SideTwist

Malware Profile Updated 2 months ago
SideTwist is a malware family discovered and named by Check Point Research during an investigation into a campaign run by the Iranian threat group APT34 (also known as OilRig). The backdoor was used against what appeared to be a Lebanese target. The SideTwist sample, identified by its unique MD5, SHA1, and SHA256 hashes, communicated with a command and control (C2) server at IP address 11.0.188.38:443. SideTwist was first documented in April 2021 as an APT34 implant capable of file download, file upload, and command execution.

The latest SideTwist variant is a .NET malware and an improved version of the original C-based implant discovered in 2021. It can fingerprint the targeted host, list directories and files, upload selected files from the compromised system, execute shell commands, and download files to the system. This version also adds enhanced hashing of its network traffic for increased stealth and performs a precise argument check at startup. Another variant, Menorah, is based on OilRig's original SideTwist malware and shows similar capabilities, including uploading files from the compromised system.

APT34's recent activity shows ongoing development and deployment of SideTwist variants. NSFOCUS uncovered an OilRig phishing attack that deployed a new SideTwist variant, and an updated version of SideTwist has been reported as the payload of a phishing attack likely targeting U.S. businesses. These developments indicate that SideTwist is under continuous enhancement and remains an evolving threat.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID | Votes | Profile Description
Menorah | 1 | The Menorah malware, a novel and malicious software, was discovered in October 2023 as part of a cyberespionage operation conducted by Iranian advanced persistent threat (APT) group, OilRig. Also known as APT34, Helix Kitten, Hazel Sandstorm, and Cobalt Gypsy, the group has been strengthening its cy
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Payload
Backdoor
Trojan
Malware
Implant
Phishing
Associated Malware
ID | Type | Votes | Profile Description
No associations to display
Associated Threat Actors
ID | Type | Votes | Profile Description
APT34 | Unspecified | 2 | APT34, also known as OilRig, EUROPIUM, Hazel Sandstorm, and Crambus among other names, is a threat actor believed to be operating on behalf of the Iranian government. Operational since at least 2014, APT34 has been involved in long-term cyber espionage operations primarily focused on reconnaissance
OilRig | Unspecified | 2 | OilRig is a well-known threat actor in the cybersecurity landscape, notorious for its sophisticated attacks on various targets, including Middle Eastern telecommunications organizations and Israel's critical infrastructure sector. This entity has been linked to several high-profile campaigns such as
Associated Vulnerabilities
ID | Type | Votes | Profile Description
No associations to display
Source Document References
Information about the SideTwist malware was read from the document corpus below. This display is limited to 20 results.
Source | Created At | Title
CERT-EU | 9 months ago | New Menorah malware bolsters OilRig APT's cyberespionage efforts
CERT-EU | 9 months ago | APT34 Employs Weaponized Word Documents to Deploy New Malware Strain
CERT-EU | 9 months ago | Iranian APT34 Employs Menorah Malware for Covert Operations
CERT-EU | 9 months ago | Iranian APT Group OilRig Using New Menorah Malware for Covert Operations
CERT-EU | 10 months ago | Iranian Nation-State Actor OilRig Targets Israeli Organizations
CERT-EU | 10 months ago | Alert: Phishing Campaigns Deliver New SideTwist Backdoor and Agent Tesla Variant
CERT-EU | 10 months ago | Hacker Group Disguised as Marketing Company to Attack Enterprise Targets
MITRE | a year ago | Iran’s APT34 Returns with an Updated Arsenal - Check Point Research