Threats Feed

Operation GhostShell is a cyber espionage campaign targeting aerospace and telecommunications companies, primarily in the Middle East, with victims in the U.S., Russia and Europe. The operation, carried out by the Iranian group MalKamak, uses a stealthy, evolving remote access trojan (RAT) called ShellClient, which has been in development since 2018. ShellClient evades detection through masquerading, AES encryption and WMI-based reconnaissance. The attackers used tools such as PAExec for lateral movement and lsa.exe for credential dumping. Data exfiltration was facilitated by using WinRar to compress stolen information before sending it via Dropbox.

The Iranian APT group Siamesekitten (Lyceum/Hexane) launched targeted cyberattacks on Israeli IT and technology firms in 2021 using advanced social engineering and supply chain tactics. The campaign impersonated HR personnel and organizations via phishing websites and LinkedIn profiles to distribute malware such as Milan and its successor Shark. Victims were infected with DanBot RAT through DNS tunneling and HTTPS C2 communication. The group also exploited legitimate tools like UltraVNC for remote access. Known for prior attacks on oil, gas, and telecom sectors in the Middle East and Africa, Siamesekitten’s recent focus highlights its shift to Israeli targets for espionage and data theft.

APT-C-50's Domestic Kitten surveillance operation, linked to the Iranian government, targets over 1,200 Iranian citizens including dissidents, opposition forces, and minorities. Since 2017, ten campaigns delivered the FurBall malware via Iranian blogs, Telegram channels, and SMS links. FurBall collects device data, call logs, SMS messages, and media files, tracking victims' activities. It leverages commercially available parental control software, KidLogger, for its operations. This extensive surveillance continues with four active campaigns as of November 2020.

The Lyceum APT targets the oil, gas and telecommunications sectors in the Middle East, focusing on credential theft and network infiltration through a multi-stage attack chain. The initial infection involves malicious Microsoft Office documents that deploy DanDrop, a VBA-based malware dropper that installs DanBot, a remote access Trojan used for ongoing control. The group also uses PowerShell scripts, including keyloggers and credential decryption tools, to gather sensitive data from Active Directory and RDCMan configurations. The sophisticated attack chain used by this cybercrime group highlights the ongoing threat to critical infrastructure in the Middle East.

Check Point Research uncovered an ongoing Iranian espionage campaign, Rampant Kitten, targeting Iranian expats and dissidents. The attackers used Windows infostealers to steal personal documents and access Telegram and KeePass accounts. They employed Android backdoors to intercept SMS-based 2FA codes and record audio, and also created Telegram phishing pages. The campaign's initial infection vector involved a malicious document exploiting external template loading. Key targets included anti-regime organizations and minority resistance groups such as AFALR and Azerbaijan National Resistance Organization. The malware utilized SOAP for communication and featured sophisticated persistence and data exfiltration techniques.

Iranian APT33 has been detected running a phishing campaign that employs fake job scams to lure victims. The campaign aims for credential theft, information theft, and unauthorized remote access. While the targeted sectors and countries are not specified, the indicators of compromise involve domain names like "www[.]global-careers[.]org" and filenames such as "JobDescription.zip" and "JobDescription.vbe".

Hexane (LYCEUM), a threat actor primarily targeting the Middle East’s oil, gas, and telecommunications sectors, has expanded its attack methods. Using spear-phishing emails with malicious Excel macros, the group delivers DanBot, a RAT capable of DNS and HTTP-based command and control, file transfer, and command execution. Additional tools include a PowerShell-based keylogger, credential decryption scripts, and LDAP data-extraction tools targeting Active Directory accounts. They employ social engineering, password spraying, and DNS tunneling to maintain access, frequently rotating C2 infrastructure. The group’s activity indicates continued cyber threats within these critical sectors.

The article provides a detailed analysis of a sophisticated PowerShell malware linked to APT33, a notable cyber threat group. It examines a specific file associated with this malware, highlighting its capabilities and behaviors. The malware includes a variety of functions such as privilege escalation, data encryption and decryption, file uploading and downloading, and a mechanism for capturing screenshots. It also features a complex command structure for interacting with a control server, and implements persistence methods through WMI event filters and registry modifications. The analysis contributes to the broader understanding of APT33's tactics and tools.

The Domestic Kitten campaign, an Iranian surveillance operation active since 2016, targets Iranian citizens, including Kurdish and Turkish natives and ISIS supporters, using malicious mobile apps. These apps, disguised as legitimate, collect sensitive information such as contact lists, call records, SMS messages, browser history, geo-location, photos, and surrounding voice recordings. The stolen data is encrypted and exfiltrated to C&C servers, with IP addresses linked to Iranian origins. The operation's infrastructure suggests involvement by Iranian government entities like the IRGC and Ministry of Intelligence.

