Threats Feed
German Authorities Warn of Charming Kitten Cyberespionage Against Exiled Iranians
Charming Kitten has intensified its cyber espionage operations targeting Iranian dissidents, legal professionals, journalists, and human rights activists in Germany and abroad. According to the German BfV, the group uses detailed social engineering and spoofed online identities to initiate contact and build trust. Victims are lured into video calls via phishing links that mimic legitimate platforms like Google or Microsoft. These links lead to credential-harvesting sites, often intercepting two-factor authentication as well. Stolen credentials are then used to access cloud services and extract personal data using tools like Google Takeout.
TA453 Campaign Deploys Novel PowerShell Backdoor and Mac-Specific Malware
In mid-May 2023, threat actor TA453 targeted a US-based nuclear security expert affiliated with a foreign affairs think tank using deceptive emails. After initial contact, TA453 deployed a novel PowerShell backdoor, GorjolEcho, via cloud hosting providers. Upon realizing the target used a Mac, they sent another malicious email that delivered Mac-specific malware, NokNok. TA453 operates in support of Iran's Islamic Revolutionary Guard Corps (IRGC), specifically focusing on entities and individuals in the foreign affairs sector, particularly those dealing with Middle Eastern affairs and nuclear security.
MuddyWater Upgrades: The Emergence of PhonyC2 Framework
Deep Instinct's research team has uncovered a new Command and Control (C2) framework named PhonyC2, which is believed to be linked to the threat group MuddyWater. The PhonyC2 framework was found on a server connected to infrastructure previously used by MuddyWater in various cyberattacks, including the assault on Technion in Israel. This discovery suggests PhonyC2 is MuddyWater's latest tool for orchestrating cyber espionage, and it is being used in active exploitation of PaperCut. Code analysis revealed structural and functional similarities to MuddyWater's previous C2 framework, MuddyC3, reinforcing the attribution.
Decoding Charming Kitten's POWERSTAR Deployment in Recent Cyber Attack
The Iranian cyber-espionage group Charming Kitten targeted an individual who had published an article about Iran. The attackers impersonated a reporter and carried out a series of seemingly benign interactions before sending a malicious RAR file containing the POWERSTAR backdoor. Once executed, the backdoor collects system information and communicates with a command-and-control server over encrypted channels. The attackers employ several modules for system reconnaissance, establishing persistence, and cleaning up forensic evidence. Notably, they leveraged the InterPlanetary File System (IPFS) as a fallback mechanism for command-and-control communication.
APT34 Suspected in Coordinated Attack on UAE Government Infrastructure
FortiEDR's research lab discovered a series of attacks on a government entity in the United Arab Emirates. The attacks involved a novel PowerShell-based backdoor dubbed PowerExchange. The backdoor's command and control (C2) protocol used the victim's Exchange server for communication. Further investigations revealed additional implants and a new web shell named ExchangeLeech that could harvest credentials. Iranian threat actor APT34 is suspected to be behind the attacks, which involved phishing emails for initial access, lateral movement within the network, and using scheduled tasks for persistence.
Unveiling BellaCiao: Charming Kitten's Sophisticated Malware Tailored For Individuals
The Charming Kitten group's latest malware, BellaCiao, targets Microsoft Exchange servers across the United States, Europe, the Middle East (Turkey), and India. The malware uses a unique communication approach with its command-and-control infrastructure and is tailored to suit individual targets. BellaCiao is a dropper that delivers other payloads based on instructions from the C2 server. The initial infection vector is suspected to be Microsoft Exchange exploit chains, and the malware establishes persistence by masquerading as legitimate Microsoft Exchange server processes.
Educated Manticore Targets Israel with Improved Cyber Arsenal
Educated Manticore, an Iranian-aligned threat actor linked to the Phosphorus group, has been found targeting Israel with an improved arsenal of tools. The group adopts recent trends, using ISO images and other archive files to initiate infection chains. They have significantly enhanced their toolset with techniques such as .NET executables constructed as Mixed Mode Assembly. The final payload is an updated version of the implant PowerLess, previously attributed to Phosphorus ransomware operations. This evolution shows the group's continuous refinement of their toolsets and delivery mechanisms.
Mint Sandstorm Subgroup Targets US Critical Infrastructure
The report details the Mint Sandstorm subgroup's cyberattacks targeting US critical infrastructure, including seaports, energy companies, transit systems, and a major utility and gas entity. The group rapidly adopted publicly disclosed proof-of-concept (POC) code to exploit vulnerabilities in internet-facing applications. The attacks also involved custom tools and implants, lateral movement, and persistence techniques. The phishing campaigns targeted individuals affiliated with think tanks and universities in Israel, North America, and Europe. The targeted sectors include transportation, energy, utilities, policy, security, and academia.
