Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label Iranian. Show all posts

Iranian Threat Actor TA453 Targets Jewish Figure with Fake Podcast Invite in Malicious Campaign

 

A recent cyber campaign by the Iranian threat actor TA453 has drawn significant attention following their targeting of a prominent Jewish religious figure with a fake podcast interview invitation. The campaign, which began in July 2024, involved a series of deceptive emails promoting a supposed podcast titled “Exploring Jewish Life in the Muslim World.” The attackers masqueraded as representatives of the Institute for the Study of War (ISW), a legitimate American non-profit think tank focused on military and foreign affairs research. 

On July 22, 2024, TA453 initiated contact with the target by sending an email from an address claiming to represent ISW’s Research Director. The email invited the recipient to participate in the podcast, a lure that successfully engaged the target. After initial correspondence, TA453 sent a DocSend URL containing a password-protected text file with a legitimate ISW podcast link. Researchers from Proofpoint believe this initial interaction was intended to build trust with the target, making them more likely to click on malicious links in future communications. 

Following the initial lure, TA453 escalated their attack by sending a Google Drive URL that led to a ZIP archive. This archive contained a malicious LNK file, which, when opened, deployed the BlackSmith toolset, including the AnvilEcho PowerShell trojan. AnvilEcho is a sophisticated malware capable of intelligence gathering and data exfiltration. It employs encryption and network communication techniques to evade detection, integrating multiple capabilities within a single PowerShell script. The trojan’s command-and-control (C2) infrastructure is hosted on a domain linked to previous TA453 operations. 

AnvilEcho continuously fetches and executes commands from the remote server via its “Do-It” function, which handles various tasks, including network connectivity, file manipulation, screenshot capture, and audio recording. The “Redo-It” function, located at the end of the malware’s code, orchestrates these commands while also collecting system reconnaissance data such as antivirus status, operating system details, and user information. According to researchers, the activities of TA453 are likely aimed at supporting intelligence collection for the Iranian government, specifically the Islamic Revolutionary Guard Corps’ Intelligence Organization. 

The tactics employed in this campaign bear a strong resemblance to those used by the Charming Kitten advanced persistent threat (APT) group, another Iranian cyber espionage unit. This operation is a classic example of multi-persona impersonation, where threat actors leverage legitimate links to build trust with victims before launching more harmful attacks.

Iran’s Atomic Energy Organization Confirms E-mail Hack

 

The Atomic Energy Organization of Iran (AEOI) has confirmed that an anonymous “foreign country” has hacked an e-mail server belonging to one of its subsidiaries and allegedly published the information online, as per reports. 

The Iranian threat actor, named ‘Black Reward’ in a statement posted on his Twitter handle says that it has released the hacked information relating to Iranian nuclear activities. The hackers describe their action as an act of support for the Iranian protesters. 

The said protests continue in Iran after the death of Mahsa Amini (22-year-old) in September, who apparently died in police custody for not following the strict Islamic dress protocol of the country. The violent protest and street violence resulted in several deaths of protesters, along with that of security force staff. Furthermore, hundreds of demonstrators have allegedly been detained. 

A statement published by the Black Reward on Saturday showing support for the protests, read “In the name of Mahsa Amini and for women, life, and freedom.”  

The hacking group threatened the Iranian state to leak the hacked documents of Tehran’s nuclear program if they would not release all the prisoners and people detained in the protests, within 24 hours. Additionally, the group demands the release of political prisoners, claiming to have leaked 50 gigabytes of internal emails, contracts and construction plans relating to the country’s Russian-sponsored nuclear power plant in Bushehr, publishing files on its Telegram channel. 

According to the statement shared by the hacking group, the released information includes “management and operational schedules of different parts of Bushehr power plant,” passport and visa details of Iran and Russia based specialists working in the power plant and “atomic development contracts and agreements with domestic and foreign partners.” 

Although the atomic energy organization’s general department of public diplomacy and information denied the relevance of the released data, stating “this move was made with the aim of attracting public attention” 

“It should be noted that the content in users’ emails contains technical messages and common and current daily exchanges […] It is obvious that the purpose of such illegal efforts, which are carried out of desperation, is to attract public attention, create media atmospheres and psychological operations, and lack any other value,” the organization confirmed.