APT33’s Dropshot, also known as StoneDrill, is a sophisticated wiper malware targeting organizations primarily in Saudi Arabia. Dropshot uses advanced anti-emulation techniques and obfuscation to evade detection. The malware decrypts its payload from an encrypted resource and employs anti-emulation strategies, including invalid Windows API calls. It also leverages zlib for decompression. This analysis focuses on decrypting Dropshot's encrypted resource to understand its functionality. The malware's association with APT33 and similarities to the Shamoon malware underscore its threat to targeted sectors.

APT33's Dropshot malware, also known as StoneDrill, targeted organizations primarily in Saudi Arabia. Dropshot, a sophisticated wiper malware, employs advanced anti-emulation techniques and string encryption to evade detection and analysis. The malware's high entropy suggests packed or compressed data, particularly in the .rsrc section, indicating hidden malicious content. This analysis focuses on decrypting the strings within Dropshot.

The Flying Kitten group conducted extensive espionage and surveillance campaigns from 2013 to 2014. Utilizing spearphishing, social engineering, and the "Stealer" malware, they targeted high-profile individuals, security researchers, and various sectors. The campaigns involved compromised social media accounts and phishing domains to gather credentials and sensitive information. The malware recorded keystrokes, took screenshots, and collected system data, focusing on credential harvesting rather than file exfiltration. This activity impacted targets in the United States, Israel, and global academia and business sectors.

A Saudi Arabian Government entity has been targeted by an innovative attack that relies on macros within malicious Word documents and leverages various scripts rather than a binary payload. The attack uses a VBScript to lower security settings within Microsoft Word and Excel and fetches data from Pastebin. A PowerShell script then communicates with the C2 server and exfiltrates data, persistently remaining undetected and continuing to collect information from the targeted system. The primary targeted sector is the Government.

The Iranian threat agent CopyKittens compromised multiple Israeli websites, including the Jerusalem Post, and one Palestinian Authority website between October 2016 and January 2017. The attackers bought access to the server to gain the access, inserting a single line of Javascript into existing libraries. This enabled them to load further malicious Javascript from a domain they controlled, selectively targeting users based on their IP addresses. The malicious payload used was the BeEF Browser Exploitation Framework.

CopyKitten, a known cyber-attack group, has launched a spearphishing campaign targeting the Israeli government’s Ministry of Communications. The investigation commenced with the identification of a suspicious domain that led to multiple related domains. One such domain closely mimicked the Israeli Prime Minister's SSL VPN login page and was used to drop a malicious Word document titled "Annual Survey.docx." This document had an embedded OLE object that communicated with a C2 server, signifying a well-planned attack. The campaign appears to be part of CopyKitten's ongoing activities against Israeli interests.

The BlackBerry Cylance threat research team's report offers a comprehensive analysis of the Disttrack malware, also known as Shamoon, renowned for its devastating attacks on system master boot records. The report traces the malware's history, its resurgence, and explores its technical operations, including network management capabilities and modular architecture. It particularly highlights Disttrack's impact on Saudi Arabia's critical infrastructure, demonstrating its potential for significant damage. This abstract succinctly captures the essence of the malware's threat and operational dynamics for a general audience.

In mid-November 2016, Mandiant responded to the Shamoon 2.0 malware attack targeting organizations in the Gulf states, marking the return of the suspected Iranian hacker group "Cutting Sword of Justice." This updated version of the 2012 Shamoon malware features embedded credentials, suggesting previous targeted intrusions for credential harvesting. Shamoon 2.0 performs subnet scanning, uses domain-specific credentials for unauthorized access, modifies system registries, and schedules tasks for execution. Its payload involves overwriting system files and wiping boot records, notably shifting imagery from a burning U.S. flag to a photograph of Alan Kurdi, symbolizing a devastating critique through cyber vandalism.

Clearsky's "Thamar Reservoir" report details a sustained Iranian cyber-attack campaign targeting over 550 individuals, primarily in the Middle East. The attacks, which began in 2014, used a variety of techniques, including spear-phishing emails with malware, phone calls, and compromised websites to create fake login pages. The attackers were persistent but lacked technical sophistication and made mistakes that aided the investigation. The report concludes that the campaign's targets and methods strongly suggest Iranian state sponsorship, and links it to other known Iranian cyber operations.