Security researchers say they have uncovered a phishing campaign, likely organized by the Iran-backed APT34 group, that sought to infect Westat employees with malware.
U.S. companies and institutions are the usual targets of APT34, and hackers are always looking to compromise prominent organizations, usually via phishing campaigns. In this case, Westat was the intended target because the company focuses on research for agencies of the U.S. government, as well as for businesses, foundations, and state and local governments.
The phishing campaign didn’t follow a shotgun approach, but was aimed directly at Westat employees. The phishing emails carried a ‘survey.xls’ file that relied on macros to do its work. Even with macros disabled by default, opening the file prompts the user to allow macros in order to view its content. Once the file was opened with macros allowed, a new version of the TONEDEAF malware was deployed.
“Westat understands that in their effort to identify threats and malware, Intezer has identified a malicious file that uses the Westat name and logo,” explained the company. “This file was not created by, hosted by, or sent from Westat, and is likely the result of a bad actor stealing the Westat brand name and logo.”
“Our cybersecurity team is working with Intezer and others to fully understand the nature of this report. We will continue to monitor the situation and respond accordingly.”
From what the security researchers found, the goal of the campaign appears to have been to deliver TONEDEAF, a backdoor that lets operators at a Command and Control server collect data, run commands, and even upload files, and to deploy the VALUEVAULT malware, a browser credential tool.
The APT34 efforts were thwarted, for now, but the group is likely trying numerous avenues at the same time to increase its chances.