MERCURY and DEV-1084's Destructive Cyber Operations Against Cloud and On-Premises Environments
MERCURY and DEV-1084, associated with the Iranian government, orchestrated a destructive operation targeting on-premises and cloud environments under the guise of a standard ransomware campaign. The attack chain involved exploiting unpatched vulnerabilities for initial access, extensive reconnaissance, persistence establishment, and lateral movement within the network. High-privilege credentials were used to create widespread destruction of resources. The attackers also breached Azure AD environments to cause further damage and data loss. They conducted extensive mailbox operations and sent emails internally and externally impersonating high-ranking employees.
Breaking Down OilRig's August 2022 Attack: A Detailed Look at Techniques Used
The Iranian state-sponsored threat actor OilRig, known for targeting global sectors such as government, financial services, energy, telecommunications, and technology, carried out an attack in August 2022 using a malicious Word document. This document contained embedded macros that dropped additional payloads for discovery, collection, and exfiltration routines. The payloads used PowerShell scripts and Windows utilities for information gathering and established persistence with a scheduled task named "WindowsUpdate". OilRig used multiple techniques in this attack, including Process Discovery, System Information Discovery, File and Directory Discovery, System Network Configuration Discovery, and others.
COBALT ILLUSION Impersonates Think Tank Staff to Target Middle Eastern Affairs
The Secureworks report details a phishing campaign by the Iranian threat group COBALT ILLUSION, which used a fake Atlantic Council employee, "Sara Shokouhi", to target researchers working on human rights in Iran. The campaign used stolen imagery and a fake online presence to build rapport before attempting to steal credentials or deploy malware. This tactic mirrors previous COBALT ILLUSION operations, highlighting the consistent use of sophisticated social engineering and data harvesting techniques to gather intelligence on behalf of the Iranian government. The report provides indicators of compromise (IOCs) to help mitigate further attacks.
TA452 Utilizes PowerShell and AutoHotkey in its Intrusion
TA452's August 2022 intrusion involved a malicious Word document with a VBA macro that established persistence and C2 communication. The threat actors used AutoHotkey for keylogging, PowerShell scripts for discovery, and exfiltrated data using makecab.exe. They employed techniques such as base64 encoding, obfuscation, and scheduled tasks to maintain access and evade detection. The campaign is linked to the OilRig group and targeted organizations with custom-tailored malware, hinting at state-sponsored activity. Data was exfiltrated over encrypted channels, with evidence pointing to an organized and targeted approach.
TA453 Phishing Campaign Targets UK Government and Academia
TA453, also known as Charming Kitten, has targeted sectors such as academia, defence, government, NGOs, think tanks and journalists in the UK and other regions of interest. The group conducts spear-phishing attacks, using open-source reconnaissance to create tailored phishing emails. These emails are often sent from fake social media profiles or compromised email accounts. Once a relationship has been established, TA453 directs victims to malicious links or documents and steals credentials upon interaction. The group also exploits compromised email accounts to steal sensitive data, set up mail forwarding rules and facilitate further surveillance and future attacks.
MuddyWater APT: Iran's Cyber Espionage Across the Middle East and Beyond
MuddyWater, an Iranian state-sponsored APT linked to the Ministry of Intelligence and Security (MOIS), focuses on cyber espionage and IP theft, occasionally using ransomware to disguise its activities. Active since 2017, the group primarily targets the Middle East, including Turkey, Israel, the UAE and Pakistan, with attacks extending to Europe, Asia, Africa and North America. Its targets span the government, defence, healthcare, energy, financial services, and education sectors. Using spear phishing, DNS tunneling and tools such as SimpleHelp, PowerShell and PowGoop, MuddyWater employs credential dumping, lateral movement and persistent remote access. Recent campaigns include phishing attacks against Turkish agencies and Israeli companies.
Broadening Horizons: TA453's New Approaches in Cyber Operations
Since late 2020, threat actor TA453 has exhibited a shift in targeting and tactics. Previously targeting academics, diplomats, and journalists among others, TA453 has expanded to target medical researchers, aerospace engineers, realtors, and travel agencies. New tactics include the use of compromised accounts, malware, and confrontational lures. Despite this shift, Proofpoint assesses that TA453 operates in support of Iran's IRGC Intelligence Organization, indicating a broadening scope of cyber operations. The operations appear to focus on the US, Israel, and various European countries, targeting sectors like academia, diplomacy, journalism, human rights, and energy.
Drokbk Malware: A Tool for COBALT MIRAGE's Cyber Arsenal
The COBALT MIRAGE threat group is using Drokbk malware to target U.S. local government networks. The malware, written in .NET, consists of a dropper and a payload with limited built-in functionality, primarily executing additional commands received from the command and control (C2) server. The February 2022 intrusion began with the compromise of a VMware Horizon server using two Log4j vulnerabilities. Drokbk is deployed post-intrusion alongside other access mechanisms, such as the Fast Reverse Proxy (FRPC) tool, for persistence within the victim's environment.
