A recent phishing campaign by Iran-linked threat actor APT34 made use of a savvy approach: asking victims to join their social network.
According to FireEye, the adversaries masqueraded as a Cambridge University lecturer, including setting up a LinkedIn page, in order to gain victims’ trust. From there the attackers asked their “friends” to open malicious documents.
APT34, a.k.a. OilRig or Greenbug, specializes in cyber-espionage activity, and is known for attacks targeting a variety of organizations operating in the Middle East, including financial, energy and government entities.
“They use a mix of public and non-public tools to collect strategic information that would benefit nation-state interests pertaining to geopolitical and economic needs,” FireEye noted in a writeup on the campaign on Thursday. In the phishing effort, the non-public tools included three new malware families and featured a reappearance of Pickpocket, malware that has been observed exclusively in use by APT34, according to the firm.
The group was posing as a researcher from Cambridge, and was found to have added three new malware families to its spy arsenal.