Threats Feed

The Iranian state-sponsored threat actor MuddyWater has escalated its cyberattacks using the Atera Agent, a legitimate remote monitoring and management (RMM) tool. By exploiting Atera's free trial offers, MuddyWater registered agents with compromised or purpose-created email accounts and distributed them through spearphishing campaigns. The group's advanced social engineering and operational security tactics facilitated stealthier operations. Targeted sectors include Airlines, IT, Telecommunications, Pharmaceuticals, Automotive Manufacturing, Logistics, Travel and Tourism, and Employment/Immigration agencies across Israel, India, Algeria, Turkey, Italy, and Egypt.

The Iranian hacktivist group Lord Nemesis, also known as 'Nemesis Kitten,' targeted the Israeli academic sector via a supply chain attack on Rashim Software, a provider of academic administration and training software. They breached Rashim's infrastructure and accessed its clients, including numerous academic institutions, by using stolen credentials and exploiting admin accounts on customer systems. This allowed them to extract sensitive data, circumvent multi-factor authentication, and instill fear by releasing findings and sending ominous warnings. The attack highlights the significant risks posed by third-party vendors and demonstrates the group's sophisticated planning and understanding of targeted IT environments.

In March 2024, the National Cyber Directorate of Israel detected a sophisticated phishing campaign attributed to the Iranian group MuddyWater. This campaign, primarily targeting government and local government sectors in Israel, employs phishing emails with links to malicious ZIP files hosted on Onehub. These files contain the ScreenConnect tool, which enables remote control over compromised computers, allowing for sustained network access. MuddyWater is known for its expertise in social engineering and exploiting vulnerabilities, actively targeting sectors like aviation, academia, communications, government, and energy. Their focus is on maintaining a stealthy presence to facilitate further malicious activities.

The Menorah malware, used by the APT34 threat group to target organisations in the Middle East, creates a mutex to ensure single-instance operation. The malware exfiltrates data and executes commands from a hardcoded command and control (C2) server. These commands include creating processes, listing files, downloading files and exfiltrating arbitrary data. The analysis provides technical details, including SHA256 hashes, mutex identifiers and the address of the C2 server, to aid detection and response efforts.

A phishing malware campaign targeting Albanian governmental entities was discovered, involving an archived file named "kurs trajnimi.zip." The malware uses "ScreenConnectWindowsClient.exe" for command-and-control (C2) operations, exploiting CVE-2023-36778, a Microsoft Exchange Server vulnerability. Static analysis revealed techniques for screen capture, anti-analysis, and system discovery. The malicious program requires Administrator or SuperUser privileges to execute, indicating an intent to evade detection and exploit higher-level system resources.

Charming Kitten, an Iran nexus threat actor group, used the Sponsor backdoor to target 34 entities across Brazil, Israel, and UAE. Initial access was gained by exploiting Microsoft Exchange vulnerabilities (CVE-2021-26855). The campaign targeted various sectors, including automotive, communications, engineering, financial services, healthcare, insurance, legal, manufacturing, retail, technology, and telecommunications. Sponsor backdoor, disguised as an updater program, used discreetly deployed batch files to evade detection. Charming Kitten also deployed tools like Plink, Merlin agent, Mimikatz, and Meterpreter reverse shells.

Peach Sandstorm, an Iranian threat actor, has conducted password spray attacks since February 2023 against global organizations, notably in the satellite, defense, and pharmaceutical sectors. These attacks originated from TOR IPs and employed a mix of public and custom tools like AzureHound and Roadtools for reconnaissance. Once inside the network, the group established persistence through mechanisms like Azure subscriptions and Azure Arc. They also attempted to exploit vulnerabilities in Zoho ManageEngine and Confluence. Some instances involved data exfiltration and lateral movement using techniques like Golden SAML and remote desktop protocol (RDP).

APT33, an Iranian threat group active since 2013, targets multiple countries and sectors, primarily focusing on Saudi Arabia and the United States. The group employs spear phishing with malicious attachments and links, watering hole attacks, and uses both custom and commodity malware, including the Shamoon data-wiper. They exploit known vulnerabilities and leverage stolen credentials to gain access. Key targets include government, aerospace, petrochemical, engineering, finance, and telecom industries. APT33’s infrastructure includes domain masquerading and compromised servers. Recent activities include targeting cloud infrastructure and using spoofed domains to distribute malware.

