Spearphishing Attachment – The lure is an email carrying an Excel document decorated with the coat of arms of the Government of Jordan; the macro inside it delivers the backdoor. ‘The malicious email was sent … with an Excel file called “Confirmation Receive Document.xls”.’
  • [T1059.005] Visual Basic – The Excel attachment’s VBA macro drives the multistep dropper flow (image swap, DNS notification, scheduled task creation) that installs the backdoor; the PowerShell and CMD commands above are executed later by the backdoor during its Receive/Do phases.
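The DNS channel described in the Keypoints and in the T1071.004, T1132 and T1041 entries above (Base32-encoded subdomains outbound, data chunked across many queries, 4 bytes per response inbound) is easier to reason about, and to detect, with a working model. The block below is an added example written for this page, not Saitama’s code or anything from the Malwarebytes post: it encodes and decodes a chunked Base32 subdomain stream, unpacks the 4-byte-per-answer return path, and runs a detection pass over constructed resolver log lines. The chunk size, the ‘<seq>.<base32>.<apex>’ label layout, the log line format, the two-label apex extraction and the thresholds are assumptions; the three apex domains are the ones listed in the Indicators of Compromise section.

```python
# Added example (not Saitama's code, not from the Malwarebytes post): models the
# Base32 DNS-tunnel encoding described on this page and a detection pass over
# constructed resolver log lines. Chunk size, label layout ("<seq>.<b32>.<apex>"),
# log format and thresholds are assumptions for illustration.
import base64
import re

# C2 apex domains from the Indicators of Compromise list on this page.
C2_DOMAINS = {"uber-asia.com", "asiaworldremit.com", "joexpediagroup.com"}
CHUNK = 30                 # 30 raw bytes -> 48 Base32 chars, inside the 63-char DNS label limit
MANY_SUBDOMAINS = 8        # distinct names per (client, apex) before we call it a tunnel
B32_LABEL = re.compile(r"^[a-z2-7]{20,}$")  # long label drawn only from the Base32 alphabet


def b32_label(data: bytes) -> str:
    """Base32 with '=' padding stripped and lower-cased so it passes for a hostname label."""
    return base64.b32encode(data).decode("ascii").rstrip("=").lower()


def b32_unlabel(label: str) -> bytes:
    """Inverse of b32_label: restore case and pad to a multiple of 8 characters."""
    text = label.upper()
    return base64.b32decode(text + "=" * (-len(text) % 8))


def encode_exfil(payload: bytes, apex: str, chunk: int = CHUNK) -> list[str]:
    """Client -> server: one query name per chunk, sequence number first so the
    server can reassemble out-of-order or retried queries."""
    return [f"{i // chunk}.{b32_label(payload[i:i + chunk])}.{apex}"
            for i in range(0, len(payload), chunk)]


def decode_exfil(qnames: list[str]) -> bytes:
    """Server side: reassemble the chunks by sequence number."""
    parts = {}
    for qname in qnames:
        seq, label, *_ = qname.split(".")
        parts[int(seq)] = b32_unlabel(label)
    return b"".join(parts[k] for k in sorted(parts))


def unpack_a_records(answers: list[str]) -> bytes:
    """Server -> client: each IPv4 A record in a response carries 4 bytes of data."""
    return b"".join(bytes(int(octet) for octet in ip.split(".")) for ip in answers)


def flag_dns_queries(log_lines: list[str]) -> list[tuple[str, list[str]]]:
    """Detection pass over 'timestamp client qname qtype' lines (constructed format).
    Flags a query for any of: known C2 apex, a long Base32-only label, or a client
    that has queried many distinct names under one apex (tunnel volume)."""
    per_client_apex: dict[tuple[str, str], set[str]] = {}
    parsed = []
    for line in log_lines:
        _ts, client, qname, _qtype = line.split()
        labels = qname.rstrip(".").lower().split(".")
        apex = ".".join(labels[-2:])   # naive apex: last two labels (no public-suffix list)
        parsed.append((client, qname, labels[:-2], apex))
        per_client_apex.setdefault((client, apex), set()).add(qname)

    hits = []
    for client, qname, sub, apex in parsed:
        reasons = []
        if apex in C2_DOMAINS:
            reasons.append("known-c2-domain")
        if any(B32_LABEL.match(label) for label in sub):
            reasons.append("base32-label")
        if len(per_client_apex[(client, apex)]) >= MANY_SUBDOMAINS:
            reasons.append("many-subdomains")
        if reasons:
            hits.append((qname, reasons))
    return hits


# Constructed sample: two benign lookups plus a tunnelled 'net user' result.
PAYLOAD = b"User accounts for \\\\WS01\n" + b"Administrator  Guest  jdoe\n" * 10
EXFIL_QUERIES = encode_exfil(PAYLOAD, "uber-asia.com")
SAMPLE_LOG = [
    "2022-05-11T10:00:00Z 10.1.2.3 www.example.com A",
    "2022-05-11T10:00:01Z 10.1.2.3 mail.example.com A",
] + [f"2022-05-11T10:00:{2 + i:02d}Z 10.1.2.3 {q} A" for i, q in enumerate(EXFIL_QUERIES)]

if __name__ == "__main__":
    for qname, why in flag_dns_queries(SAMPLE_LOG):
        print(qname, why)
```

The Base32-label heuristic on its own will false-positive on some CDN and telemetry hostnames, which is why the pass also scores known-domain matches and per-client query volume; in production, replace the two-label apex guess with a public-suffix list and run the volume check per time window rather than over the whole log.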

Indicators of Compromise

  • [File name] Confirmation Receive Document.xls – Maldoc used in spearphishing email
  • [File hash] Maldoc – 26884f872f4fae13da21fa2a24c24e963ee1eb66da47e270246d6d9dc7204c2b
  • [File hash] Saitama backdoor – e0872958b8d3824089e5e1cfab03d9d98d22b9bcb294463818d721380075a52d
  • [Domain] C2 domains – uber-asia.com, asiaworldremit.com, joexpediagroup.com

Read more: https://blog.malwarebytes.com/threat-intelligence/2022/05/apt34-targets-jordan-government-using-new-saitama-backdoor/