When a false flag doesn’t work: Exploring the digital-crime underground at campaign preparation stage

At the beginning of October 2020 we found a copy of a malicious document tentatively attributed to the APT group known as APT34 / OilRig. The attribution, based on several elements found within the malicious document, was first reported by a security researcher on a social network.

According to the extracted evidence, the author “signed” this malicious document by leaving a username in the document metadata. This nickname was already widely known in the Cyber Threat Intelligence community because it had been attributed to a member of the threat group mentioned above.

The nickname is Iamfarhadzadeh, linked to Mohammad Farhadzadeh, who is believed to be a member of the hacking unit the community tracks as APT34 / OilRig. Proceeding further with our analysis of this threat, we extracted several pieces of evidence pointing instead to a common cyber-crime adversary. In particular, execution of the hidden macro downloaded a copy of a malicious executable identified as a variant of AgentTesla, a commodity information stealer that, to the best of our knowledge, has no ties to the threat actor named above.

This evidence led our research team to dig further, to understand who was behind this campaign and why that nickname was left in the document metadata. Such metadata is written by whoever prepares the file and can be set to any value, so on its own it is a weak attribution signal. Our first hypothesis was therefore a deliberate attempt to deceive security researchers, pushing them to attribute the campaign to a cyber-espionage operation by releasing a malicious document themed on a socio-political event.
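The check behind the two paragraphs above, as an added example that is not part of the original report: in an OOXML document (.docx/.docm) the author fields live in docProps/core.xml as dc:creator and cp:lastModifiedBy. The code below pulls those fields out of a document, compares them against a set of handles an analyst already associates with a known actor, and, to make the false-flag point concrete, also shows how trivially a document can be built with any name in those fields. The package it constructs is a minimal stand-in with only the metadata part (no document body), and the handle set and sample names are assumptions for the demonstration, not data from the analysed sample.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Namespaces used by the OOXML core-properties part (docProps/core.xml).
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
}

# Fields that typically carry a username; the "check" looks at exactly these.
AUTHOR_FIELDS = {"creator": "dc:creator", "last_modified_by": "cp:lastModifiedBy"}


def build_docx_with_metadata(creator: str, last_modified_by: str) -> bytes:
    """Build a minimal OOXML package (zip) whose core.xml names the given author.

    Constructed stand-in for a real document: only [Content_Types].xml and
    docProps/core.xml are present. It shows that the 'signature' an analyst sees
    in the metadata is just two attacker-controlled strings.
    """
    core_xml = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<cp:coreProperties xmlns:cp="%s" xmlns:dc="%s">'
        "<dc:creator>%s</dc:creator>"
        "<cp:lastModifiedBy>%s</cp:lastModifiedBy>"
        "</cp:coreProperties>"
    ) % (NS["cp"], NS["dc"], escape(creator), escape(last_modified_by))
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Override PartName="/docProps/core.xml" '
        'ContentType="application/vnd.openxmlformats-package.core-properties+xml"/>'
        "</Types>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("docProps/core.xml", core_xml)
    return buf.getvalue()


def extract_author_metadata(docx_bytes: bytes) -> dict:
    """Return the author-bearing core properties of an OOXML document.

    Returns {} for non-zip input (e.g. a legacy OLE .doc) or a package without
    docProps/core.xml, so callers can tell 'no metadata' from 'empty string'.
    """
    try:
        zf = zipfile.ZipFile(io.BytesIO(docx_bytes))
    except zipfile.BadZipFile:
        return {}
    with zf:
        if "docProps/core.xml" not in zf.namelist():
            return {}
        root = ET.fromstring(zf.read("docProps/core.xml"))
    found = {}
    for key, path in AUTHOR_FIELDS.items():
        el = root.find(path, NS)
        if el is not None and el.text and el.text.strip():
            found[key] = el.text.strip()
    return found


def fields_matching_known_handles(metadata: dict, known_handles: set) -> list:
    """Name the metadata fields whose value equals a handle already tied to an actor.

    Case-insensitive; a hit here is a lead to investigate, not an attribution,
    because the value is set by whoever authored the file.
    """
    lowered = {h.lower() for h in known_handles}
    return sorted(k for k, v in metadata.items() if v.lower() in lowered)


if __name__ == "__main__":
    # Assumed handle list; in practice this comes from the analyst's own CTI notes.
    known = {"Iamfarhadzadeh"}
    # Constructed sample: anyone can place a known handle in the author fields.
    sample = build_docx_with_metadata("Iamfarhadzadeh", "Windows User")
    meta = extract_author_metadata(sample)
    print("core.xml author fields:", meta)
    print("fields matching known handles:", fields_matching_known_handles(meta, known))
```

The match only tells you which field carries a familiar string; whether that string is a genuine operational slip or a deliberately planted false flag is decided by the rest of the evidence, as the AgentTesla payload did here.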

Download the full PDF report below: Adversary Tracking Report