The Ballistic Bobcat (aka Charming Kitten) threat group exploited known vulnerabilities in Microsoft Exchange servers, particularly CVE-2021-26855, to gain initial access to 34 organizations, primarily located in Israel. The group employed a backdoor known as Sponsor and relied on a modular approach that used both configuration files and batch files to evade detection. Besides, the group utilized a range of open-source tools for various activities, including tunneling and credential dumping. The victims are from diverse sectors but are mainly opportunistic rather than specifically targeted. Two victims were identified outside Israel, in Brazil and the UAE, linked to healthcare and an unidentified organization.

The Cybersecurity and Infrastructure Security Agency (CISA), FBI, and Cyber National Mission Force (CNMF) identified multiple APT actors exploiting vulnerabilities in an Aeronautical Sector organization as early as January 2023. The actors targeted a public-facing application (Zoho ManageEngine ServiceDesk Plus) and the organization’s firewall device, exploiting CVE-2022-47966 and CVE-2022-42475. They gained unauthorized access, established persistence, moved laterally, and engaged in defense evasion by deleting logs. Although the attackers achieved extensive network enumeration and credential access, the report didn't confirm any data exfiltration.

APT34 has launched a new phishing campaign, using a decoy file named “GGMS Overview.doc” to target U.S.-based enterprises. The campaign employs a variant of the SideTwist Trojan for long-term control over victim hosts. Malicious macros in the document deploy the Trojan, which communicates with a C&C server. Interestingly, the C&C IP address is associated with the United States Department of Defense Network Information Center. The Trojan is capable of executing commands from the C&C and exfiltrating local files. It suggests the APT34 group might be conducting a test operation to preserve attack resources.

Charming Kitten has intensified its cyber espionage operations targeting Iranian dissidents, legal professionals, journalists, and human rights activists in Germany and abroad. According to the German BfV, the group uses detailed social engineering and spoofed online identities to initiate contact and build trust. Victims are lured into video calls via phishing links that mimic legitimate platforms like Google or Microsoft. These links lead to credential-harvesting sites, often intercepting two-factor authentication as well. Stolen credentials are then used to access cloud services and extract personal data using tools like Google Takeout.

In mid-May 2023, threat actor TA453 targeted a US-based nuclear security expert affiliated with a foreign affairs think tank using deceptive emails. After initial contact, TA453 deployed a novel PowerShell backdoor, GorjolEcho, via cloud hosting providers. Upon realizing the target used a Mac, they sent another malicious email that delivered Mac-specific malware, NokNok. TA453 operates in support of Iran's Islamic Revolutionary Guard Corps (IRGC), specifically focusing on entities and individuals in the foreign affairs sector, particularly those dealing with Middle Eastern affairs and nuclear security.

Deep Instinct's research team has uncovered a new Command and Control (C2) framework named PhonyC2, which is believed to be linked to the threat group MuddyWater. The PhonyC2 framework was found on a server connected to infrastructure previously used by MuddyWater in various cyberattacks, including the assault on Technion in Israel. This discovery suggests PhonyC2 is MuddyWater's latest tool for orchestrating cyber espionage and it's used in an active PaperCut exploitation. The code analysis revealed structural and functional similarities to MuddyWater's previous C2 frameworks (MuddyC3), reinforcing the attribution.

The Iranian cyber-espionage group, Charming Kitten, targeted an individual who published an article about Iran. The attackers impersonated a reporter and carried out a series of seemingly benign interactions before sending a malicious RAR file containing the POWERSTAR backdoor. The backdoor, once executed, collects system information and communicates with a command-and-control server via encrypted channels. The attackers employ several modules for system reconnaissance, establishing persistence, and cleaning up forensic evidence. Notably, they leveraged the InterPlanetary File System (IPFS) as a fallback mechanism for command-and-control communication.

