Severity
High
Analysis Summary
Researchers have recently identified signs of malicious infrastructure associated with APT34, also known as OilRig, a group suspected to be linked to Iranian state-sponsored cyber activities. This group is known for targeting sectors such as education, government, energy, telecommunications, and non-governmental organizations.
Although no active malware was detected, the setup of this infrastructure, including shared SSH keys, consistent HTTP decoy behavior on port 8080, and thematic domain patterns, provides critical insights for cybersecurity defenders. These patterns suggest meticulous pre-operational planning by the threat actors. For instance, the domain biam-iraq[.]org transitioned through various IP addresses over several months, indicating a deliberate staging process. Servers returned a static “404 Not Found” page titled “Document” on port 8080, a decoy response consistent with APT34-linked infrastructure noted in previous reports.
Additionally, unrelated .eu domains such as plenoryvantyx[.]eu and zyverantova[.]eu, hosted on the same network, posed as UK tech firms with fabricated branding. These sites featured generic content and stock imagery to appear legitimate. A notable indicator was the reuse of a single SSH fingerprint across multiple servers within a short timeframe, pointing to a shared provisioning routine.
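To turn the two infrastructure tells described above into a hunt across your own telemetry, here is an added example (not code from the report or its authors) that scores inventoried hosts on the decoy "Document" 404 on port 8080 and on SSH host-key reuse across servers; the record format, the host addresses and the fingerprints are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample records (not real scan data): one entry per host, as an
# internal asset inventory or passive scanner might export them. The
# addresses and fingerprints are example values.
OBSERVATIONS = [
    {"host": "198.51.100.10", "port": 8080, "http_status": 404,
     "http_body": "<html><head><title>Document</title></head><body>404 Not Found</body></html>",
     "ssh_fingerprint": "SHA256:aaaa-example-shared-key"},
    {"host": "198.51.100.11", "port": 8080, "http_status": 404,
     "http_body": "<html><head><title>Document</title></head><body>404 Not Found</body></html>",
     "ssh_fingerprint": "SHA256:aaaa-example-shared-key"},
    {"host": "198.51.100.12", "port": 8080, "http_status": 404,
     "http_body": "<html><head><title>404 Not Found</title></head></html>",
     "ssh_fingerprint": "SHA256:bbbb-example-unique-key"},
    {"host": "203.0.113.5", "port": 80, "http_status": 200,
     "http_body": "<html><head><title>Welcome</title></head></html>",
     "ssh_fingerprint": "SHA256:cccc-example-unique-key"},
]

# The report describes a static 404 page whose <title> is "Document" on port 8080.
TITLE_RE = re.compile(r"<title>\s*Document\s*</title>", re.IGNORECASE)


def matches_decoy_404(record):
    """True when a host shows the decoy response described in the report."""
    return (record.get("port") == 8080 and record.get("http_status") == 404
            and TITLE_RE.search(record.get("http_body") or "") is not None)


def shared_ssh_fingerprints(records):
    """Return {fingerprint: [hosts]} for SSH host keys seen on more than one host."""
    seen = defaultdict(set)
    for r in records:
        if r.get("ssh_fingerprint"):
            seen[r["ssh_fingerprint"]].add(r["host"])
    return {fp: sorted(hosts) for fp, hosts in seen.items() if len(hosts) > 1}


def score_hosts(records):
    """Combine both signals into a 0-2 score per host for analyst triage.
    Neither signal alone is conclusive; both together warrant a closer look."""
    shared = shared_ssh_fingerprints(records)
    scores = {}
    for r in records:
        score = int(matches_decoy_404(r)) + int(r.get("ssh_fingerprint") in shared)
        scores[r["host"]] = max(scores.get(r["host"], 0), score)
    return scores


if __name__ == "__main__":
    for host, score in sorted(score_hosts(OBSERVATIONS).items(), key=lambda kv: -kv[1]):
        print(f"{host}: {score}")
```

A key reused by a legitimate cloud image or load balancer will also trigger the fingerprint signal, so treat the score as a triage aid rather than a verdict.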
Impact
- Cyber Espionage
Indicators of Compromise
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Regularly update and patch all systems and software to fix known vulnerabilities that APT34 might exploit.
- Implement multi-factor authentication (MFA) for all user accounts to add an extra layer of security against unauthorized access.
- Monitor network traffic for unusual activities, such as unexpected data transfers or connections to unfamiliar IP addresses.
- Use endpoint detection and response (EDR) tools to identify and respond to threats on individual devices.
- Conduct regular security awareness training for employees to recognize phishing attempts and other social engineering tactics.
- Limit user privileges to only what is necessary for their roles, reducing the potential impact of compromised accounts.
- Maintain up-to-date threat intelligence feeds to stay informed about APT34's latest tactics, techniques, and procedures.
- Develop and regularly test an incident response plan to ensure quick action in the event of a security breach.
- Utilize intrusion detection and prevention systems (IDPS) to detect and block malicious activities in real-time.
- Regularly back up critical data and ensure backups are stored securely and tested for integrity.