APT34 uses weaponized Word documents to deploy malware | spcilvly

APT34 is a secret cyber espionage group specializing in Middle East targets, known for gathering sensitive intelligence through phishing and advanced infiltration methods.

The sophistication and comprehensive resources of the APT34 group pose a significant threat to regional and global cybersecurity.

They have carried out high-profile cyber attacks in the Middle East against various targets: –

  • Governmental agencies
  • Critical infrastructure
  • Telecommunications
  • Key regional entities

Cybersecurity researchers at Trend Micro recently detected new APT34-associated malware, called Menorah, in a phishing attack in August.

This newly identified malware was delivered via a malicious document and was specifically designed for cyber espionage activities with the following capabilities:-

  • Machine identification
  • read files
  • Upload files
  • Download files
  • Download additional malware


Free Trial

Implementing “Trustifi” AI-powered email security solutions can protect your business from today’s most dangerous email threats such as tracking, blocking, modification, phishing, account takeover, business email compromise, malware and ransomware.

Infection chain

When a victim opens a malicious document, the infection chain begins, triggering the creation of a scheduled task that establishes persistence.

Infection chain
Chain of infection (Source – Trend Micro)

While the hidden macros that are present in the document place a .NET malware named “Menorah.exe” in the following directory:-

  • <%ALLUSERSPROFILE%\Office356>

Next, program Menorah.exe to run under the name “OneDriveStandaloneUpdater”, with some macros that handle string manipulation, decoding, and task creation.

Macros for string transformation
Macros for string transformation (Source – Trend Micro)

APT34: Malicious Word Documents

The malicious document .NET malware excels at cyberespionage, with abilities such as fingerprinting, file manipulation, and remote commands.

The latest variant of SideTwist increases stealth with improved traffic hashing and starts with precise argument checking.

Without the argument, the malware stops executing, allowing it to evade detection in analytical environments such as sandboxes.

Analysts found the C&C server and a timer at http(:)//tecforsc-001-site1(.)gtempurl.com/ads.asp, used for communication every 32 seconds. The malware fingerprints the machine as {MachineNameUsername} and encrypts it to calculate the MD5 hash.

The MD5 hash and {MachineNameUsername} format are XORed with a string, Base64 encoded, and sent to the C&C server via an HTTP request as a system fingerprint.

Sending the 'fingerprint' of the victim system
Sending the ‘fingerprint’ of the victim system (Source – Trend Micro)

During analysis, it was anticipated that the down C&C server would return an encrypted message, likely Base64 encoded.

The decrypted message is divided into an array, and each value dictates specific actions by the malware.

The continuous development of APT34 shows its adaptability. They leverage resources and various skills to customize tactics for specific targets, ensuring successful cyberespionage.


  • SHA256: 8a8a7a506fd57bde314coe6154f2484f280049f2bda504d43704b9ad412d5d618
  • Trojan.W97M.SIDETWIST.AB (Detections)
  • SHA256: 64156f9ca51951a9bf91b5b74073d31c16873ca60492c25895c1f0f074787345
  • Trojan.MSIL.SIDETWIST.AA (Detections)


  • hxxp://tecforsc-001-site1(.)gtempurl(.)com/ads.asp

Protect yourself from vulnerabilities using Patch Manager Plus to quickly patch over 850 third-party applications. Take advantage of the Free Trial to guarantee 100% security.

Leave a Reply

Your email address will not be published. Required fields are marked *