Spearphishing and Syncro: The Tools of MuddyWater's Recent Cyber Attacks
The MuddyWater group has launched a campaign targeting countries including Armenia, Azerbaijan, Egypt, Iraq, Israel, Jordan, Oman, Qatar, Tajikistan, and the UAE. The group has employed the remote administration tool "Syncro" and used spear-phishing techniques, leveraging Dropbox and OneDrive to deliver the malicious Syncro MSI installer. The threat actors also utilized legitimate corporate email accounts to distribute their phishing emails. The sectors notably targeted include the data hosting, hospitality, and insurance sectors.
Iranian APTs Exploit Log4Shell to Compromise FCEB Network
In April 2022, CISA detected Iranian government-sponsored APT activity compromising an FCEB organization's network via the Log4Shell vulnerability. Initial exploitation targeted an unpatched VMware Horizon server, later spreading to the domain controller. The threat actors utilized PowerShell commands, disabled Windows Defender, and established persistence through scheduled tasks. Tools like Mimikatz and Ngrok were deployed for credential harvesting and C2 communication. Despite attempts to dump the LSASS process, additional anti-virus measures thwarted this activity. Lateral movement was observed, as were activities aimed at credential and account manipulation.
Iranian State-Sponsored Actors Exploit Log4Shell to Target US Government
In April 2022, Iranian government-sponsored actors exploited the Log4Shell vulnerability in VMware Horizon servers, targeting a Federal Civilian Executive Branch (FCEB) organization. They installed XMRig crypto mining malware and used tools like Mimikatz and Ngrok for credential theft and tunneling. The attack involved disabling Windows Defender, downloading malicious files, hiding artifacts, and creating scheduled tasks for persistence. The campaign highlights advanced tactics in disabling security controls and maintaining persistent access. The targeted sector was the US government.
Charming Kitten's Cyber Arsenal: Tools and Techniques Explained
The Iranian APT group Charming Kitten (APT35) targets human rights activists, academia, media organizations, and political entities in the US and Central Eastern countries. Notable attacks include the 2017 HBO hack, which led to leaked unaired TV episodes, and interference attempts in the 2019 US elections, primarily targeting email accounts. Tools used by APT35 include DownPaper, which utilizes PowerShell and registry manipulation; Mimikatz for credential dumping; PsExec for remote execution; and PupyRAT for cross-platform control, delivered via phishing.
Sophisticated PowerShell Attack Targets Systems with Spearphishing
The Fully Undetectable (FUD) PowerShell backdoor report details a sophisticated attack beginning with a malicious Word document ("Apply Form.docm") used in a LinkedIn-based spearphishing campaign originating from Jordan. The document contains a macro that launches a PowerShell script, creating a scheduled task to execute further malicious actions. The backdoor communicates with its C2 server, executing various commands such as process list exfiltration, user enumeration, and Active Directory exploration. SafeBreach identified operational security mistakes allowing decryption of the C2 commands. The campaign, involving PowerShell scripts and scheduled tasks, targets systems for data exfiltration and potential lateral movement.
Unveiling the Actors behind COBALT MIRAGE: A Ransomware Incident Analysis
The Secureworks Counter Threat Unit analyzed a ransomware incident involving the Iranian COBALT MIRAGE threat group. The group exploited ProxyShell vulnerabilities, used a customized variant of Fast Reverse Proxy (FRPC) named TunnelFish, and encrypted servers using BitLocker. Despite attempts to erase their digital footprint, several tools and artifacts were recoverable, leading to the identification of associated individuals and entities, including Ahmad Khatibi, CEO of Afkar System Co., and Mansour Ahmadi, CEO of Najee Technology.
"Korg" in Action: How TA453 Leveraged Multi-Persona Impersonation in Spear Phishing
The Iran-aligned threat actor TA453 has introduced a novel technique known as Multi-Persona Impersonation (MPI) to its spear-phishing campaigns. This method involves the simultaneous use of multiple false identities to enhance the credibility of their social engineering attacks. Alongside MPI, TA453 uses a malicious Word document exploiting Remote Template Injection, codenamed "Korg," to exfiltrate data.
Charming Kitten Exploits Phishing to Target Global Academia and Activists
This Certfa Lab report details the cyber espionage activities of Charming Kitten (APT42), an Iranian state-sponsored hacking group. The report focuses on four specific operations ("Alfa," "Bravo," "Charlie," and "Delta"), illustrating how Charming Kitten uses sophisticated social engineering, primarily impersonating prominent individuals on LinkedIn and Twitter, to build trust with targets before delivering malicious links disguised as innocuous meeting requests or research materials. The attacks consistently leverage phishing to steal credentials, targeting researchers, academics, activists, and journalists with a particular focus on the Middle East and North Africa. The report aims to raise public awareness of Charming Kitten's tactics and provide recommendations for enhancing online security, particularly emphasizing the use of multi-factor authentication.