Threats Feed

Some Iranian government-sponsored APT groups have exploited vulnerabilities in Microsoft Exchange servers and Fortinet devices since March 2021. These actors broadly targeted critical infrastructure sectors in the US, including Transportation and Healthcare and Public Health, as well as Australian organizations. The APT group focused more on exploiting known vulnerabilities rather than specific sectors, using the gained access for ransomware deployment, data exfiltration, and extortion. Several tactics, techniques, and tools were utilized, including creating new user accounts and modifying Task Scheduler.

The Lyceum group (also known as Hexane) is a cyber threat actor focused on the telecommunications, energy and aviation sectors, particularly targeting high-profile organisations in Tunisia. Active since 2018, Lyceum has recently replaced its .NET-based malware with new C++ backdoors and PowerShell scripts to evade detection. The group continues to rely on DNS tunneling for command and control (C2) and uses tools for system reconnaissance, credential theft and keylogging. Lyceum also uses spoofed domains to disguise its activities, demonstrating an adaptive approach to persistent targeting of critical infrastructure.

The Iranian APT group MalKamak has been targeting aerospace and telecommunications companies in the Middle East since at least 2018, with additional victims in the US, Russia and Europe. The group uses ShellClient, a newly discovered remote access trojan (RAT), to conduct highly targeted cyberattacks. ShellClient uses Dropbox, a popular cloud-based service, for command and control (C2) operations, replacing the group's previous C2 infrastructure.

Operation GhostShell is a cyber espionage campaign targeting aerospace and telecommunications companies, primarily in the Middle East, with victims in the U.S., Russia and Europe. The operation, carried out by the Iranian group MalKamak, uses a stealthy, evolving remote access trojan (RAT) called ShellClient, which has been in development since 2018. ShellClient evades detection through masquerading, AES encryption and WMI-based reconnaissance. The attackers used tools such as PAExec for lateral movement and lsa.exe for credential dumping. Data exfiltration was facilitated by using WinRar to compress stolen information before sending it via Dropbox.

The Iranian APT group Siamesekitten (Lyceum/Hexane) launched targeted cyberattacks on Israeli IT and technology firms in 2021 using advanced social engineering and supply chain tactics. The campaign impersonated HR personnel and organizations via phishing websites and LinkedIn profiles to distribute malware such as Milan and its successor Shark. Victims were infected with DanBot RAT through DNS tunneling and HTTPS C2 communication. The group also exploited legitimate tools like UltraVNC for remote access. Known for prior attacks on oil, gas, and telecom sectors in the Middle East and Africa, Siamesekitten’s recent focus highlights its shift to Israeli targets for espionage and data theft.

APT-C-50's Domestic Kitten surveillance operation, linked to the Iranian government, targets over 1,200 Iranian citizens including dissidents, opposition forces, and minorities. Since 2017, ten campaigns delivered the FurBall malware via Iranian blogs, Telegram channels, and SMS links. FurBall collects device data, call logs, SMS messages, and media files, tracking victims' activities. It leverages commercially available parental control software, KidLogger, for its operations. This extensive surveillance continues with four active campaigns as of November 2020.

The joint advisory from CISA and the FBI reveals that an Iranian advanced persistent threat (APT) actor targeted U.S. state websites, specifically election websites, in an attempt to influence the 2020 presidential election. The actor employed methods like scanning with Acunetix, exploiting public-facing applications, and using VPN services to masquerade their operations. The APT also attempted to access and distribute U.S. voter registration data, which was subsequently used in disinformation campaigns misleadingly attributed to domestic sources. The operations spanned from September 20 to October 17, 2020, aiming to compromise election infrastructure and gather sensitive information.

Iranian APTs are suspected of attempting to disrupt the U.S. electoral process to undermine public confidence and create discord among voters. These activities have included the creation of fictitious and spoofed media sites to distribute misinformation about voter issues, utilizing voter-registration data, and spreading anti-American sentiments. The APT groups have exploited critical vulnerabilities such as CVE-2020-5902 and CVE-2017-9248, impacting VPNs and content management systems, to conduct distributed denial-of-service (DDoS) attacks, SQL injection attacks, spear-phishing campaigns, website defacements, and disinformation campaigns.

