Threats Feed

Charming Kitten group's latest malware, BellaCiao, targets Microsoft Exchange servers across the United States, Europe, the Middle East (Turkey), and India. The malware uses a unique communication approach with its command-and-control infrastructure and is tailored to suit individual targets. BellaCiao is a dropper malware that delivers other payloads based on instructions from the C2 server. The initial infection vector is suspected to be Microsoft Exchange exploit chains, and the malware establishes persistence by masquerading as legitimate Microsoft Exchange server processes.

Educated Manticore, an Iranian-aligned threat actor linked to the Phosphorus group, has been found targeting Israel with an improved arsenal of tools. The group adopts recent trends, using ISO images and other archive files to initiate infection chains. They have significantly enhanced their toolset with techniques such as .NET executables constructed as Mixed Mode Assembly. The final payload is an updated version of the implant PowerLess, previously attributed to Phosphorus ransomware operations. This evolution shows the group's continuous refinement of their toolsets and delivery mechanisms.

The report details the Mint Sandstorm subgroup's cyberattacks targeting US critical infrastructure, including seaports, energy companies, transit systems, and a major utility and gas entity. The group rapidly adopted publicly disclosed proof-of-concept (POC) code to exploit vulnerabilities in internet-facing applications. The attacks also involved custom tools and implants, lateral movement, and persistence techniques. The phishing campaigns targeted individuals affiliated with think tanks and universities in Israel, North America, and Europe. The targeted sectors include transportation, energy, utilities, policy, security, and academia.

MERCURY and DEV-1084, associated with the Iranian government, orchestrated a destructive operation targeting on-premises and cloud environments under the guise of a standard ransomware campaign. The attack chain involved exploiting unpatched vulnerabilities for initial access, extensive reconnaissance, persistence establishment, and lateral movement within the network. High-privilege credentials were used to create widespread destruction of resources. The attackers also breached Azure AD environments to cause further damage and data loss. They conducted extensive mailbox operations and sent emails internally and externally impersonating high-ranking employees.

The Iranian state-sponsored threat actor, OilRig, known for targeting global sectors such as Government, Financial Services, Energy, Telecommunications, and Technology, carried out an attack in August 2022 using a malicious Word document. This document contained embedded macros that dropped additional payloads for discovery, collection, and exfiltration routines. The payloads used PowerShell scripts and Windows utilities for information gathering and established persistence with a scheduled task named "WindowsUpdate". OilRig used multiple techniques in this attack such as Process Discovery, System Information Discovery, File and Directory Discovery, System Network Configuration Discovery, and others.

The Secureworks report details a phishing campaign by the Iranian threat group COBALT ILLUSION, which used a fake Atlantic Council employee, "Sara Shokouhi", to target researchers working on human rights in Iran. The campaign used stolen imagery and a fake online presence to build rapport before attempting to steal credentials or deploy malware. This tactic mirrors previous COBALT ILLUSION operations, highlighting the consistent use of sophisticated social engineering and data harvesting techniques to gather intelligence on behalf of the Iranian government. The report provides indicators of compromise (IOCs) to help mitigate further attacks.

TA452's August 2022 intrusion involved a malicious Word document with a VBA macro that established persistence and C2 communication. The threat actors used AutoHotkey for keylogging, PowerShell scripts for discovery, and exfiltrated data using makecab.exe. They employed sophisticated techniques such as base64 encoding, obfuscation, and scheduled tasks to maintain access and evade detection. The campaign is linked to OilRig group and targeted organizations with custom-tailored malware, hinting at state-sponsored activity. Data was exfiltrated over encrypted channels, with evidence pointing to an organized and targeted approach.

TA453, also known as Charming Kitten, has targeted sectors such as academia, defence, government, NGOs, think tanks and journalists in the UK and other regions of interest. The group uses spear phishing attacks, using open source reconnaissance to create tailored phishing emails. These emails are often sent from fake social media profiles or compromised email accounts. Once a relationship has been established, TA453 directs victims to malicious links or documents and steals credentials upon interaction. The group also exploits compromised email accounts to steal sensitive data, set up mail forwarding rules and facilitate further surveillance and future attacks.

