Malwarebytes reports that APT34, also known as Helix Kitten, is on a destructive path and has dropped a new backdoor called Saitama on victims, this time at the Jordanian Foreign Ministry!!!
A malicious Excel document was discovered dropping the new Saitama backdoor on victims by way of a deadly macro embedded in the document. Helix Kitten attacked its victims by sending Jordanian ministry staff a phishing e-mail titled "Receipt of Confirmation" with the Excel document attached. The sender of the malicious e-mails also pretended to be a Jordanian government official, with a Jordanian logo in the e-mail.
When the Excel document is opened, an eNotif function is called that runs in the background, identifying the victim and their IP address and reporting when the malware's commands are executed. eNotif also checks whether a mouse is connected to the victim's PC, and if so, 'Update.exe', 'Update.exe.config' and 'Microsoft.Exchange.WenServices.dll' are created in the %APPDATA%/MicrosoftUpdate directory, opening the back door for Saitama :(
The Saitama backdoor is written in .NET and abuses the DNS protocol for its command-and-control communications. Helix Kitten uses techniques such as compression and long random sleep times to hide the malicious traffic among legitimate traffic. The backdoor is designed as a finite state machine, which means it changes behaviour depending on the command sent, which can be BEGIN, END, ALIVE, SLEEP, RECEIVE, DO or SEND.
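For defenders, the two observables above (Excel writing the three loader files into %APPDATA%\MicrosoftUpdate, and the dropped loader talking to its C2 over DNS) can be checked in endpoint telemetry. The script below is an added example, not code from Malwarebytes or from the report: it runs over constructed Sysmon-style events (file creations and DNS queries, each with the originating process image) and alerts on an Office process creating the named files in a MicrosoftUpdate directory, and on any process issuing many distinct query names under one parent domain. The second check is a generic DNS-C2 heuristic and an assumption on my part, since the page does not describe Saitama's query format; the domain `example-c2.test` and the threshold of 20 names are likewise constructed.

```python
"""Added detection example for the Saitama drop and DNS-C2 observables.
Events are constructed for the example, not real telemetry."""
from collections import defaultdict

# Loader files named in the write-up, matched case-insensitively on the file name.
DROPPED_FILES = {"update.exe", "update.exe.config", "microsoft.exchange.wenservices.dll"}
DROP_DIR = "microsoftupdate"                      # %APPDATA%\MicrosoftUpdate
OFFICE_PROCESSES = {"excel.exe", "winword.exe", "powerpnt.exe"}
# Assumed heuristic: this many distinct names under one parent domain from one process.
DNS_SUBDOMAIN_THRESHOLD = 20


def _basename(path):
    """Last path component, lower-cased; accepts both slash styles."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _parent_dir(path):
    """Name of the directory directly containing the file, lower-cased."""
    parts = path.replace("/", "\\").split("\\")
    return parts[-2].lower() if len(parts) >= 2 else ""


def detect_drops(events):
    """Alert when an Office process writes one of the loader files into MicrosoftUpdate."""
    alerts = []
    for kind, image, detail in events:
        if kind != "FileCreate" or _basename(image) not in OFFICE_PROCESSES:
            continue
        if _parent_dir(detail) == DROP_DIR and _basename(detail) in DROPPED_FILES:
            alerts.append(f"{_basename(image)} wrote {detail}")
    return alerts


def _parent_domain(name):
    """Crude registrable-domain guess: the last two labels."""
    labels = name.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else name.lower()


def detect_dns_tunneling(events, threshold=DNS_SUBDOMAIN_THRESHOLD):
    """Count distinct query names per (process, parent domain); return pairs over threshold."""
    seen = defaultdict(set)
    for kind, image, detail in events:
        if kind == "DnsQuery":
            seen[(_basename(image), _parent_domain(detail))].add(detail.lower())
    return {key: len(names) for key, names in seen.items() if len(names) >= threshold}


def build_sample_events():
    """Constructed (event_type, process_image, detail) tuples for the example."""
    excel = r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"
    chrome = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
    drop = r"C:\Users\alice\AppData\Roaming\MicrosoftUpdate"
    events = [
        ("FileCreate", excel, drop + r"\Update.exe"),
        ("FileCreate", excel, drop + r"\Update.exe.config"),
        ("FileCreate", excel, drop + r"\Microsoft.Exchange.WenServices.dll"),
        ("FileCreate", excel, r"C:\Users\alice\Documents\budget.xlsx"),   # benign save
        ("DnsQuery", chrome, "www.example.com"),                          # benign browsing
        ("DnsQuery", chrome, "cdn.example.com"),
    ]
    # The dropped loader issuing 25 distinct labels under one constructed C2 domain.
    for i in range(25):
        events.append(("DnsQuery", drop + r"\Update.exe", f"q{i:03d}.example-c2.test"))
    return events


def run():
    """Run both detections over the constructed events."""
    events = build_sample_events()
    return detect_drops(events), detect_dns_tunneling(events)


if __name__ == "__main__":
    drops, dns = run()
    for alert in drops:
        print("DROP:", alert)
    for (proc, parent), count in dns.items():
        print(f"DNS: {proc} issued {count} distinct names under {parent}")
```

Against the constructed events the drop check fires three times (one per loader file) while the benign workbook save is ignored, and the DNS check flags only the loader's 25 names under `example-c2.test`, not the browser's two lookups. In a real environment the parent-domain guess should use a public-suffix list, and the threshold needs tuning per network, since CDNs and telemetry services legitimately fan out across many subdomains.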
The malicious Excel document, the payload and the victims targeted are why Malwarebytes says APT34 aka Helix Kitten is behind this disgusting act against Jordan. The Iranian regime will never stop interfering with others!! Please friends, never open suspicious Excel attachments!!