Predatory Sparrow's Assault on Iran's Steel Industry

 

Predatory Sparrow, also known as Gonjeshke Darande, has accepted full responsibility for last month's cyberattacks on various Iranian steel factories and has now posted the first batch of top-secret papers on its Twitter account. 

The group distributed a cache of around 20 terabytes of data. It includes company paperwork revealing the steel plants' links to Iran's strong Islamic Revolutionary Guard Corps. The group stated in a series of tweets in both English and Persian that the cache was only the beginning of what will be disclosed. 

While claiming responsibility for the June 27 attack, the group also posted a photo and video purportedly showing damage to equipment at the state-owned Khouzestan Steel Company, one of Iran's biggest steel manufacturing factories. Although both the steel firm and the Iranian government denied any serious impact, sources suggest that the attack hampered industrial operations. 

The Predatory Sparrow group explained that the attacks were carried out with caution in order to safeguard innocent people. The group also stated that the hacks were in reaction to the Islamic Republic's actions. The group goes on to say that the enterprises were targeted by international sanctions and that they will continue to operate despite the limitations. 

Regardless of Predatory Sparrow's insistence that the attacks are autonomous, it is suspected that the Israeli government is supporting the hacktivist group, given the sophistication of the operation, the nature of the attacks, and the message preceding, during, and after what looks to be an attack. Aside from the steel facilities attack, the Predatory Sparrow group has claimed responsibility for other digital attacks on key Iranian targets, including the one that crippled Iran's state-controlled gasoline distribution in October 2021 and the one that hit the Iranian railway system in August 2021. While the Iranian government continues to deny the group's accusations, each cyber strike raises new concerns.

Slack API Exploited by Iranian Threat Actor to Attack Asian Airline

 

According to IBM Security X-Force, the Iran-linked advanced persistent threat (APT) attacker MuddyWater has been discovered establishing a backdoor that exploits Slack on the network of an Asian airline. 

The hacking gang, also known as MERCURY, Seedworm, Static Kitten, and ITG17, predominantly targets throughout the Middle East and other regions of Asia. 

MuddyWater successfully infiltrated the networks of an undisclosed Asian airline in October 2019, according to IBM X-Force, with the detected activities continuing into 2021. 

According to IBM's security researchers, the adversary used a PowerShell backdoor named Aclip, which uses a Slack communication API for command and control (C&C) operations such as communication and data transmission. 

Provided that numerous different Iranian hacking groups got access to the very same victim's infrastructure in far too many cases, IBM X-Force suspects that the other adversaries were also associated in this operation, particularly considering that Iranian state-sponsored malicious actors have already been targeting the airline industry – primarily for monitoring purposes – for at least a half-decade. 

A Windows Registry Run key has been exploited in the observed event to permanently perform a batch script, which then runs a script file (the Aclip backdoor) using PowerShell. The malware could collect screenshots, acquire system information, and exfiltrate files after receiving commands via attacker-created Slack channels. 

The attacker guarantees that malicious traffic mixes in along with regular network traffic while using Slack for communication. Other virus groups have also leveraged the collaborative application for similar objectives. 

Following notification of the malicious activities, Slack initiated an investigation and removed the reported Slack workspaces. 

“We confirmed that Slack was not compromised in any way as part of this incident, and no Slack customer data was exposed or at risk. We are committed to preventing the misuse of our platform and we take action against anyone who violates our terms of service,” Slack said.

IBM's researchers are certain that the malicious actor is behind the activities based on custom tools used throughout the attack, TTP overlaps, used infrastructure, and MuddyWater's previous targeting of the transportation sector.

Telecom Industries Targeted by Hackers in Middle East and Asia

 

According to analysts, criminals attacking telcos in the Middle East and Asia over the last six months have been connected to Iranian state-sponsored cybercriminals. Cyberespionage tactics use a potent combination of spear phishing, recognized malware, and genuine network tools to steal sensitive information and potentially disrupt supply chains. 

Analysts detailed their results in a study released on Tuesday, claiming that attacks are targeting a variety of IT services firms as well as utility companies. As per a report issued by Symantec Threat Hunter Team, a subsidiary of Broadcom, malicious actors seem to obtain access to networks via spear-phishing and then steal passwords to migrate laterally. 

“Organizations in Israel, Jordan, Kuwait, Saudi Arabia, the United Arab Emirates, Pakistan, Thailand, and Laos were targeted in the campaign, which appears to have made no use of custom malware and instead relied on a mixture of legitimate tools, publicly available malware, and living-off-the-land tactics,” researchers wrote in the report. 

