Iran's APT34 Abuses MS Exchange to Spy on Gulf Govts

Published: 23/11/2024   Category: security




A MOIS-aligned threat group has been using Microsoft Exchange servers to exfiltrate sensitive data from Gulf-state government agencies.



An Iranian threat actor has been ramping up its espionage against Gulf-state government entities, particularly those within the United Arab Emirates (UAE).
APT34 (aka Earth Simnavaz, OilRig, MuddyWater, Crambus, Europium, Hazel Sandstorm) is a group that has been previously tied to the Iranian Ministry of Intelligence and Security (MOIS). It's known to spy on high-value targets in major industries across the Middle East: oil and gas; finance; chemicals; telecommunications; other forms of critical infrastructure; and governments. Its attacks have demonstrated a sophistication befitting its targets, with suites of custom malware and an ability to evade detection for long periods of time.
Recently, Trend Micro has observed a notable rise in APT34's espionage and theft of sensitive information from Middle East government agencies. These newer cases have featured a new backdoor, StealHook, which uses Microsoft Exchange servers to exfiltrate credentials useful for escalating privileges and performing follow-on supply chain attacks.
Recent APT34 attacks have begun with Web shells deployed to vulnerable Web servers. These Web shells allow the hackers to run PowerShell code, and download or upload files from or to the compromised server.
One tool it downloads, for example, is ngrok, legitimate reverse proxy software for creating secure tunnels between local machines and the broader Internet. APT34 weaponizes ngrok as a means of command-and-control (C2) that tunnels through firewalls and other network security barricades, facilitating its path to a network's Domain Controller.
"One of the most impressive feats we've observed from APT34 is their skill in crafting and fine-tuning stealthy exfiltration channels that allow them to steal data from high-profile sensitive networks," notes Sergey Shykevich, threat intelligence group manager at Check Point Research, which recently uncovered an APT34 espionage campaign against Iraqi government ministries. In its prior campaigns, the group has mostly secured its C2 communications via DNS tunneling and compromised email accounts.
To obtain greater privileges on infected machines, APT34 has been exploiting CVE-2024-30088. Discovered through the Trend Micro Zero Day Initiative (ZDI) and patched back in June, CVE-2024-30088 allows attackers to gain system-level privileges in Windows. It affects multiple versions of Windows 10 and 11, and Windows Server 2016, 2019, and 2022, and received a high-severity score of 7 out of 10 in the Common Vulnerability Scoring System (CVSS). That rating would've been higher, but for the fact that it requires local access to a system and isn't simple to exploit.
APT34's best trick, though, is its technique for abusing Windows password filters.
Windows allows organizations to implement custom password security policies — for example, to enforce good hygiene among users. APT34 drops a malicious DLL into the Windows system directory, registering it like one would a legitimate password filter. That way, if a user changes their password — a good cybersecurity practice to do often — APT34's malicious filter will intercept it, in plaintext.
To complete its attack, APT34 calls on its newest backdoor, StealHook. StealHook retrieves domain credentials that allow it into an organization's Microsoft Exchange servers. Using the targeted organization's servers and stolen email accounts, the backdoor can now exfiltrate stolen credentials and other sensitive government data via email attachments.
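Because a password filter is just a DLL named in one registry value, the registration itself is the cheapest place for defenders to look. The script below is an added example written for this page, not code from the article or from Trend Micro: it reads the LSA "Notification Packages" value that Windows consults at boot, resolves each entry to its DLL under System32, and reports whether the entry is in a documented baseline, whether the file exists, its Authenticode signature status and signer, and its SHA-256. The baseline list is an assumption that must be adjusted per host (domain controllers commonly carry more entries than workstations), and the script is meant to be run with administrative rights.

```powershell
# Added example (not from the article): audit LSA password-filter registration.
# Windows loads every DLL listed in the REG_MULTI_SZ value "Notification Packages"
# under HKLM\SYSTEM\CurrentControlSet\Control\Lsa from %SystemRoot%\System32 at
# boot and hands each password change to it, which is the mechanism the article
# describes being abused. Anything not in your baseline needs an explanation.

$lsaKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
# Assumption: a documented baseline for this host. 'scecli' is the stock entry;
# domain controllers and hosts with RRAS/other roles legitimately add more.
$baseline = @('scecli', 'rassfm')

$packages = (Get-ItemProperty -Path $lsaKey -Name 'Notification Packages').'Notification Packages'

foreach ($name in $packages) {
    if ([string]::IsNullOrWhiteSpace($name)) { continue }

    # Entries are bare module names; the loader appends .dll and looks in System32.
    $dllPath = Join-Path $env:SystemRoot "System32\$name.dll"

    $report = [ordered]@{
        Package    = $name
        InBaseline = ($baseline -contains $name)
        Path       = $dllPath
        Exists     = (Test-Path -Path $dllPath)
        SigStatus  = 'NotChecked'
        Signer     = $null
        SHA256     = $null
    }

    if ($report.Exists) {
        $sig = Get-AuthenticodeSignature -FilePath $dllPath
        $report.SigStatus = $sig.Status.ToString()
        if ($sig.SignerCertificate) { $report.Signer = $sig.SignerCertificate.Subject }
        $report.SHA256 = (Get-FileHash -Path $dllPath -Algorithm SHA256).Hash
    }

    $obj = [pscustomobject]$report
    # Surface the cases worth a closer look: unknown entries, unsigned or
    # invalidly signed binaries, or an entry whose DLL is missing from System32.
    if (-not $obj.InBaseline -or $obj.SigStatus -ne 'Valid') {
        Write-Warning ("Review password filter '{0}': baseline={1} exists={2} signature={3}" -f `
            $obj.Package, $obj.InBaseline, $obj.Exists, $obj.SigStatus)
    }
    $obj
}
```

Run it across domain controllers first, since that is where a filter sees every domain password change; pipe the objects to `Export-Csv` to diff against a previous run. Pair the audit with a watch on changes to that registry value and on the Security log event recorded when a notification package is loaded at boot (Event ID 4614), so that a newly added filter is noticed before the next password rotation rather than after.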
"The technique of abusing Exchange for data exfiltration and C&C is very effective and hard to detect," says a Trend Micro researcher, who chose to be anonymous for this story. "It has been used for years in [APT34's] Karkoff backdoor, and most of the time it evades detection."
Besides exfiltrating sensitive account credentials and other government data, APT34 has also been known to leverage this level of access in one organization to carry out follow-on attacks against others tied to it.
"For some time now, the threat actor has fully compromised a specific organization, and then used its servers to initiate a new attack against another organization (having a trust relationship with the infected one). In this case, the threat actor can leverage Exchange to send phishing emails," the researcher says.
He adds that government agencies in particular often relate to one another closely, so the threat actor could compromise this trust.
