Earth Simnavaz (aka APT34) Attack Detection: Iranian Hackers Leverage Windows Kernel Vulnerability to Target UAE and Gulf Region

Earth Simnavaz (aka APT34) Attack Detection

Amid a spike in cyber-espionage efforts by North Korean APT groups targeting Southeast Asia under the SHROUDED#SLEEP campaign, cybersecurity experts are raising alarms about a parallel wave of attacks orchestrated by Iran-affiliated hackers. This newly discovered campaign focuses on spying on organizations across the UAE and Gulf regions. Known as Earth Simnavaz APT (also referred to as APT34 or OilRig), this group deploys advanced backdoor strains to abuse Microsoft Exchange servers and steal login credentials. In addition, they are exploiting a new critical Windows Kernel vulnerability (CVE-2024-30088) for privilege escalation, further enhancing their ability to infiltrate systems undetected.

Detect Earth Simnavaz (aka APT34) Attacks 

In 2024, APT groups from various global regions, such as China, North Korea, Iran, and russia, showed a marked increase in dynamic and innovative offensive capabilities, creating substantial challenges for the global cybersecurity landscape. To detect potential malicious activity at the early stages, cyber defenders can rely on SOC Prime Platform for collective cyber defense serving the world’s largest library of detection rules and actionable threat intelligence. 

Press the Explore Detections button below to explore a curated stack of Sigma rules addressing the most recent Earth Simnavaz campaign against the UAE and Gulf regions. The rules are compatible with 30+ SIEM, EDR, and Data Lake solutions and mapped to the MITRE ATT&CK® framework to smooth out threat investigation. Additionally, the detections are enriched with extensive metadata, including CTI references, attack timelines, triage & audit recommendations, and more. 

Explore Detections

Furthermore, to retrospectively analyze the activities of Earth Simnavaz (APT34) and stay updated on the group’s evolving TTPs, cyber defenders can access a broader set of detection rules. Browse the Threat Detection Marketplace using the “APT34” tag or use the following link to explore the APT34 rule collection directly.

Earth Simnavaz aka APT34 Attack Analysis

The Iranian nation-backed hacking group tracked as Earth Simnavaz aka APT34 and OilRig has been observed leveraging CVE-2024-30088, a previously patched Windows Kernel elevation of privilege vulnerability during a cyber-espionage operation against the UAE and the wider Gulf region. Trend Micro has made research into Earth Simnavaz’s latest activities revealing new details about the evolution of the group’s offensive toolkit and the pressing threat it presents to the critical infrastructure organizations in the UAE. According to researchers, cyber-attacks linked to the APT34 group have significantly increased, focusing on government sectors in the Middle East.

In the latest attacks, Earth Simnavaz employs a novel advanced backdoor, which targets on-premises Microsoft Exchange servers to steal sensitive credentials, including accounts and passwords. The group also continues to exploit the dropped password filter policy DLL, enabling them to extract plain-text passwords, highlighting their evolving tactics and ongoing threats to organizations.

The advancing adversary toolkit also involves the group’s experimenting with the RMM tool ngrok, enabling attackers to tunnel traffic and maintain control over compromised systems. In addition, Earth Simnavaz leverages a mix of custom .NET tools, PowerShell scripts, and IIS-based malware to camouflage their activities within regular network traffic, evading traditional detection methods.

At the initial attack stage, adversaries weaponize a vulnerable web server to deploy a web shell, followed by using the ngrok utility to maintain persistence and move laterally within the network. Then attackers take advantage of the privilege escalation flaw, CVE-2024-30088, to deliver the STEALHOOK backdoor, which exfiltrates stolen data through the Exchange server as email attachments sent to an attacker-controlled address.

As APT34 increases its focus on the Middle East, specifically targeting government sectors in the Gulf region for cyber espionage and data theft, enhancing defenses against the group’s emerging threats is crucial for at-risk organizations. Rely on SOC Prime’s complete product suite for AI-powered detection engineering, automated threat hunting, and advanced threat detection to future-proof your organization’s cybersecurity posture while optimizing resource efficiency.  

The post Earth Simnavaz (aka APT34) Attack Detection: Iranian Hackers Leverage Windows Kernel Vulnerability to Target UAE and Gulf Region appeared first on SOC Prime.