FortiEDR's research lab discovered a series of attacks on a government entity in the United Arab Emirates. The attacks involved a novel PowerShell-based backdoor dubbed PowerExchange. The backdoor's command and control (C2) protocol used the victim's Exchange server for communication. Further investigations revealed additional implants and a new web shell named ExchangeLeech that could harvest credentials. Iranian threat actor APT34 is suspected to be behind the attacks, which involved phishing emails for initial access, lateral movement within the network, and using scheduled tasks for persistence.

Charming Kitten group's latest malware, BellaCiao, targets Microsoft Exchange servers across the United States, Europe, the Middle East (Turkey), and India. The malware uses a unique communication approach with its command-and-control infrastructure and is tailored to suit individual targets. BellaCiao is a dropper malware that delivers other payloads based on instructions from the C2 server. The initial infection vector is suspected to be Microsoft Exchange exploit chains, and the malware establishes persistence by masquerading as legitimate Microsoft Exchange server processes.

Educated Manticore, an Iranian-aligned threat actor linked to the Phosphorus group, has been found targeting Israel with an improved arsenal of tools. The group adopts recent trends, using ISO images and other archive files to initiate infection chains. They have significantly enhanced their toolset with techniques such as .NET executables constructed as Mixed Mode Assembly. The final payload is an updated version of the implant PowerLess, previously attributed to Phosphorus ransomware operations. This evolution shows the group's continuous refinement of their toolsets and delivery mechanisms.

The report details the Mint Sandstorm subgroup's cyberattacks targeting US critical infrastructure, including seaports, energy companies, transit systems, and a major utility and gas entity. The group rapidly adopted publicly disclosed proof-of-concept (POC) code to exploit vulnerabilities in internet-facing applications. The attacks also involved custom tools and implants, lateral movement, and persistence techniques. The phishing campaigns targeted individuals affiliated with think tanks and universities in Israel, North America, and Europe. The targeted sectors include transportation, energy, utilities, policy, security, and academia.

MERCURY and DEV-1084, associated with the Iranian government, orchestrated a destructive operation targeting on-premises and cloud environments under the guise of a standard ransomware campaign. The attack chain involved exploiting unpatched vulnerabilities for initial access, extensive reconnaissance, persistence establishment, and lateral movement within the network. High-privilege credentials were used to create widespread destruction of resources. The attackers also breached Azure AD environments to cause further damage and data loss. They conducted extensive mailbox operations and sent emails internally and externally impersonating high-ranking employees.

The Iranian state-sponsored threat actor, OilRig, known for targeting global sectors such as Government, Financial Services, Energy, Telecommunications, and Technology, carried out an attack in August 2022 using a malicious Word document. This document contained embedded macros that dropped additional payloads for discovery, collection, and exfiltration routines. The payloads used PowerShell scripts and Windows utilities for information gathering and established persistence with a scheduled task named "WindowsUpdate". OilRig used multiple techniques in this attack such as Process Discovery, System Information Discovery, File and Directory Discovery, System Network Configuration Discovery, and others.

The Secureworks report details a phishing campaign by the Iranian threat group COBALT ILLUSION, which used a fake Atlantic Council employee, "Sara Shokouhi", to target researchers working on human rights in Iran. The campaign used stolen imagery and a fake online presence to build rapport before attempting to steal credentials or deploy malware. This tactic mirrors previous COBALT ILLUSION operations, highlighting the consistent use of sophisticated social engineering and data harvesting techniques to gather intelligence on behalf of the Iranian government. The report provides indicators of compromise (IOCs) to help mitigate further attacks.

TA452's August 2022 intrusion involved a malicious Word document with a VBA macro that established persistence and C2 communication. The threat actors used AutoHotkey for keylogging, PowerShell scripts for discovery, and exfiltrated data using makecab.exe. They employed sophisticated techniques such as base64 encoding, obfuscation, and scheduled tasks to maintain access and evade detection. The campaign is linked to OilRig group and targeted organizations with custom-tailored malware, hinting at state-sponsored activity. Data was exfiltrated over encrypted channels, with evidence pointing to an organized and targeted approach.