AskCyberSecurity.com

Cyber Security News & Information

Iranian Hackers Target LinkedIn Users with Malware Attack

2019-07-22 by Michelle Dvorak

Iranian Hacker Group APT34 Targets LinkedIn Users with Three New Malware Families

Iranian hackers have launched a new malware attack. The attack starts on the social networking site LinkedIn with an invitation to connect. Once the recipient accepts the connection, the hacker tries to trick them into downloading malicious files. The campaign was discovered in June by cyber security research firm FireEye and is being carried out by Advanced Persistent Threat group APT34, an Iranian state-sponsored hacking organization.

In this LinkedIn malware attack an invitation to connect is sent through LinkedIn’s platform. The profile that initiates the connection claims the LinkedIn user is a member of Cambridge University. I received one of these invitations (below). Depending on their notification settings, victims may also receive the connection invitation as an email. Masquerading as a member of Cambridge University, the hacker sends a very business-like message in an attempt to get the recipient to open malicious documents.

[Screenshot: Hacker LinkedIn Connection Malware]

Iranian Hacking Skills Evolve

The FireEye post stated that, “The identification of new malware and the creation of additional infrastructure to enable such campaigns highlights the increased tempo of these operations in support of Iranian interests.” This attack shows that APT34 has added three new malware families to its toolset. After a victim accepts the LinkedIn connection, the hacker sends a private message asking the target to check the accuracy of a supposed business file. In the sample obtained by FireEye, the attachment is a malicious Microsoft Excel spreadsheet (seen in the LinkedIn screenshot from FireEye). When opened, the spreadsheet drops a file into C:\Users\\.templates that is presented as a Microsoft Word document but is really an executable. That executable creates scheduled tasks for persistence and collects data about the infected machine.


Three malware families are used in this attack. Their combined purpose is to collect information about the infected system, steal stored credentials and keystrokes, upload files, and download additional malware:

  • VALUEVAULT extracts the credentials stored in the Windows Vault (Credential Manager) so the attacker can view them. It also pulls browser history so that saved web logins can be matched to the sites they belong to.
  • LONGWATCH is a keylogger that writes captured keystrokes to a log.txt file in the Windows temp folder.
  • TONEDEAF is a new backdoor that communicates with the attacker’s command-and-control server over HTTP or DNS and is used to send stolen data out and receive further instructions.

A variant of PICKPOCKET malware was also identified. PICKPOCKET is a browser credential-theft tool.
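The behaviours described above (an executable dropped into a user’s .templates folder, persistence through scheduled tasks, and LONGWATCH’s log.txt in the temp folder) are enough to triage a Windows host. The script below is an added example written for this post, not code from FireEye or from the malware; the paths it checks are assumptions drawn from the descriptions above (the username in C:\Users\\.templates is not given in the post, so every profile is checked), and the matches it reports are leads for an analyst, not a verdict.

```powershell
# Added triage example (not from the article or FireEye). Run from an elevated
# PowerShell prompt so every user profile and every scheduled task is visible.
# Paths and patterns are assumptions based on the behaviour described in the post.

$findings    = @()
$profileRoot = Join-Path $env:SystemDrive 'Users'
$profiles    = Get-ChildItem -Path $profileRoot -Directory -ErrorAction SilentlyContinue

# 1. Files in a ".templates" folder directly under any user profile.
#    The dropper writes its payload to C:\Users\<user>\.templates.
foreach ($profile in $profiles) {
    $templates = Join-Path $profile.FullName '.templates'
    if (-not (Test-Path -LiteralPath $templates)) { continue }
    foreach ($file in Get-ChildItem -LiteralPath $templates -File -Force -ErrorAction SilentlyContinue) {
        # Check the real file header, not the extension: a ".doc" that starts
        # with "MZ" is a Windows executable wearing a document's name.
        $header = New-Object byte[] 2
        $stream = [System.IO.File]::OpenRead($file.FullName)
        $read   = $stream.Read($header, 0, 2)
        $stream.Close()
        $isPe = ($read -eq 2) -and ($header[0] -eq 0x4D) -and ($header[1] -eq 0x5A)
        $note = if ($isPe) { 'PE header (MZ) present' } else { 'not a PE file' }
        $findings += [pscustomobject]@{
            Indicator = 'File in user .templates folder'
            Detail    = $file.FullName
            Note      = $note
        }
    }
}

# 2. Scheduled tasks whose action runs something out of a user profile.
#    The dropped executable persists via scheduled tasks. Expect benign hits
#    (per-user updaters also live under \Users\); review each one.
foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
    foreach ($action in $task.Actions) {
        $cmd = "$($action.Execute) $($action.Arguments)"
        if ($cmd -match '\\Users\\[^\\]+\\' -or $cmd -match '\.templates') {
            $findings += [pscustomobject]@{
                Indicator = 'Scheduled task running from a user profile'
                Detail    = "$($task.TaskPath)$($task.TaskName)"
                Note      = $cmd
            }
        }
    }
}

# 3. A keystroke log: LONGWATCH writes log.txt to the Windows temp folder.
#    Check the system temp directory and each user's local temp directory.
$tempDirs = @((Join-Path $env:SystemRoot 'Temp'))
foreach ($profile in $profiles) {
    $tempDirs += Join-Path $profile.FullName 'AppData\Local\Temp'
}
foreach ($dir in $tempDirs) {
    $log = Join-Path $dir 'log.txt'
    if (Test-Path -LiteralPath $log) {
        $item = Get-Item -LiteralPath $log
        $findings += [pscustomobject]@{
            Indicator = 'log.txt in a temp folder (possible keylogger output)'
            Detail    = $log
            Note      = "size $($item.Length) bytes, modified $($item.LastWriteTime)"
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No artifacts matching the described behaviour were found.'
} else {
    $findings | Format-Table -AutoSize -Wrap
}
```

The header check matters more than the filename: the post’s point is that the dropped “Word document” is an executable, so a file that looks like a document but begins with the MZ signature is the strongest of the three indicators. Scheduled-task and temp-folder hits need manual review, since legitimate software also creates per-user tasks and temporary files.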

[Screenshot: APT34 LinkedIn Message, from FireEye]

What is an APT Group?

An Advanced Persistent Threat (APT) group is an organized group of hackers, many of which operate under the direction of a government agency. Security researchers often give them other names, such as Fancy Bear and Refined Kitten. APT34 is also called OilRig and Helix Kitten. Many APT groups conduct cyber espionage on behalf of their sponsors, steal technology, and steal money to help pay for other activities. APT groups target large corporations and other governments. They tend to follow a “low and slow” strategy rather than fast, brute-force attacks, which allows their intrusions to go undetected for years. APT33 is another one of Iran’s hacking groups.

Who is APT34?

APT34 is an Iranian state-sponsored hacking group that has been active since at least 2014. The group focuses on data collection and attacks targets in the Middle East, particularly the financial sector, energy, utilities, and oil and gas industries as well as government entities. However, with recent tensions between the United States and Iran, and between Britain and Iran, APT34 attacks against US and European targets are expected to increase. The United States and Iran recently traded a volley of hacking attempts; the US operation was intended to disable Iranian military missile guidance systems.

What is Malware?

Malware is any unwanted program, app, or file that is installed on a laptop, router, smartphone, or other internet-connected device with malicious intent. It can be used for anything from downloading more malware, to spying on the device’s activity, transmitting data about the device’s owner, and stealing banking credentials or credit card numbers. Malware can infect a device without the owner’s knowledge. It is often delivered by a phishing email, and social engineering is frequently part of the initial attack vector, as it is in this LinkedIn campaign.

How do I Protect Myself Against Malware?

Decline APT34’s LinkedIn invitation to join their professional network. Do not accept suspicious or incomplete-looking profiles as connections. Treat any Office document that a brand-new connection asks you to “check” as hostile, and do not enable macros to view it: the spreadsheet used in this campaign can only drop its executable if the recipient allows its macro to run.

I did receive a suspicious-looking LinkedIn connection (above) from someone who supposedly worked at Cambridge University. I did not accept it because it seemed sketchy: a person working for a university in Boston stating their location as New York. Although remote work is possible, it warranted further scrutiny of their full profile. Their user profile was not complete, so I rejected it. When I checked back to write this post, the profile was unavailable.

Filed Under: Malware Tagged With: APT34, Iran

About Michelle Dvorak

Michelle writes about cyber security and data privacy, focusing on social media privacy as well as how to protect your IoT devices. She has worked in internet technology for over 20 years and owns METRONY, LLC. Michelle earned a B.S. in Engineering from Rensselaer Polytechnic Institute. Michelle published a guide to Cyber Security for Business Travelers.


Copyright © 2023 · AskCyberSecurity.com · METRONY, LLC