New Marlin Backdoor Used by Iranian Hackers in 'Out to Sea' Espionage Campaign

The new Marlin backdoor is being used by Iranian hackers as part of a long-running espionage campaign that started in April 2018. The attacks, codenamed “Out to Sea,” are attributed to a threat actor called OilRig (aka APT34) and are also connected with activities of a second Iranian group tracked under the name Lyceum (aka Hexane or SiameseKitten), according to ESET.

ESET mentioned in a post, “Victims of the campaign include diplomatic organizations, technology companies, and medical organizations in Israel, Tunisia, and the United Arab Emirates.”

The hacking group has been active since at least 2014, targeting Middle Eastern governments and a variety of business verticals, including chemical, energy, financial, and telecommunications. In April 2021 the threat actors attacked a Lebanese entity with an implant called SideTwist. Lyceum has also carried out earlier campaigns singling out IT companies in Israel, Morocco, Tunisia, and Saudi Arabia.

The Lyceum infection chains have evolved to drop multiple backdoors since the campaign came to light in 2018, starting with DanBot and transitioning to Shark and Milan in 2021. Later attacks, discovered in August 2021, leveraged a new data collection malware called Marlin.

The operators moved away from traditional OilRig TTPs, which involved the use of DNS and HTTPS for command-and-control (C&C) communications. Marlin instead makes use of Microsoft’s OneDrive API for its C2 operations.

According to ESET, spear phishing as well as remote access and administration software like ITbrain and TeamViewer were used to gain initial access to the network. ESET described the similarities in tools and tactics between OilRig’s backdoors and those of Lyceum as “too numerous and specific.”

The researchers further added, “The ToneDeaf backdoor primarily communicated with its C&C over HTTP/S but included a secondary method, DNS tunneling, which does not function properly.” They continued, “Shark has similar symptoms, where its primary communication method uses DNS but has a non-functional HTTP/S secondary option.”

Earlier, in July 2019, the APT34 actor targeted a broad range of industries operating in the Middle East using ToneDeaf, a malware family that supports collecting system information, uploading and downloading files, and arbitrary shell command execution.

The findings of ESET researchers also point to the overlapping use of DNS as a C&C communication channel and the employment of HTTP/S as a secondary communication method across both groups. The bad actors also used multiple folders in the backdoor’s working directory for uploading and downloading files from the C&C server.
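Because the DNS C&C channel recurs across these families, a defender's first question is how such traffic looks in DNS logs. The following is an added illustration, not code from ESET's report or this article: a small heuristic that flags clients issuing many unique, long, high-entropy subdomains under one registered domain, run over constructed log lines in an assumed "client qname" format (the domain names below are placeholders, not indicators from the campaign).

```python
import math
from collections import defaultdict

# Constructed sample DNS query log (client IP, queried name); not real telemetry.
# The last four 10.0.0.7 queries mimic encoded data carried in subdomain labels.
SAMPLE_LOG = """\
10.0.0.5 www.example.com
10.0.0.5 mail.example.com
10.0.0.9 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.example.org
10.0.0.7 4f3a9c1e2b7d8e6f0a1b2c3d4e5f6a7b.tunnel-placeholder.example
10.0.0.7 9e8d7c6b5a4f3e2d1c0b9a8f7e6d5c4b.tunnel-placeholder.example
10.0.0.7 1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d.tunnel-placeholder.example
10.0.0.7 0f1e2d3c4b5a69788796a5b4c3d2e1f0.tunnel-placeholder.example
10.0.0.9 cdn.example.net
"""


def shannon_entropy(s: str) -> float:
    """Bits per character; encoded payloads score high, plain words score low."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def flag_tunneling(log_text: str, min_unique: int = 3,
                   min_label_len: int = 24, min_entropy: float = 3.0) -> dict:
    """Return {(client, registered_domain): unique_subdomain_count} for pairs
    where a client queried at least `min_unique` distinct subdomains whose
    longest label is both long and high-entropy (assumed heuristic thresholds).
    The registered domain is approximated as the last two labels."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue  # skip malformed lines rather than crash on them
        client, qname = parts
        labels = qname.rstrip(".").lower().split(".")
        if len(labels) < 3:
            continue  # no subdomain to carry data
        sub_labels, domain = labels[:-2], ".".join(labels[-2:])
        longest = max(sub_labels, key=len)
        if len(longest) >= min_label_len and shannon_entropy(longest) >= min_entropy:
            seen[(client, domain)].add(".".join(sub_labels))
    return {k: len(v) for k, v in seen.items() if len(v) >= min_unique}
```

The 10.0.0.9 query with a 32-character but zero-entropy label is deliberately not flagged, showing why length alone is a poor signal; thresholds need tuning against a baseline of the monitored network's own traffic.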
