Security researchers say they have uncovered a phishing campaign, likely organized by the Iran-backed APT34 group, that sought to infect Westat employees with malware.
U.S. companies and institutions are the usual targets of APT34, whose operators are constantly looking to compromise prominent organizations, usually via phishing campaigns. In this case, Westat was the intended target because the company conducts research for agencies of the U.S. government, as well as for businesses, foundations, and state and local governments.
The phishing campaign didn’t follow a shotgun approach; it was aimed directly at Westat employees. The phishing emails carried a ‘survey.xls’ attachment that, of course, relied on macros, which would run automatically if macros were enabled by default. Even with that setting at OFF, users would still be prompted to allow macros in order to view the file. Once the file was opened with macros allowed, a new version of the TONEDEAF malware was deployed.
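The macro prompt described above is the weak point in the default setting, so as an added example (not from the article or from the researchers involved) the following PowerShell audits an Excel installation’s macro policy and then replaces the "ask the user" behaviour with outright blocking. It assumes Office 2016/2019/365 (policy version key `16.0`) and that the policy keys live under HKCU; an organisation would normally push the same values via Group Policy instead.

```powershell
# Added example, not part of the original article: audit and harden the Excel macro
# policy on a Windows host. Office 2016/2019/365 use the "16.0" version key (assumption).
$Policy = 'HKCU:\Software\Policies\Microsoft\Office\16.0\Excel\Security'

# VBAWarnings values: 1 = enable all, 2 = disable with notification (the "Enable Content"
# prompt the article describes; also the default when the value is absent),
# 3 = allow digitally signed only, 4 = disable all without notification.
function Get-ExcelMacroPosture {
    $warn = (Get-ItemProperty -Path $Policy -Name VBAWarnings `
             -ErrorAction SilentlyContinue).VBAWarnings
    $motw = (Get-ItemProperty -Path $Policy -Name blockcontentexecutionfrominternet `
             -ErrorAction SilentlyContinue).blockcontentexecutionfrominternet
    [pscustomobject]@{
        VBAWarnings          = if ($null -eq $warn) { 'not set (prompt applies)' } else { $warn }
        BlockInternetMacros  = if ($motw -eq 1) { 'enabled' } else { 'disabled' }
        # True whenever a user could still click through and enable the macro
        UserCanEnableMacros  = ($null -eq $warn -or $warn -eq 1 -or $warn -eq 2)
    }
}

function Set-ExcelMacroHardening {
    if (-not (Test-Path $Policy)) { New-Item -Path $Policy -Force | Out-Null }
    # Block macros outright in files carrying the Mark-of-the-Web (mail attachments, downloads)
    Set-ItemProperty -Path $Policy -Name blockcontentexecutionfrominternet -Value 1 -Type DWord
    # Disable remaining unsigned macros without offering the "Enable Content" prompt
    Set-ItemProperty -Path $Policy -Name VBAWarnings -Value 4 -Type DWord
}

Write-Host 'Before:'; Get-ExcelMacroPosture | Format-List
Set-ExcelMacroHardening
Write-Host 'After:';  Get-ExcelMacroPosture | Format-List
```

A value of 4 also blocks legitimate macro workflows, so environments that depend on them usually choose 3 (signed macros only) and sign approved workbooks instead.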
“Westat understands that in their effort to identify threats and malware, Intezer has identified a malicious file that uses the Westat name and logo,” explained the company. “This file was not created by, hosted by, or sent from Westat, and is likely the result of a bad actor stealing the Westat brand name and logo.”
“Our cybersecurity team is working with Intezer and others to fully understand the nature of this report. We will continue to monitor the situation and respond accordingly.”
From what the security researchers found, the goal of the campaign appears to have been to deliver TONEDEAF, a backdoor that lets its operators, through a command-and-control server, collect data, run commands, and even upload files, and to deploy the VALUEVAULT malware, a tool for stealing browser credentials.
The APT34 efforts were thwarted, for now, but the group is likely pursuing numerous avenues at the same time to increase its chances.