The Lyceum APT targets the oil, gas and telecommunications sectors in the Middle East, focusing on credential theft and network infiltration through a multi-stage attack chain. The initial infection involves malicious Microsoft Office documents that deploy DanDrop, a VBA-based malware dropper that installs DanBot, a remote access Trojan used for ongoing control. The group also uses PowerShell scripts, including keyloggers and credential decryption tools, to gather sensitive data from Active Directory and RDCMan configurations. The sophisticated attack chain used by this cybercrime group highlights the ongoing threat to critical infrastructure in the Middle East.

Check Point Research uncovered an ongoing Iranian espionage campaign, Rampant Kitten, targeting Iranian expats and dissidents. The attackers used Windows infostealers to steal personal documents and access Telegram and KeePass accounts. They employed Android backdoors to intercept SMS-based 2FA codes and record audio, and also created Telegram phishing pages. The campaign's initial infection vector involved a malicious document exploiting external template loading. Key targets included anti-regime organizations and minority resistance groups such as AFALR and Azerbaijan National Resistance Organization. The malware utilized SOAP for communication and featured sophisticated persistence and data exfiltration techniques.

Pioneer Kitten, an Iran-based adversary active since 2017, targets North American and Israeli entities of intelligence interest, including technology, government, defense, and healthcare sectors. The group relies on exploiting vulnerabilities in VPNs and network appliances (e.g., CVE-2019-11510, CVE-2019-19781, CVE-2020-5902) for initial access, and uses open-source tools like Ngrok and SSHMinion for SSH tunneling and RDP for hands-on activity. Recently, PIONEER KITTEN was seen selling access to compromised networks on underground forums, indicating an attempt to diversify revenue streams.

IBM X-Force IRIS uncovered extensive details on ITG18 through operational errors. Over 40 GB of data and videos revealed ITG18’s targeting of U.S. Navy and Hellenic Navy personnel, U.S. presidential campaigns, pharmaceutical companies, and Iranian-American figures. The group employed credential harvesting, phishing, and email compromise, often using Zimbra to manage compromised accounts. ITG18's operations align with Iranian strategic interests, leveraging personal accounts to gather sensitive data on military operations and geopolitical targets. Multifactor authentication posed challenges, causing operators to pivot to new targets.

The RogueRobin malware, developed by the DarkHydrus group, employs DNS tunneling for covert communications in cyberattacks targeting government and educational institutions. The malware appears in two variants: a PowerShell and a .NET executable, both facilitating commands and control operations via encoded DNS queries. This series explores differences in their operation, emphasizing persistence methods and anti-analysis tactics. The technical nuances of RogueRobin, including its innovative DNS record types, highlight its role in sophisticated cyber espionage campaigns.

Iranian APT33 has been detected running a phishing campaign that employs fake job scams to lure victims. The campaign aims for credential theft, information theft, and unauthorized remote access. While the targeted sectors and countries are not specified, the indicators of compromise involve domain names like "www[.]global-careers[.]org" and filenames such as "JobDescription.zip" and "JobDescription.vbe".

Hexane (LYCEUM), a threat actor primarily targeting the Middle East’s oil, gas, and telecommunications sectors, has expanded its attack methods. Using spear-phishing emails with malicious Excel macros, the group delivers DanBot, a RAT capable of DNS and HTTP-based command and control, file transfer, and command execution. Additional tools include a PowerShell-based keylogger, credential decryption scripts, and LDAP data-extraction tools targeting Active Directory accounts. They employ social engineering, password spraying, and DNS tunneling to maintain access, frequently rotating C2 infrastructure. The group’s activity indicates continued cyber threats within these critical sectors.