MuddyWater, an Iranian state-sponsored APT linked to the Ministry of Intelligence and Security (MOIS), focuses on cyber espionage and IP theft, occasionally using ransomware to disguise its activities. Active since 2017, the group primarily targets the Middle East, including Turkey, Israel, the UAE and Pakistan, with attacks extending to Europe, Asia, Africa and North America. Its targets span the government, defence, healthcare, energy, financial services, and education sectors. Using spear phishing, DNS tunneling and tools such as SimpleHelp, PowerShell and PowGoop, MuddyWater employs credential dumping, lateral movement and persistent remote access. Recent campaigns include phishing attacks against Turkish agencies and Israeli companies.

Since late 2020, threat actor TA453 has exhibited a shift in targeting and tactics. Previously targeting academics, diplomats, and journalists among others, TA453 has expanded to target medical researchers, aerospace engineers, realtors, and travel agencies. New tactics include the use of compromised accounts, malware, and confrontational lures. Despite this shift, Proofpoint assesses that TA453 operates in support of Iran's IRGC Intelligence Organization, indicating a broadening scope of cyber operations. The operations appear to focus on the US, Israel, and various European countries, targeting sectors like academia, diplomacy, journalism, human rights, and energy.

The COBALT MIRAGE threat group is using Drokbk malware to target U.S. local government networks. The malware, written in .NET, consists of a dropper and a payload, with limited built-in functionality, primarily executing additional commands from the command and control (C2) server. The February 2022 intrusion began with a compromise of a VMware Horizon server using two Log4j vulnerabilities. Drokbk is deployed post-intrusion alongside other access mechanisms, such as Fast Reverse Proxy (FRPC) tool, for persistence within the victim's environment.

The MuddyWater group has launched a campaign targeting countries including Armenia, Azerbaijan, Egypt, Iraq, Israel, Jordan, Oman, Qatar, Tajikistan, and the UAE. The group has employed the remote administration tool "Syncro" and used spear-phishing techniques, leveraging Dropbox and OneDrive to deliver the malicious Syncro MSI installer. The threat actors also utilized legitimate corporate email accounts to distribute their phishing emails. The sectors notably targeted include the data hosting, hospitality, and insurance sectors.

In April 2022, CISA detected Iranian government-sponsored APT activity compromising an FCEB organization's network via the Log4Shell vulnerability. Initial exploitation targeted an unpatched VMware Horizon server, later spreading to the domain controller. The threat actors utilized PowerShell commands, disabled Windows Defender, and established persistence through scheduled tasks. Tools like Mimikatz and Ngrok were deployed for credential harvesting and C2 communication. Despite attempts to dump the LSASS process, additional anti-virus measures thwarted this activity. Lateral movement was observed, as were activities aimed at credential and account manipulation.

In April 2022, Iranian government-sponsored actors exploited the Log4Shell vulnerability in VMware Horizon servers, targeting a Federal Civilian Executive Branch (FCEB) organization. They installed XMRig crypto mining malware and used tools like Mimikatz and Ngrok for credential theft and tunneling. The attack involved disabling Windows Defender, downloading malicious files, hiding artifacts, and creating scheduled tasks for persistence. The campaign highlights advanced tactics in disabling security controls and maintaining persistent access. The targeted sector was the US government.

The Iranian APT group, Charming Kitten (APT35), targets human rights activities, academia, media organizations, and political entities in the US and Central Eastern countries. Notable attacks include the 2017 HBO hack, which led to leaked unaired TV episodes, and interference attempts in the 2019 US elections, primarily targeting email accounts. Tools used by APT35 include DownPaper, which utilizes PowerShell and registry manipulation, Mimikatz for credential dumping, PsExec for remote execution, and PupyRAT for cross-platform control via phishing techniques.

The Fully Undetectable (FUD) PowerShell backdoor report details a sophisticated attack beginning with a malicious Word document ("Apply Form.docm") used in a LinkedIn-based spearphishing campaign originating from Jordan. The document contains a macro that launches a PowerShell script, creating a scheduled task to execute further malicious actions. The backdoor communicates with its C2 server, executing various commands such as process list exfiltration, user enumeration, and Active Directory exploration. SafeBreach identified operational security mistakes allowing decryption of the C2 commands. The campaign, involving PowerShell scripts and scheduled tasks, targets systems for data exfiltration and potential lateral movement.

The Secureworks Counter Threat Unit analyzed a ransomware incident involving the Iranian COBALT MIRAGE threat group. The group exploited ProxyShell vulnerabilities, used a customized variant of Fast Reverse Proxy (FRPC) named TunnelFish, and encrypted servers using BitLocker. Despite attempts to erase their digital footprint, several tools and artifacts were recoverable, leading to the identification of associated individuals and entities, including Ahmad Khatibi, CEO of Afkar System Co., and Mansour Ahmadi, CEO of Najee Technology.

The Iran-aligned threat actor TA453 has introduced a novel technique known as Multi-Persona Impersonation (MPI) to its spear-phishing campaigns. This method involves the simultaneous use of multiple false identities to enhance the credibility of their social engineering attacks. Alongside MPI, TA453 uses a malicious Word document exploiting Remote Template Injection, codenamed "Korg," to exfiltrate data.

This Certfa Lab report details the cyber espionage activities of Charming Kitten (APT42), an Iranian state-sponsored hacking group. The report focuses on four specific operations ("Alfa," "Bravo," "Charlie," and "Delta"), illustrating how Charming Kitten uses sophisticated social engineering, primarily impersonating prominent individuals on LinkedIn and Twitter, to build trust with targets before delivering malicious links disguised as innocuous meeting requests or research materials. The attacks consistently leverage phishing to steal credentials, targeting researchers, academics, activists, and journalists with a particular focus on the Middle East and North Africa. The report aims to raise public awareness of Charming Kitten's tactics and provide recommendations for enhancing online security, particularly emphasizing the use of multi-factor authentication.

The DEV-0270 group, believed to be linked to the Iranian organization Secnerd/Lifeweb, has been conducting ransomware operations primarily by exploiting known vulnerabilities in Exchange and Fortinet. The group typically targets organizations with exposed and vulnerable servers. Their tactics involve account discovery, credential dumping, account creation, process injection, privilege escalation, and data encryption. They also use evasion techniques like disabling antivirus tools, and masquerading malicious activities under legitimate processes. Notably, the group uses lateral movement methods like Remote Desktop Protocol and WMIExec for propagation across networks.

SafeBreach Labs has discovered CodeRAT, a new remote access trojan (RAT) targeting Farsi-speaking software developers with capabilities ranging from espionage to data exfiltration. Delivered via a Word document that exploits Microsoft DDE, CodeRAT monitors activity in various applications, particularly those related to social networking and development tools. Uniquely, it uses public file upload APIs and Telegram groups for command and control, bypassing typical C2 infrastructure. The malware supports 50 commands, including clipboard capture, process control and file upload. The CodeRAT developer released the source code on GitHub after it was discovered by researchers.

The Iran-based threat actor MERCURY, linked to Iran's Ministry of Intelligence and Security (MOIS), was detected exploiting Log4j 2 vulnerabilities in SysAid applications against organizations in Israel. Using these exploits for initial access, MERCURY established persistence, dumped credentials, and moved laterally within the targeted organizations. The actor also utilized both custom and well-known hacking tools alongside built-in operating system tools. Microsoft has implemented detections against MERCURY's tools in its Defender Antivirus and Defender for Endpoint and has directly notified customers targeted or compromised by MERCURY.

A new tool called HYPERSCRAPE, discovered by Google Threat Analysis Group in December 2021, has been found to be used by Charming Kitten to steal user data from Gmail, Yahoo and Microsoft Outlook accounts. HYPERSCRAPE requires the victim's account credentials to run, and once logged in, it changes the account's language settings to English, downloads messages individually as .eml files, and reverts the language back to its original settings once the inbox has been downloaded.