However the hackers' identities are unknown, analysts believe they may be associated with the Iranian organization Seedworm, also known as MuddyWater or TEMP.Zagros. In the past, this organization has conducted significant phishing efforts targeting enterprises in Asia and the Middle East to steal passwords and gain resilience in the target's networks. 

Researchers discovered two IP addresses used throughout the operation that had already been related to Seedworm activity, as well as some tool overlap, particularly SharpChisel and Password Dumper, they claimed. Whilst there has already been threat activity from Iran against telcos in the Middle East and Asia—for instance, the Iranian Chafer APT targeted a major Middle East telco in 2018—a Symantec spokesperson termed the action detailed in the report "a step up" in its focus as well as a prospective harbinger of larger attacks to come. 

According to the analysts, a conventional attack in the latest campaign started with attackers penetrating a specified network and then trying to steal passwords to move laterally so that web shells could be launched onto Exchange Servers. 

Researchers dissected a particular attack launched in August on a Middle Eastern telecom provider. According to the experts, the first sign of penetration, in that case, was the development of a service to execute an unidentified Windows Script File (WSF). 

Scripts were then utilized by attackers to execute different domain, user discovery, and remote service discovery commands, and PowerShell was ultimately utilized to download and execute files and scripts. According to analysts, attackers also used a remote access tool that purported to query Exchange Servers of other firms. 

According to the researchers, attackers were interested in leveraging some hacked firms as stepping stones or just to target organizations other than the first one to build a supply-chain attack. 

“A suspected ScreenConnect setup MSI appeared to have been delivered in a zipped file named ‘Special discount program.zip,’ suggesting that it arrived in a spear-phishing email,” they wrote.

Agrius – The Iranian Hacking Group Targets Israel Using Data Wipers

 

The hacking community of Agrius has switched from a strictly destructive wiper malware to a mix of wiper and ransomware functions — and pretends to keep data till the end of attacks. 

SentinelOne investigators announced on Tuesday that Agrius was the first to be found in attacks targeting Israeli groups in 2020, evaluating the threat group's new movements. 

The community utilizes a mixture of its customized toolkits and offensive security software, readily accessible, to deploy either a malicious wiper or a custom wiper-turned-ransomware variant. The attackers asked the targets to pay the ransom to simulate a ransomware attack to conceal the true nature of the attack. 

The Agrius Community has been functioning since the beginning of 2020, as per the experts. Initially targeted aggression in the Middle East area, Agrius expanded its presence since December 2020 to the Israeli targets. 

But unlike the other ransomware groups like Maze and Conti, Agrius doesn't seem to rely on money—instead, ransomware is indeed a recent addition and a boost to the cyber-espionage- and destruction-oriented attacks.

Moreover, Agrius claimed to be robbing and encrypting information for extorting victims in many of the attacks identified by SentinelOne only when the wiper was deployed, however, this information had already been lost. 

Agrius "intentionally masked their activity as a ransomware attack," the researchers said. 

Throughout the initial stages of the attack, Agrius uses tools for the virtual private network (VPN) software, also accessing publicly available applications and services that correspond to its intended target, often via compromised accounts and security vulnerabilities, before trying to exploit them. 

Agrius' toolkit consists of Deadwood, a malicious wiper malware strain, which is also referred to as Detbosit. Deadwood, assumed to be the APT33 work, was related to attacks against Saudi Arabia during 2019. 

The wipers, like Deadwood, Shamoon, and ZeroCleares, have also been linked to APT33 and APT34. 

During attacks, Agrius also drops the IPsec Helper, a custom.NET backdoor to bind to a command-and-control (C2) server. Moreover, a new .NET wiper known as an Apostle is being thrown away. 

Apostle seems to have been upgraded and changed to include usable modules in a recent attack towards state-owned facilities in the United Arab Emirates. Nevertheless, the team argues, that it is not the financial attraction Agrius focuses on throughout development but the disruptive aspects of ransomware — such as the ability to encrypt data. 

SentinelOne claims no "solid" links have indeed been developed with other established threat groups but because of the involvement of Agrius in Iranian issues, the deployment of web-based shells related to variants produced by the Iranians, and the primary use of wipers – an attack tactic linked to Iranian APTs since 2002 – indicated that the group is likely to originate in the Iranian Republic.