Iranian Threat Group Targets LinkedIn Users (Jul 23, 2019)
The Iranian Advanced Persistent Threat (APT) group APT34 (also known as OilRig) has once again been found conducting malicious activity on the social networking site LinkedIn, according to FireEye researchers. The threat actors created LinkedIn profiles pretending to be a member of Cambridge University and used them to distribute malicious documents. These documents were found to infect users with APT34's custom credential-stealing malware PICKPOCKET. Researchers also identified three new malware families the group has added to its arsenal: LONGWATCH (a keylogger), TONEDEAF (a backdoor), and VALUEVAULT (a credential stealer).
Recommendation: Defense-in-depth (layering security mechanisms, redundancy, and fail-safe defense processes) is the best way to limit exposure to APTs, with attention to both network and host-based security. Prevention and detection capabilities should also be in place. Furthermore, all employees should be educated on the risks of spearphishing messages, including approaches made through social networks such as LinkedIn, and on how to identify such attempts.
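One concrete host-based detection for the delivery vector described above (a malicious document sent by a fake social-network contact) is to alert when an Office application spawns a child process it normally never would. The script below is an added example written for this briefing; it is not code from the original page, from FireEye, or from APT34's tooling. It assumes a simplified "key=value; key=value" rendering of Sysmon Event ID 1 (process creation) records with the fields Image, ParentImage and CommandLine, and the sample log lines are constructed, not real telemetry. The lists of Office parents and suspicious children are the author's starting point and should be tuned to the environment.

```python
"""Flag Office applications spawning script hosts, LOLBins, or binaries
from user-writable paths: a host-based detection for document-delivered
malware. Added example; log format and field names are assumptions."""
import re
from dataclasses import dataclass
from typing import Dict, List

# Parent processes that should not normally launch anything but helpers.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Child processes commonly abused by macro or exploit payloads to stage a backdoor.
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe",
}

# Locations a document-dropped payload can write to without admin rights.
USER_WRITABLE = re.compile(
    r"\\(Users\\[^\\]+\\AppData|Users\\Public|ProgramData|Windows\\Temp)\\", re.I
)


@dataclass
class Finding:
    line_no: int
    parent: str
    child: str
    reason: str


def parse(line: str) -> Dict[str, str]:
    """Split a 'key=value; key=value' record into a dict (assumed log format)."""
    fields = {}
    for part in line.split("; "):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(lines: List[str]) -> List[Finding]:
    """Return one Finding per process-creation event that matches the rule."""
    findings = []
    for n, line in enumerate(lines, 1):
        f = parse(line)
        if f.get("EventID") != "1":        # only process-creation events
            continue
        parent = basename(f.get("ParentImage", ""))
        child = basename(f.get("Image", ""))
        if parent not in OFFICE_PARENTS:
            continue
        if child in SUSPICIOUS_CHILDREN:
            findings.append(Finding(n, parent, child, "office spawned script host or LOLBin"))
        elif USER_WRITABLE.search(f.get("Image", "")):
            findings.append(Finding(n, parent, child, "office spawned binary from user-writable path"))
    return findings


# Constructed sample records (not real telemetry). Lines 1 and 2 should fire;
# line 3 is a benign print helper, line 4 is a normal document open from
# Explorer, and line 5 is a network event that the rule ignores.
SAMPLE_LOG = [
    r"EventID=1; Image=C:\Windows\System32\cmd.exe; ParentImage=C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE; CommandLine=cmd.exe /c copy tmp.dat %TEMP%\x.exe",
    r"EventID=1; Image=C:\Users\alice\AppData\Local\Temp\update.exe; ParentImage=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE; CommandLine=update.exe",
    r"EventID=1; Image=C:\Windows\splwow64.exe; ParentImage=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE; CommandLine=splwow64.exe 12288",
    r"EventID=1; Image=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE; ParentImage=C:\Windows\explorer.exe; CommandLine=WINWORD.EXE /n C:\Users\alice\Downloads\CV.docx",
    r"EventID=3; Image=C:\Windows\System32\svchost.exe; DestinationIp=10.0.0.5",
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_LOG):
        print(f"line {hit.line_no}: {hit.parent} -> {hit.child} ({hit.reason})")
```

The rule is deliberately narrow so it stays quiet on normal Office behaviour (print spooler helpers, Explorer launching Word); expect to extend OFFICE_PARENTS and SUSPICIOUS_CHILDREN, and to add exceptions for legitimate add-ins, before deploying it against production Sysmon data.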
Indicators of Compromise (IOCs) associated with this story are available to ThreatStream users to identify potential malicious activity.