APT34 Hacking Group's Hacking Tools, Webshell, Malware Code and C2 Server IPs Leaked on Telegram

A group of hackers calling itself “Lab Dookhtegan” has leaked powerful hacking tools, malware source code and webshell URLs belonging to the APT34 hacking group via a Telegram channel with roughly 30 members.

APT34 is a well-known hacking group believed to operate out of Iran's Ministry of Intelligence; it appears to target financial, energy, telecommunications and chemical companies around the world.

The leak of APT34 material on Telegram contains malware source code, a PowerShell payload, a server-side C2 module written in Node.js, and an ASP webshell dubbed “HighShell” with more than 30k lines of code.

The leak began on March 26, when an unknown individual from the Dookhtegan group posted an archive of source code on Telegram.

An archive dubbed “Poison Frog” contains a panel with the server-side components and a PowerShell payload written by APT34, an Iranian cyber-espionage group.

Another part of the leak is an archive of 120 webshell URLs on domains in a variety of countries.

The PowerShell script is responsible for the first stage of the payload: it connects to the C2 server and downloads two further PowerShell payloads.

According to misterch0c, who analysed the samples: “It also creates a scheduled task, one has the administrator and one has a normal user, these tasks will run the two dropped PowerShell scripts.”

When these samples were first seen on VirusTotal, only 2 antivirus engines detected them as malicious.

DNSpionage Tool & WebShell On Telegram

A DNS hijacking tool called DNSpionage is also part of the leak. APT34 developed it to perform man-in-the-middle attacks, hijacking DNS in order to steal authentication details.


WebShell for secret communication

In the same affair, an individual using a brand-new Twitter account, Mr_L4nnist3r, contacted x0rz and said that he was a former developer of APT34.

He has access to top-secret data and hacking tools of Iran's Ministry of Intelligence, and Mr_L4nnist3r also claimed to be responsible for DNSpionage, a cyber-attack campaign attributed to Iran.

“The files are clearly related to hacking activities, mentioning internal servers of targets, webshell URLs and such. Only what a threat actor could harvest. Which means that either Mr_L4nnist3r is a former operator from APT34, or that APT34 (the MOIS) has been breached by a third party,” x0rz said.

The Lab Dookhtegan group claims on Telegram to have more information about the MOIS and says, “we are determined to continue to expose them”.

Dookhtegan also leaked data about some past APT34 operations, listing IP addresses and domains of the Iranian Ministry of Intelligence in the same Telegram group.

Apart from the tools posted in the group, the hackers behind the leak keep destroying the control panels of APT34's hacking tools and posting screenshots of this in the same Telegram group.

Many experts have tested the leaked tools and confirmed that they are authentic APT34 tooling.

Indicators of Compromise

myleftheart.com
C:\Users\Public\Public\atag[0-9]{4}[A-Z]{2}
C:\Users\Public\Public\dUpdater.ps1
C:\Users\Public\Public\hUpdated.ps1
C:\Users\Public\Public\UpdateTask.vbs

Webshell URLs
hxxps://202.183.235.31/owa/auth/signout.aspx
hxxps://202.183.235.4/owa/auth/signout.aspx
hxxps://122.146.71.136/owa/auth/error3.aspx
hxxps://59.124.43.229/owa/auth/error0.aspx
hxxps://202.134.62.169/owa/auth/signin.aspx
hxxps://202.164.27.206/owa/auth/signout.aspx
hxxps://213.14.218.51/owa/auth/logon.aspx
hxxps://88.255.182.69/owa/auth/getidtoken.aspx
hxxps://95.0.139.4/owa/auth/logon.aspx
hxxps://1.202.179.13/owa/auth/error1.aspx
hxxps://1.202.179.14/owa/auth/error1.aspx
hxxps://114.255.190.1/owa/auth/error1.aspx
hxxps://180.166.27.217/owa/auth/error3.aspx
hxxps://180.169.13.230/owa/auth/error1.aspx
hxxps://210.22.172.26/owa/auth/error1.aspx
hxxps://221.5.148.230/owa/auth/outlook.aspx
hxxps://222.178.70.8/owa/auth/outlook.aspx
hxxps://222.66.8.76/owa/auth/error1.aspx
hxxps://58.210.216.113/owa/auth/error1.aspx
hxxps://60.247.31.237/owa/auth/error3.aspx
hxxps://60.247.31.237/owa/auth/logoff.aspx
hxxps://202.104.127.218/owa/auth/error1.aspx
hxxps://202.104.127.218/owa/auth/exppw.aspx
hxxps://132.68.32.165/owa/auth/logout.aspx
hxxps://132.68.32.165/owa/auth/signout.aspx
hxxps://209.88.89.35/owa/auth/logout.aspx
hxxps://114.198.235.22/owa/auth/login.aspx
hxxps://114.198.237.3/owa/auth/login.aspx
hxxps://185.10.115.199/owa/auth/logout.aspx
hxxps://195.88.204.17/owa/auth/logout.aspx
hxxps://46.235.95.125/owa/auth/signin.aspx
hxxps://51.211.184.170/owa/auth/owaauth.aspx
hxxps://91.195.89.155/owa/auth/signin.aspx
hxxps://82.178.124.59/owa/auth/gettokenid.aspx
hxxps://83.244.91.132/owa/auth/logon.aspx
hxxps://195.12.113.50/owa/auth/error3.aspx
hxxps://78.100.87.199/owa/auth/logon.aspx
hxxps://110.74.202.90/owa/auth/errorff.aspx
hxxps://211.238.138.68/owa/auth/error1.aspx
hxxps://168.63.221.220/owa/auth/error3.aspx
hxxps://213.189.82.221/owa/auth/errorff.aspx
hxxps://205.177.180.161/owa/auth/erroref.aspx
hxxps://77.42.251.125/owa/auth/logout.aspx
hxxps://202.175.114.11/owa/auth/error1.aspx
hxxps://202.175.31.141/owa/auth/error3.aspx
hxxps://213.131.83.73/owa/auth/error4.aspx
hxxps://187.174.201.179/owa/auth/error1.aspx
hxxps://200.33.162.13/owa/auth/error3.aspx
hxxps://202.70.34.68/owa/auth/error0.aspx
hxxps://202.70.34.68/owa/auth/error1.aspx
hxxps://197.253.14.10/owa/auth/logout.aspx
hxxps://41.203.90.221/owa/auth/logout.aspx
hxxp://www.abudhabiairport.ae/english/resources.aspx
hxxps://mailkw.agility.com/owa/auth/RedirSuiteService.aspx
hxxp://www.ajfd.gov.ae/_layouts/workpage.aspx
hxxps://mail.alfuttaim.ae/owa/auth/change_password.aspx
hxxps://mail.alraidah.com.sa/owa/auth/GetLoginToken.aspx
hxxp://www.alraidah.com.sa/_layouts/WrkSetlan.aspx
hxxps://webmail.alsalam.aero/owa/auth/EventClass.aspx
hxxps://webmail.bix.bh/owa/auth/Timeoutctl.aspx
hxxps://webmail.bix.bh/owa/auth/EventClass.aspx
hxxps://webmail.bix.bh/ecp/auth/EventClass.aspx
hxxps://webmail.citc.gov.sa/owa/auth/timeout.aspx
hxxps://mail.cma.org.sa/owa/auth/signin.aspx
hxxps://mail.dallah-hospital.com/owa/auth/getidtokens.aspx
hxxps://webmail.dha.gov.ae/owa/auth/outlookservice.aspx
hxxps://webmail.dnrd.ae/owa/auth/getidtoken.aspx
hxxp://dnrd.ae:8080/_layouts/WrkStatLog.aspx
hxxps://www.dns.jo/statistic.aspx
hxxps://webmail.dsc.gov.ae/owa/auth/outlooklogonservice.aspx
hxxps://e-albania.al/dptaktkonstatim.aspx
hxxps://owa.e-albania.al/owa/auth/outlookdn.aspx
hxxps://webmail.eminsco.com/owa/auth/outlookfilles.aspx
hxxps://webmail.eminsco.com/owa/auth/OutlookCName.aspx
hxxps://webmail.emiratesid.ae/owa/auth/RedirSuiteService.aspx
hxxps://mailarchive.emiratesid.ae/EnterpriseVault/js/jquery.aspx
hxxps://webmail.emiratesid.ae/owa/auth/handlerservice.aspx
hxxp://staging.forus.jo/_layouts/explainedit.aspx
hxxps://government.ae/tax.aspx
hxxps://formerst.gulfair.com/GFSTMSSSPR/webform.aspx
hxxps://webmail.ictfund.gov.ae/owa/auth/owaauth.aspx
hxxps://jaf.mil.jo/ShowContents.aspx
hxxp://www.marubi.gov.al/aspx/viewpercthesaurus.aspx
hxxps://mail.mindware.ae/owa/auth/outlooktoken.aspx
hxxps://mail.mis.com.sa/owa/auth/Redirect.aspx
hxxps://webmail.moe.gov.sa/owa/auth/redireservice.aspx
hxxps://webmail.moe.gov.sa/owa/auth/redirectcache.aspx
hxxps://gis.moei.gov.ae/petrol.aspx
hxxps://gis.moenr.gov.ae/petrol.aspx
hxxps://m.murasalaty.moenr.gov.ae/signproces.aspx
hxxps://mail.mofa.gov.iq/owa/auth/RedirSuiteService.aspx
hxxp://ictinfo.moict.gov.jo/DI7Web/libraries/aspx/RegStructures.aspx
hxxp://www.mpwh.gov.jo/_layouts/CreateAdAccounts.aspx
hxxps://mail.mygov.ae/owa/auth/owalogin.aspx
hxxps://ksa.olayan.net/owa/auth/signin.aspx
hxxps://mail.omantourism.gov.om/owa/auth/GetTokenId.aspx
hxxps://email.omnix-group.com/owa/auth/signon.aspx
hxxps://mail.orange-jtg.jo/OWA/auth/signin.aspx
hxxp://fwx1.petra.gov.jo/SEDCOWebServer/global.aspx
hxxp://fwx1.petranews.gov.jo/SEDCOWebServer/content/rtl/QualityControl.aspx
hxxps://webmail.presflt.ae/owa/auth/logontimeout.aspx
hxxps://webmail.qchem.com/OWA/auth/RedirectCache.aspx
hxxps://meet.saudiairlines.com/ClientResourceHandler.aspx
hxxps://mail.soc.mil.ae/owa/auth/expirepw.aspx
hxxps://email.ssc.gov.jo/owa/auth/signin.aspx
hxxps://mail.sts.com.jo/owa/auth/signout.aspx
hxxp://www.sts.com.jo/_layouts/15/moveresults.aspx
hxxps://mail.tameen.ae/owa/auth/outlooklogon.aspx
hxxps://webmail.tra.gov.ae/owa/auth/outlookdn.aspx
hxxp://bulksms.umniah.com/gmgweb/MSGTypesValid.aspx
hxxps://evserver.umniah.com/index.aspx
hxxps://email.umniah.com/owa/auth/redirSuite.aspx
hxxps://webmail.gov.jo/owa/auth/getidtokens.aspx
hxxps://www.tra.gov.ae/signin.aspx
hxxps://www.zakatfund.gov.ae/zfp/web/tofollowup.aspx
hxxps://mail.zayed.org.ae/owa/auth/espw.aspx
hxxps://mail.primus.com.jo/owa/auth/getidtoken.aspx
C2 Servers
185.56.91.61
46.165.246.196
185.236.76.80
185.236.77.17
185.181.8.252
185.191.228.103
70.36.107.34
109.236.85.129
185.15.247.140
185.181.8.158
178.32.127.230
146.112.61.108
23.106.215.76
185.20.187.8
95.168.176.172
173.234.153.194
173.234.153.201
172.241.140.238
23.19.226.69
185.161.211.86
185.174.100.56
194.9.177.15
185.140.249.63
81.17.56.249
213.227.140.32
46.105.251.42
185.140.249.157
198.143.182.22
213.202.217.9
158.69.57.62
168.187.92.92
38.132.124.153
176.9.164.215
88.99.246.174
190.2.142.59
103.102.44.181
217.182.217.122
46.4.69.52
185.227.108.35
172.81.134.226
103.102.45.14
95.168.176.173
142.234.200.99
194.9.179.23
194.9.178.10
185.174.102.14
185.236.76.35
185.236.77.75
185.161.209.157
185.236.76.59
185.236.78.217
23.227.201.6
185.236.78.63
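The indicators above are only useful once they are matched against telemetry. The following Python is an added example, not code from the article or from any researcher it quotes. It takes a subset of the host paths, webshell URLs and C2 addresses listed above and runs them over constructed file-creation, web-access and firewall log lines in a made-up key=value format; it also covers the first-stage behaviour described earlier (scripts dropped under C:\Users\Public\Public\). Two design points a practitioner would want: webshell URLs are keyed on host plus path, because several of the listed paths (for example /owa/auth/logon.aspx) are also legitimate Exchange pages, and the atag[0-9]{4}[A-Z]{2} pattern is applied case-insensitively, which is my assumption for NTFS rather than the article's exact pattern.

```python
# Added example: match the article's leaked IoCs against constructed log lines.
# Indicator values are copied from the article's list (a subset); the log format
# and the log lines themselves are constructed for this example.
import ipaddress
import re
from urllib.parse import urlsplit

# Host artefacts: the article gives atag[0-9]{4}[A-Z]{2} as a pattern plus three fixed
# file names. NTFS paths are case-insensitive, so the match is case-insensitive here
# (an assumption that deliberately broadens the article's [A-Z]).
HOST_IOC_RE = re.compile(
    r"^C:\\Users\\Public\\Public\\(atag[0-9]{4}[A-Z]{2}|dUpdater\.ps1|hUpdated\.ps1|UpdateTask\.vbs)$",
    re.IGNORECASE,
)

# Webshell URLs exactly as the article defangs them (hxxp / hxxps).
WEBSHELL_URLS_DEFANGED = [
    "hxxps://202.183.235.31/owa/auth/signout.aspx",
    "hxxps://mail.cma.org.sa/owa/auth/signin.aspx",
    "hxxp://www.ajfd.gov.ae/_layouts/workpage.aspx",
    "hxxp://dnrd.ae:8080/_layouts/WrkStatLog.aspx",
]

C2_IPS = {"185.56.91.61", "46.165.246.196", "185.236.76.80", "185.236.77.17"}


def refang(url: str) -> str:
    """Restore the http(s):// scheme that the article writes as hxxp(s)://."""
    return re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)


def webshell_index(defanged_urls):
    """Map (hostname, lower-cased path) -> indicator string.

    Host and path are keyed together: paths such as /owa/auth/logon.aspx are also
    legitimate Exchange pages, so a path-only match would alert on every OWA logon.
    """
    index = {}
    for url in defanged_urls:
        parts = urlsplit(refang(url))
        index[(parts.hostname.lower(), parts.path.lower())] = url
    return index


def parse_kv(line: str) -> dict:
    """Parse one constructed key=value log line (values contain no spaces)."""
    return dict(tok.split("=", 1) for tok in line.split() if "=" in tok)


def scan_file_events(lines):
    """Return the paths of file-creation events that match a host indicator."""
    hits = []
    for line in lines:
        rec = parse_kv(line)
        if rec.get("event") == "FileCreate" and HOST_IOC_RE.match(rec.get("path", "")):
            hits.append(rec["path"])
    return hits


def scan_web_requests(lines, index):
    """Return the webshell indicator for each request whose host+path is indexed."""
    hits = []
    for line in lines:
        rec = parse_kv(line)
        host = rec.get("host", "").split(":")[0].lower()  # drop an explicit port
        path = rec.get("path", "").split("?")[0].lower()  # drop the query string
        if (host, path) in index:
            hits.append(index[(host, path)])
    return hits


def scan_connections(lines, c2_ips):
    """Return destination addresses of connections to a listed C2 address."""
    # ip_address() raises on a mistyped indicator instead of silently never matching.
    valid = {str(ipaddress.ip_address(ip)) for ip in c2_ips}
    hits = []
    for line in lines:
        dst = parse_kv(line).get("dst")
        if dst in valid:
            hits.append(dst)
    return hits


# Constructed samples: Sysmon-style file events, a reverse-proxy access log, a firewall log.
FILE_EVENTS = [
    r"ts=2019-04-18T09:10:00Z event=FileCreate path=C:\Users\Public\Public\atag1234AB",
    r"ts=2019-04-18T09:10:01Z event=FileCreate path=C:\Users\Public\Public\dupdater.ps1",
    r"ts=2019-04-18T09:10:02Z event=FileCreate path=C:\Users\Public\Public\atag12345AB",  # five digits: no hit
    r"ts=2019-04-18T09:10:03Z event=FileCreate path=C:\Users\Public\Public\notes.txt",
]
WEB_REQUESTS = [
    "ts=2019-04-18T09:12:01Z host=mail.cma.org.sa method=POST path=/owa/auth/signin.aspx status=200",
    "ts=2019-04-18T09:12:02Z host=mail.cma.org.sa method=GET path=/owa/auth/logon.aspx status=200",  # legitimate logon page
    "ts=2019-04-18T09:12:03Z host=www.ajfd.gov.ae method=POST path=/_layouts/WorkPage.aspx status=200",
    "ts=2019-04-18T09:12:04Z host=dnrd.ae:8080 method=GET path=/_layouts/WrkStatLog.aspx?cmd=1 status=200",
]
CONNECTIONS = [
    "ts=2019-04-18T09:15:00Z src=10.0.0.5 dst=185.56.91.61 dport=443 proto=tcp",
    "ts=2019-04-18T09:15:01Z src=10.0.0.6 dst=198.51.100.9 dport=443 proto=tcp",
]

if __name__ == "__main__":
    print("host:", scan_file_events(FILE_EVENTS))
    print("web: ", scan_web_requests(WEB_REQUESTS, webshell_index(WEBSHELL_URLS_DEFANGED)))
    print("net: ", scan_connections(CONNECTIONS, C2_IPS))
```

To use it against real data, replace the three constructed lists with your own records parsed into the same host/path/dst/event fields, and extend the indicator lists with the remaining entries from the section above.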

Balaji

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.
