SideTwist

Malware updated 5 months ago (2024-05-04T16:15:42.439Z)
Download STIX
Preview STIX
SideTwist is a malware variant discovered and named by Check Point Research during an investigation into a campaign led by the Iranian threat group APT34 (also known as OilRig). This new backdoor variant was used against what appeared to be a Lebanese target. The SideTwist backdoor, identified via its unique MD5, SHA1, and SHA256 hashes, communicated with a Command and Control (CnC) server at IP address 11.0.188.38:443. The initial discovery of SideTwist dates back to April 2021 when it was documented as an implant used by APT34 capable of file download/upload and command execution. The latest variant of SideTwist is a .NET malware, an improved version of the original C-based SideTwist implant discovered in 2021. It has various features to fingerprint the targeted host, list directories and files, upload selected files from the compromised system, execute shell commands, and download files to the system. This version also includes enhanced traffic hashing for increased stealth and begins with a precise argument check. Another variant, Menorah, based on OilRig's original SideTwist malware, demonstrated similar capabilities along with compromised system file uploading. APT34's recent activities reveal an ongoing development and deployment of SideTwist variants. NSFOCUS uncovered an OilRig phishing attack that resulted in the deployment of a new variant of SideTwist malware. In addition, there are reports of an updated version of SideTwist being delivered as part of a phishing attack likely targeting U.S. businesses. These developments suggest that SideTwist is under continuous enhancement, indicating an evolving threat landscape.
Description last updated: 2024-05-04T16:15:42.392Z
What's your take? (Question 1 of 3)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Aliases We are not currently tracking any aliases
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Backdoor
Payload
Analyst Notes & Discussion
Be the first to leave your mark here! Log in to share your views and vote.
Associated Threat Actors
To see the evidence that has resulted in these threatActor associations, create a free account
Alias DescriptionAssociation TypeVotes
The APT34 Threat Actor is associated with SideTwist. APT34, also known as OilRig, Helix Kitten, and Hazel Sandstorm, is a threat actor group suspected to be linked to Iran. This group has been operational since at least 2014 and is believed to be involved in long-term cyber espionage operations largely focused on reconnaissance efforts to benefit IranUnspecified
2
The OilRig Threat Actor is associated with SideTwist. OilRig, also known as APT34, Helix Kitten, Cobalt Gypsym, Lyceum, Crambus, or Siamesekitten, is a notorious threat actor linked to numerous malicious activities. The group has been associated with various well-known campaigns such as DarkHydrus, xHunt, SUNBURST, and Decoy Dog, all of which leveragedUnspecified
2