Sponsored By

Breaking cybersecurity news, news analysis, commentary, and other content from around the world, with an initial focus on the Middle East & Africa.

Iran-Linked APT34 Spy Campaign Targets Saudis

The Menorah malware can upload and download files, as well as execute shell commands.

Dark Reading Staff

October 2, 2023

1 Min Read
Burning hanukkah candles in a menorah on black background
Source: Zee via Alamy Stock Photo

A phishing campaign which drops cyber espionage malware is taking aim at users in the Middle East.

The campaign is mounted by the infamous advanced persistent threat known as APT34 (aka OilRig, Helix Kitten, Cobalt Gypsy), and employs a custom tool that researchers have dubbed "Menorah." This malware is capable of identifying the target's machine, reading and uploading files from the machine, and downloading other files or malware.

According to research by Trend Micro, the document used in the attack contains pricing information in Saudi Riyal, which could indicate at least one targeted victim is inside Saudi Arabia.

Linked to Iran, APT34 typically focuses on collecting sensitive intelligence, and has been involved in high-profile cyberattacks against a diverse range of targets in the Middle East, including government agencies, critical infrastructure, telecommunications, and key regional entities.

Trend Micro's researchers said that a changing of tactics and tools is typical of APT groups and demonstrates their resources and varied skills. Being able to create new pieces of malware and tools allows such groups to continuously deploy new techniques "to ensure success in intrusions, stealth, and cyberespionage."

About the Author(s)

Dark Reading Staff

Dark Reading

Dark Reading is a leading cybersecurity media site.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights