Threats Feed | Yellow Garuda | Last Updated: 05/08/2023 | Author: Certfa Radar | Publish Date: 22/07/2022

Yellow Garuda's New Arsenal: Telegram 'Grabber' Tool and Android Malware in Focus

  • Actor Motivations: Espionage, Exfiltration
  • Attack Vectors: Backdoor, Malware, Spear Phishing
  • Attack Complexity: High
  • Threat Risk: High Impact/Low Probability

Threat Overview

Yellow Garuda has been observed using a new Telegram 'grabber' tool alongside Android malware for domestic targeting, including victims likely linked to the Iranian music industry. The threat actor has been active since 2012 and relies primarily on phishing to harvest credentials. Despite operational security errors, Yellow Garuda has continued to expand its toolset, most recently with macro-enabled Word template (.dotm) files; the IOCs below include such templates staged on office-updates[.]info and official-updates[.]info, with further lure files hosted on Dropbox, Google Drive and S3. The document lures used themes of nuclear energy, weapons, US shipping ports, and Iran's relationship with the Taliban, which points to targeting across a range of sectors rather than a single one.
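The overview mentions macro-enabled template files, and the IOC list below carries .dotm files staged on attacker-controlled domains. One way a plain-looking .docx lure pulls such a file is an external attachedTemplate relationship in word/_rels/settings.xml.rels, while a .dotm carries its macros as word/vbaProject.bin. The page does not state that these lures used that mechanism; that is an assumption of the following added example, which is not Certfa's code and not taken from the page. It builds a constructed in-memory document that references one of the .dotm URLs listed below (refanged; nothing is downloaded) and shows how to flag both features during triage.

```python
from __future__ import annotations
import io
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")

def inspect_ooxml(data: bytes) -> dict:
    """Inspect an OOXML package (.docx/.dotm) held in memory; nothing is fetched.

    remote_templates: Target URLs of attachedTemplate relationships whose
                      TargetMode is External, i.e. Word will fetch the template
    has_vba:          True when a vbaProject.bin part exists (macro-enabled)
    """
    findings: dict = {"remote_templates": [], "has_vba": False}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        findings["has_vba"] = any(n.lower().endswith("vbaproject.bin") for n in names)
        for name in names:
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if (rel.get("Type") == ATTACHED_TEMPLATE
                        and rel.get("TargetMode") == "External"):
                    findings["remote_templates"].append(rel.get("Target"))
    return findings

def triage(findings: dict) -> list[str]:
    """Human-readable reasons to escalate; an empty list means nothing was found."""
    reasons = [f"fetches remote template {u}" for u in findings["remote_templates"]]
    if findings["has_vba"]:
        reasons.append("contains a VBA project (macro-enabled)")
    return reasons

def build_sample_docx(template_url: str | None, with_vba: bool = False) -> bytes:
    """Constructed minimal package for exercising the inspector; not a real lure."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<document/>")
        z.writestr("word/settings.xml", "<settings/>")
        if template_url:
            z.writestr("word/_rels/settings.xml.rels",
                       f'<Relationships xmlns="{REL_NS}">'
                       f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
                       f'Target="{template_url}" TargetMode="External"/>'
                       "</Relationships>")
        if with_vba:
            z.writestr("word/vbaProject.bin", b"\x00")  # placeholder macro part
    return buf.getvalue()

if __name__ == "__main__":
    # The .dotm URL is one listed in the IOCs below, refanged; nothing is downloaded.
    lure = build_sample_docx("http://office-updates.info/2022/details.dotm")
    print(triage(inspect_ooxml(lure)))
```

Run against a real sample directory, the relevant signal is an External attachedTemplate whose Target is not an internal template server: the relationship is legitimate Word functionality, so the allow-list of expected template hosts is the organisation's own decision.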

Detected Targets

Type     Description     Confidence
Sector   Civic           Medium
Region   Iran            Verified
Region   Turkey          Medium
Region   United States   Medium

Extracted IOCs

  • office-updates[.]info
  • official-updates[.]info
  • dl.dropboxusercontent[.]com
  • drive.google[.]com
  • s3.amazonaws[.]com
  • u1ndk6f4nf.execute-api.us-east-1.amazonaws[.]com
  • 12a172b74d0c080217bf0b883c109a6b
  • 14c095de9da5fbba5548d9fea65c8b2d
  • 1d64ddd5a2c0fae5817235ab9ddf334f
  • 381bb58655a194e75763fb01a36e5c7b
  • 45b50d42e8d827ca0373c12533211c33
  • 4ae177a37658c82adad3265ad3cce662
  • 55748b22a52823a3ccb5d8b106826cec
  • 5816f687ce49588aae2584bb5e9f652f
  • 651d72776c0394693c25b1e3c9ec55d0
  • 6a1dca07dafd2eebd99aba7c31ace928
  • 88fd6260d23f01213d3e2abee74db4a2
  • 949cc35be1b366eaad94ea03cf862d6e
  • 96be653e085046ed518ad3ce48fc4190
  • aba932b87072f479445a323b183cc29b
  • b78483179f85d3c8e23733ebd114e10e
  • b7bc6a853f160df2cc64371467ed866d
  • b8045bebc39a8fff666803a5163173d8
  • bddebaea4bf45f6b464d68a7b8e07b92
  • bdf188b3d0939ec837987b4936b19570
  • c711036ef1805fea9dc2c8e633b961fd
  • d16f4bf877445e9fca422dc736db64cf
  • db998d8182f4afd9f42bb289c508a1f3
  • e66136da3bb11795da64f038ec4610b8
  • eb51402e73a86800cdce3a50c9c804fe
  • f7b0da0dca597f3e61f53000814f8148
  • 26ed903a997d8f9dfee10435e8930a9b24bd46f9
  • 2b5056c31ca2a54e6bccc1912eee522dcf16cd94
  • 40dc7101e1991672b5f60523e69ed5787a9dc4fa
  • 48b110b088d4fd8381990dbd6cbb23abeb87b422
  • 5c0e8bd70e2dd49d45937ccc3f38de61d356384c
  • 6df60e871d14996c4826a8c2355d64d3aabbfab6
  • 71028a08ec0d64dff36cf5405997501278b949f9
  • 72c4fe68520c0307367b0865b29215d1fc6e2c32
  • 78b4ba41d2de822061d1f3e0c43d13d564f10871
  • 82a0d684a1e144a7f9f874e652597155bb12ae92
  • 85f1e02cb5f5c38b848c282187c3ceee7d544e13
  • 914a8da21feaab56fecbdc997710566775850617
  • 930e4757740aaefd9cb567faf301816fbe37c1c3
  • 9f9a5e7c24f8f2ab030ce875736d80e541156003
  • a81d2c633e938a04f486dea3b245e87dc498bc02
  • a8e7784df801cea9cb6278762437314bb42d1966
  • aba938bf8dc5445df3d5b77a42db4d6643db4383
  • affe20def567eb63447f2a3aad3927d52384db59
  • b3adc3d81853185f65dbd278fbba7f795e4a3259
  • b785169c5fbaff8e205d6d58783706fc07208d59
  • b98a24144067ec3605e84158e12d6498222295ae
  • cc9f460e593522e57b66fed9a34d3ba332391165
  • e3712e3d818e63060e30aec2a6db3598cbf0db92
  • e45aeccb798f5cf6cb5d877821d1f4aa7f55cf6f
  • f39c5689887f5b94741e285cd867e1475111499e
  • 009df256bce5971edaab72c19c4ebcc9296e203a2ef447557c0796d86217d1d3
  • 01ca3f6dc5da4b98915dd8d6c19289dcb21b0691df1bb320650c3eb0db3f214c
  • 141ae6d29118b099d5ef8ee0daa7a4714447d5aa13ce43563e21900014f1db7d
  • 28de2ccff30a4f198670b66b6f9a0ce5f5f9b7f889c2f5e6a4e365dea1c89d53
  • 41b37de3256a5d1577bbed4a04a61bd7bc119258266d2b8f10a9bb7ae7c0d4ec
  • 435f61ad26b729e1d7813454ff8279c52ebd928a3d1dd824cb9267189991565d
  • 49218f19e3dc89ab2698f9e23f37d16a97b410de91226bb24e65c8392b74de93
  • 4cddb6a4fbf8771ee3180b974fc12c8261880a213a4bf36b1e910e1c1df847cf
  • 4f85a533e6d25fb281639f9fb4b4f817faab2b291a7835c267f29c27728247f9
  • 57cc5e44fd84d98942c45799f367db78adc36a5424b7f8d9319346f945f64a72
  • 5987f958d758866ccea33437c53276382f9c362fc33e81d342b616dc70aeb78f
  • 5a9b1bf53e47cbecf41259f31d06f86dcf62b7858debd680c0a232de3577669a
  • 6710d037801471826817596fa71637eecda4f58cddf47bbb48b3984b21582721
  • 6b84eebded654d29b63f931a28e5fc4318aaf32604d1ad2f14e4a87b7a499206
  • 6e4e195c2d60aec5a75f287f2b27ade3204390ace9ad4dec07753234fb148b57
  • 725bdf594baa21edf1f3820b0daf393267066717832452598c617552a004e5da
  • 7709a06467b8a10ccfeed72072a0985e4e459206339adaea3afb0169bace024e
  • 7ea6cb74238d3f0099d4b9c42dd7301b9fb903b62f1f2e06ef73ade533691a69
  • a8c062846411d3fb8ceb0b2fe34389c4910a4887cd39552d30e6a03a02f4cc78
  • ada1e14da19338f2fa009254a993c6b6607e9a328499c3a762d6652ca8edee5e
  • c0d5043b57a96ec00debd3f24e09612bcbc38a7fb5255ff905411459e70a6bb4
  • c45bffb5fe7056075b966608e6b6bf82102f722b5c5d8a9c55631e155819d995
  • dd28806d63f628dbc670caaa67379da368e62fa9edfbdfd37d3a91354df08e1c
  • f09fa790f8b3bf59f44093ae18e8c9ec95b54fb8dab5039e9bfd09b12b815950
  • f1651ffda0d45e6c37cd31c0ed83d9bd08c33acbd3647cbdd8b22b804ce8d6a3
  • 138[.]201.145.183
  • 51[.]38.87.253
  • hxxp://office-updates[.]info/2022/details.dotm
  • hxxp://office-updates[.]info/static/admin/storage/arabic.dotm
  • hxxp://office-updates[.]info/static/admin/storage/details.dotm
  • hxxp://official-updates[.]info/office/default.dotm
  • hxxps://dl.dropboxusercontent[.]com/s/psmt483ybusajvy/turkey.docx?dl=0
  • hxxps://drive.google[.]com/uc?export=download&id=13_pt71n8ujl2lstcqcyfj4tneti-wvdf&did=1645099370036&linkname=download%20file
  • hxxps://s3.amazonaws[.]com/2v63r9egi46/hgn8fdsf512fsc5
  • hxxps://s3.amazonaws[.]com/2v63r9egi46/mvhg5dhdbsolshpq
  • hxxps://u1ndk6f4nf.execute-api.us-east-1.amazonaws[.]com/page/edpetagapngkntllfcee
  • hxxps://u1ndk6f4nf.execute-api.us-east-1.amazonaws[.]com/page/zhuezqefqadrmxwahfvz

Tip: 93 related IOCs (2 IP, 6 domain, 10 URL, 0 email, 75 file hash) to this threat have been found.
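The list above is in the feed's defanged form ([.] for dots, hxxp for http) and mixes domains, IPs, URLs, and MD5, SHA-1 and SHA-256 hashes with no labels. The following added example (not Certfa's code and not from the page) parses a constructed excerpt of that list, classifies and refangs each indicator, and matches the result against constructed proxy, DNS, EDR and firewall log lines. It also carries the caveat a practitioner needs here: dl.dropboxusercontent[.]com, drive.google[.]com and s3.amazonaws[.]com are shared public hosting, so they are matched only as the full URLs listed, never as bare hosts. Run over the complete list, the classifier reproduces the counts in the Tip line (2 IP, 6 domain, 10 URL, 75 hashes: 25 each of MD5, SHA-1 and SHA-256).

```python
from __future__ import annotations
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed excerpt of the feed above, kept in the feed's own defanged form.
FEED_EXCERPT = """
  • office-updates[.]info
  • dl.dropboxusercontent[.]com
  • u1ndk6f4nf.execute-api.us-east-1.amazonaws[.]com
  • 12a172b74d0c080217bf0b883c109a6b
  • 26ed903a997d8f9dfee10435e8930a9b24bd46f9
  • 57cc5e44fd84d98942c45799f367db78adc36a5424b7f8d9319346f945f64a72
  • 138[.]201.145.183
  • hxxp://office-updates[.]info/2022/details.dotm
  • hxxps://dl.dropboxusercontent[.]com/s/psmt483ybusajvy/turkey.docx?dl=0
"""
# Shared public hosting listed in the feed: a bare host match would flag every
# Dropbox/Drive/S3 user, so these are matched only as full URLs.
SHARED_HOSTS = {"dl.dropboxusercontent.com", "drive.google.com", "s3.amazonaws.com"}
HASH_TYPES = {32: "md5", 40: "sha1", 64: "sha256"}
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HEX_RE = re.compile(r"\b[0-9a-f]{32,64}\b")
URL_RE = re.compile(r"https?://\S+")
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b")  # bare hostnames (DNS logs)

def refang(ioc: str) -> str:
    """Undo the feed's defanging: '[.]' -> '.', 'hxxp(s)://' -> 'http(s)://'."""
    s = ioc.strip().replace("[.]", ".")
    return re.sub(r"^hxxp(s?)://", r"http\1://", s, flags=re.IGNORECASE)

def classify(ioc: str) -> tuple[str, str]:
    """Return (type, refanged value); type is md5/sha1/sha256/ipv4/url/domain."""
    v = refang(ioc)
    if re.fullmatch(r"[0-9a-fA-F]+", v) and len(v) in HASH_TYPES:
        return HASH_TYPES[len(v)], v.lower()
    if IPV4_RE.fullmatch(v):
        return "ipv4", v
    if "://" in v:
        return "url", v
    return "domain", v.lower()

def parse_feed(text: str) -> list[tuple[str, str]]:
    """Strip the feed's bullet markers and classify every non-empty line."""
    lines = (l.strip().lstrip("•").strip() for l in text.splitlines())
    return [classify(l) for l in lines if l]

def count_by_type(entries: list[tuple[str, str]]) -> Counter:
    return Counter(t for t, _ in entries)

def build_index(entries: list[tuple[str, str]]) -> dict[str, set[str]]:
    idx: dict[str, set[str]] = {t: set() for t in (*HASH_TYPES.values(), "ipv4", "url", "domain")}
    for t, v in entries:
        if not (t == "domain" and v in SHARED_HOSTS):  # URL-only matching for shared hosts
            idx[t].add(v)
    return idx

def match_log_line(line: str, idx: dict[str, set[str]]) -> list[tuple[str, str]]:
    """Return sorted, de-duplicated (type, value) hits for one log line."""
    hits: set[tuple[str, str]] = set()
    low = line.lower()
    for tok in HEX_RE.findall(low):
        t = HASH_TYPES.get(len(tok))
        if t and tok in idx[t]:
            hits.add((t, tok))
    for ip in IPV4_RE.findall(line):
        if ip in idx["ipv4"]:
            hits.add(("ipv4", ip))
    for url in URL_RE.findall(line):
        url = url.rstrip('"\'),;]')  # trailing log delimiters
        if url in idx["url"]:
            hits.add(("url", url))
        host = (urlsplit(url).hostname or "").lower()
        if host in idx["domain"] or any(host.endswith("." + d) for d in idx["domain"]):
            hits.add(("domain", host))
    for host in HOST_RE.findall(low):
        if host in idx["domain"]:
            hits.add(("domain", host))
    return sorted(hits)

def scan(lines: list[str], idx: dict[str, set[str]]) -> dict[int, list[tuple[str, str]]]:
    """Map line index -> hits, for lines that matched at least one indicator."""
    return {i: h for i, l in enumerate(lines) if (h := match_log_line(l, idx))}

# Constructed log lines (proxy, DNS, EDR, firewall); only the indicators are from the feed.
SAMPLE_LOGS = [
    '2022-07-20T09:14:02Z proxy src=10.0.0.12 url="http://office-updates.info/2022/details.dotm" status=200',
    "2022-07-20T09:14:05Z dns q=u1ndk6f4nf.execute-api.us-east-1.amazonaws.com type=A",
    "2022-07-20T09:15:11Z edr host=WS-44 sha256=57cc5e44fd84d98942c45799f367db78adc36a5424b7f8d9319346f945f64a72",
    '2022-07-20T09:16:00Z proxy src=10.0.0.13 url="https://dl.dropboxusercontent.com/s/abc123/report.pdf?dl=0" status=200',
    "2022-07-20T09:17:42Z fw action=allow dst=138.201.145.183 dport=443",
]

if __name__ == "__main__":
    entries = parse_feed(FEED_EXCERPT)
    print(dict(count_by_type(entries)))
    for i, hits in scan(SAMPLE_LOGS, build_index(entries)).items():
        print(i, hits)
```

The fourth sample line is the important negative case: benign Dropbox traffic shares a host with the turkey.docx lure URL and must not fire. Domain matching is suffix-based (a subdomain of office-updates[.]info still hits), and the API Gateway host u1ndk6f4nf.execute-api.us-east-1.amazonaws[.]com is matched as a full host because the random prefix is actor-specific even though the parent domain is Amazon's.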

Overlaps

Mint Sandstorm: Mint Sandstorm Subgroup Targets US Critical Infrastructure

Source: Microsoft - April 2023

Detection (one case): 57cc5e44fd84d98942c45799f367db78adc36a5424b7f8d9319346f945f64a72

TA453: Broadening Horizons: TA453's New Approaches in Cyber Operations

Source: Proofpoint - December 2022

Detection (two cases): a8c062846411d3fb8ceb0b2fe34389c4910a4887cd39552d30e6a03a02f4cc78, office-updates[.]info

APT42: APT42's Multi-National Cyber Operations: A Focus on Surveillance and Espionage

Source: Cyware - October 2022

Detection (nine cases): 28de2ccff30a4f198670b66b6f9a0ce5f5f9b7f889c2f5e6a4e365dea1c89d53, 651d72776c0394693c25b1e3c9ec55d0, a8c062846411d3fb8ceb0b2fe34389c4910a4887cd39552d30e6a03a02f4cc78, aba938bf8dc5445df3d5b77a42db4d6643db4383, b7bc6a853f160df2cc64371467ed866d, bdf188b3d0939ec837987b4936b19570, c0d5043b57a96ec00debd3f24e09612bcbc38a7fb5255ff905411459e70a6bb4, e3712e3d818e63060e30aec2a6db3598cbf0db92, e45aeccb798f5cf6cb5d877821d1f4aa7f55cf6f

APT42: APT42: Uncovering the Iranian Cyber Espionage Operations and Global Targets

Source: Mandiant - September 2022

Detection (nine cases): 28de2ccff30a4f198670b66b6f9a0ce5f5f9b7f889c2f5e6a4e365dea1c89d53, 651d72776c0394693c25b1e3c9ec55d0, a8c062846411d3fb8ceb0b2fe34389c4910a4887cd39552d30e6a03a02f4cc78, aba938bf8dc5445df3d5b77a42db4d6643db4383, b7bc6a853f160df2cc64371467ed866d, bdf188b3d0939ec837987b4936b19570, c0d5043b57a96ec00debd3f24e09612bcbc38a7fb5255ff905411459e70a6bb4, e3712e3d818e63060e30aec2a6db3598cbf0db92, e45aeccb798f5cf6cb5d877821d1f4aa7f55cf6f

Hint: Overlaps are extracted automatically by examining the IOCs associated with all indexed threats and actors.

About Affiliation
Yellow Garuda