Threats Feed

The Iranian APT group, Charming Kitten (APT35), targets human rights activities, academia, media organizations, and political entities in the US and Central Eastern countries. Notable attacks include the 2017 HBO hack, which led to leaked unaired TV episodes, and interference attempts in the 2019 US elections, primarily targeting email accounts. Tools used by APT35 include DownPaper, which utilizes PowerShell and registry manipulation, Mimikatz for credential dumping, PsExec for remote execution, and PupyRAT for cross-platform control via phishing techniques.

The Secureworks Counter Threat Unit analyzed a ransomware incident involving the Iranian COBALT MIRAGE threat group. The group exploited ProxyShell vulnerabilities, used a customized variant of Fast Reverse Proxy (FRPC) named TunnelFish, and encrypted servers using BitLocker. Despite attempts to erase their digital footprint, several tools and artifacts were recoverable, leading to the identification of associated individuals and entities, including Ahmad Khatibi, CEO of Afkar System Co., and Mansour Ahmadi, CEO of Najee Technology.

The Iran-aligned threat actor TA453 has introduced a novel technique known as Multi-Persona Impersonation (MPI) to its spear-phishing campaigns. This method involves the simultaneous use of multiple false identities to enhance the credibility of their social engineering attacks. Alongside MPI, TA453 uses a malicious Word document exploiting Remote Template Injection, codenamed "Korg," to exfiltrate data.

This Certfa Lab report details the cyber espionage activities of Charming Kitten (APT42), an Iranian state-sponsored hacking group. The report focuses on four specific operations ("Alfa," "Bravo," "Charlie," and "Delta"), illustrating how Charming Kitten uses sophisticated social engineering, primarily impersonating prominent individuals on LinkedIn and Twitter, to build trust with targets before delivering malicious links disguised as innocuous meeting requests or research materials. The attacks consistently leverage phishing to steal credentials, targeting researchers, academics, activists, and journalists with a particular focus on the Middle East and North Africa. The report aims to raise public awareness of Charming Kitten's tactics and provide recommendations for enhancing online security, particularly emphasizing the use of multi-factor authentication.

The DEV-0270 group, believed to be linked to the Iranian organization Secnerd/Lifeweb, has been conducting ransomware operations primarily by exploiting known vulnerabilities in Exchange and Fortinet. The group typically targets organizations with exposed and vulnerable servers. Their tactics involve account discovery, credential dumping, account creation, process injection, privilege escalation, and data encryption. They also use evasion techniques like disabling antivirus tools, and masquerading malicious activities under legitimate processes. Notably, the group uses lateral movement methods like Remote Desktop Protocol and WMIExec for propagation across networks.

A new tool called HYPERSCRAPE, discovered by Google Threat Analysis Group in December 2021, has been found to be used by Charming Kitten to steal user data from Gmail, Yahoo and Microsoft Outlook accounts. HYPERSCRAPE requires the victim's account credentials to run, and once logged in, it changes the account's language settings to English, downloads messages individually as .eml files, and reverts the language back to its original settings once the inbox has been downloaded.

Yellow Garuda has been observed using a new Telegram 'grabber' tool alongside Android malware for domestic targeting, including victims likely linked to the Iranian music industry. The threat actor has been active since 2012, primarily using phishing attacks to harvest credentials. Despite operational security errors, Yellow Garuda has expanded its toolset to include macro-enabled template files. The observed document lures used themes related to nuclear energy, weapons, US shipping ports, and Iran's relationship with the Taliban, indicating potential targeting of a wide range of sectors.

This Proofpoint report details the escalating targeting of journalists and media organisations by state-sponsored advanced persistent threats (APTs). The report highlights how groups linked to China (TA412, TA459), North Korea (TA404), Iran (TA453, TA456, TA457), and Turkey (TA482) are using a variety of methods, including phishing emails with malicious attachments or web beacons for reconnaissance and social media credential harvesting, to achieve their intelligence and propaganda goals. The report highlights the persistent nature of the threat, the variety of tactics used, and the importance of enhanced security measures for journalists to protect their sources and the integrity of their reporting. Ultimately, it aims to raise awareness of this specific cybersecurity threat and encourage proactive protection measures within the media sector.

This report from Check Point Research details an Iranian spear-phishing campaign targeting high-profile former Israeli and US officials. According to Check Point, the high-profile targets of this operation include Tzipi Livni, former Israeli Foreign Minister and Deputy Prime Minister; a former major general in the Israeli Defence Forces (IDF) who held a highly sensitive position; the chairman of a leading Israeli security think tank; a former US ambassador to Israel; the former chairman of a prominent Middle East research centre; and a senior executive in the Israeli defence industry. The attackers used sophisticated techniques, including email thread hijacking and a custom URL shortener, to trick victims into revealing sensitive information. A legitimate identity verification service was also exploited to steal identity documents. The report analyses the attack infrastructure, methods and possible attribution to the Iran-linked Phosphorus APT group, suggesting a motive that may be linked to escalating geopolitical tensions between Iran and Israel. The ultimate goal appears to be access to victims' inboxes and personally identifiable information (PII), although the possibility of physical harm is also considered.

Deep Instinct researchers detected suspicious activity in a Southern U.S. infrastructure and construction company, revealing an attempted compromise of an Exchange server by an Iranian APT, PHOSPHORUS. Seven exploitation attempts were made, including installation of a root certificate and blending malicious traffic with legitimate. The attacker used malware to create a new user account, setup RDP access, and establish a reverse proxy to connect to the compromised system. A new evasion technique, involving masking malicious domains within legitimate ones, was also detected. PHOSPHORUS activities can be traced back to June 2020.