The article provides a detailed analysis of a sophisticated PowerShell malware linked to APT33, a notable cyber threat group. It examines a specific file associated with this malware, highlighting its capabilities and behaviors. The malware includes a variety of functions such as privilege escalation, data encryption and decryption, file uploading and downloading, and a mechanism for capturing screenshots. It also features a complex command structure for interacting with a control server, and implements persistence methods through WMI event filters and registry modifications. The analysis contributes to the broader understanding of APT33's tactics and tools.

DarkHydrus, an adversary group operating primarily in the Middle East, has resumed activities with new tactics, tools, and procedures (TTPs). Recently analyzed by security researchers, the group has been deploying a new variant of the RogueRobin trojan, which now utilizes Google Drive API for command and control (C2) communications. This shift to using legitimate cloud services for C2 indicates an evolution in their operational tactics. The trojan, delivered through macro-enabled Excel documents, exhibits sophisticated evasion techniques, including environment checks and dynamic DNS to mask its C2 communications. The analysis revealed the use of typosquatting and open-source penetration testing tools, underscoring the group’s persistent and evolving threat landscape.

The Domestic Kitten campaign, an Iranian surveillance operation active since 2016, targets Iranian citizens, including Kurdish and Turkish natives and ISIS supporters, using malicious mobile apps. These apps, disguised as legitimate, collect sensitive information such as contact lists, call records, SMS messages, browser history, geo-location, photos, and surrounding voice recordings. The stolen data is encrypted and exfiltrated to C&C servers, with IP addresses linked to Iranian origins. The operation's infrastructure suggests involvement by Iranian government entities like the IRGC and Ministry of Intelligence.

APT33’s Dropshot, also known as StoneDrill, is a sophisticated wiper malware targeting organizations primarily in Saudi Arabia. Dropshot uses advanced anti-emulation techniques and obfuscation to evade detection. The malware decrypts its payload from an encrypted resource and employs anti-emulation strategies, including invalid Windows API calls. It also leverages zlib for decompression. This analysis focuses on decrypting Dropshot's encrypted resource to understand its functionality. The malware's association with APT33 and similarities to the Shamoon malware underscore its threat to targeted sectors.

APT33's Dropshot malware, also known as StoneDrill, targeted organizations primarily in Saudi Arabia. Dropshot, a sophisticated wiper malware, employs advanced anti-emulation techniques and string encryption to evade detection and analysis. The malware's high entropy suggests packed or compressed data, particularly in the .rsrc section, indicating hidden malicious content. This analysis focuses on decrypting the strings within Dropshot.

The Flying Kitten group conducted extensive espionage and surveillance campaigns from 2013 to 2014. Utilizing spearphishing, social engineering, and the "Stealer" malware, they targeted high-profile individuals, security researchers, and various sectors. The campaigns involved compromised social media accounts and phishing domains to gather credentials and sensitive information. The malware recorded keystrokes, took screenshots, and collected system data, focusing on credential harvesting rather than file exfiltration. This activity impacted targets in the United States, Israel, and global academia and business sectors.

The Iranian cyber groups Flying Kitten and Rocket Kitten exhibited overlapping tactics in credential theft and spearphishing, targeting entities in sectors like media, education, and technology across the UK, US, and Iran. Utilizing domains that mimicked legitimate services, such as Google and Microsoft, they orchestrated phishing campaigns to harvest user credentials. Their operations involved shared phishing toolkits and malware, including a keylogger, with connections back to Iranian infrastructure. Despite cessation of Flying Kitten activities post-2014, their tools and tactics were resurrected by Rocket Kitten, highlighting the persistent threat posed by these actors.

A Saudi Arabian Government entity has been targeted by an innovative attack that relies on macros within malicious Word documents and leverages various scripts rather than a binary payload. The attack uses a VBScript to lower security settings within Microsoft Word and Excel and fetches data from Pastebin. A PowerShell script then communicates with the C2 server and exfiltrates data, persistently remaining undetected and continuing to collect information from the targeted system. The primary targeted sector is the Government.