In early February 2022, the TunnelVision threat actor exploited a vulnerable VMware Horizon server using the Log4Shell vulnerability (CVE-2021-44228) to gain unauthorized access. The attack involved suspicious account creation, credential harvesting, and lateral movement using PSexec and RDP. The adversaries also harvested credentials using Procdump and downloaded Sysinternals and SSH tools. The intrusion was attributed to the Iranian-aligned TunnelVision activity cluster, based on observed TTPs and artifacts. The targeted sectors and countries are not specified in the report.

Iranian APT group Phosphorus has developed a new PowerShell backdoor, dubbed PowerLess Backdoor, for espionage purposes. Cybereason researchers discovered the backdoor while investigating the group's exploitation of the ProxyShell vulnerability. The backdoor allows for downloading additional payloads, evasive PowerShell execution, and encrypted communication with the command and control server. Connections were also found between the Phosphorus group and the Memento Ransomware.

APT35 has started widespread scanning and attempts to leverage the Log4j flaw in publicly facing systems only four days after the vulnerability was disclosed. The group used a modular PowerShell-based framework dubbed CharmPower for persistence, information gathering, and command execution.

APT35 has used multiple tactics to compromise high-value targets. The group has used hijacked websites, such as one affiliated with a UK university, for credential phishing attacks. They have also uploaded spyware disguised as VPN software to app stores and impersonated conference officials to conduct phishing campaigns. Additionally, APT35 has utilized link shorteners and click trackers embedded within PDF files and abused services like Google Drive, App Scripts, and Sites pages. The group has adopted a novel approach by leveraging Telegram for real-time operator notifications, enabling them to monitor visitor information to their phishing sites.

Iranian-state aligned actor TA453 has been covertly targeting individuals of intelligence interest to the Iranian government by masquerading as British scholars from the University of London's School of Oriental and African Studies (SOAS). The threat actor, targeted Middle Eastern experts, senior professors, and journalists. TA453 compromised a legitimate academic website to deliver personalized credential harvesting pages.

In late 2020, the Iranian-nexus threat actor TA453 launched a credential phishing campaign called BadBlood, targeting senior medical professionals in genetic, neurology, and oncology research in the United States and Israel. The campaign deviates from the group's usual activity and may indicate a shift in TA453's targeting priorities. The attackers used spearphishing emails with links to a fake OneDrive site to harvest user credentials, potentially to exfiltrate email contents or use compromised accounts for further phishing campaigns.

In December 2021, PHOSPHORUS exploited the Microsoft Exchange ProxyShell vulnerabilities, using web shells to gain initial access and execute code. The attack closely resembled their previous attacks and due to previous reports and OSINT research, DFIR believes with medium to high confidence that this intrusion would have ended in ransomware. The attackers established persistence through scheduled tasks and a newly created account, and after enumerating the environment, disabled LSA protection and dumped LSASS process memory. The entire attack was likely scripted out, as evidenced by the user agent strings and the similarity between commands.

During the 2021 Christmas holidays, Iranian state-backed hackers Charming Kitten initiated a targeted phishing campaign against individuals, focusing on personal and business emails. The group used public-facing applications, such as Google services, to redirect victims through a chain of legitimate services, helping bypass security layers in email services and obfuscate their operations. They employed various fake domains and developed custom phishing pages to target a range of online services, collecting sensitive data and emails from victims.

The Iranian threat actor Phosphorus targeted potential attendees of the Munich Security Conference and the Think 20 (T20) Summit in Saudi Arabia through a series of cyberattacks. The attackers sent spoofed email invitations to former government officials, policy experts, academics, and leaders from non-governmental organizations. Their goal was intelligence collection, and they successfully compromised several high-profile individuals' accounts.

The Iranian APT group Charming Kitten impersonated Israeli cybersecurity firm ClearSky by creating a phishing website that mimicked the legitimate Clearskysec.com domain. The fake site, hosted on an older compromised server, replicated ClearSky's public web pages and included phishing login options to harvest credentials. ClearSky identified the incomplete site, which was taken down before it could affect any victims. Charming Kitten has previously targeted academic researchers, human rights activists, media outlets and political consultants in Iran, the US, UK and Israel. Known for spear-phishing, impersonating organisations, and deploying malware such as DownPaper, this campaign underscores the ongoing threat to security researchers and geopolitical targets.

Beginning in late 2016, Shamoon 2.0 and the newly discovered StoneDrill malware launched destructive wiper attacks against critical and economic sectors in Saudi Arabia, with evidence of StoneDrill reaching European targets. Shamoon 2.0, a successor to the 2012 Saudi Aramco attack tool, incorporated stolen administrator credentials, automated worm-like spreading, disk wiping, and even inactive ransomware capabilities. StoneDrill introduced advanced sandbox evasion, injected its payload into browsers, and targeted accessible files or full disks. Both malware families used obfuscation, anti-analysis tricks, and in Shamoon’s case, signed drivers for low-level destruction. StoneDrill shared code similarities with the NewsBeef (aka Charming Kitten) APT, suggesting broader regional targeting and actor overlap.

The report details the Magic Hound cyber campaign targeting primarily Saudi Arabia. The campaign leveraged spearphishing emails with malicious attachments and links, PowerShell scripts, Windows Command Shell, and obfuscation techniques like XOR and Base64 encoding. Additionally, the attackers utilized HTTP and HTTPS protocols for command and control communication.

The MacDownloader malware, initially observed targeting the defense industrial base and a human rights advocate, impersonates legitimate software like Adobe Flash Player and Bitdefender Adware Removal Tool to steal system information and macOS Keychain data. It reflects initial development efforts by possibly amateur Iranian-affiliated actors and is linked to previously documented Iranian operations targeting aerospace and defense employees. The malware, which also gathers user credentials, lacks effective persistence features and uses similar infrastructure as previous campaigns attributed to the Iranian group Charming Kitten.