Hackers linked to the Iranian government have targeted individuals specializing in Middle Eastern affairs, nuclear security, and genomics research as part of a newly designed social engineering campaign intended to hunt for sensitive information.
Enterprise security firm Proofpoint attributes the targeted attacks to a threat actor tracked as TA453, which broadly overlaps with activity monitored under the names APT42, Charming Kitten, and Phosphorus.
It all started with phishing emails impersonating legitimate individuals at Western foreign policy research institutions, ultimately designed to gather intelligence on behalf of Iran's Islamic Revolutionary Guard Corps (IRGC).
The impersonated individuals include people from the Pew Research Center, the Foreign Policy Research Institute (FPRI), the UK's Chatham House, and the science journal Nature. The technique is said to have been deployed in mid-June 2022.
What sets it apart from other phishing attacks is the use of a tactic Proofpoint calls Multi-Persona Impersonation (MPI), in which the threat actor uses not one but several actor-controlled personas in the same email conversation to increase the chances of success.
The idea is to "take advantage of the psychological principle of social proof" and increase the authenticity of the threat actor's correspondence so that the target buys into the scheme, a tactic that demonstrates the adversary's continued ability to step up its game.
“This is a fascinating technique because it requires more resources to be used on each target – potentially igniting more personalities – and a coordinated approach between the different personalities in use by TA453,” Sherrod DeGrippo, vice president of threat research and detection at Proofpoint, said in a statement.
Once the initial email elicits a response from the target, the persona sends a follow-up message containing a malicious OneDrive link that downloads a Microsoft Office document, one of which alludes to a clash between Russia and the US.
The document then uses a technique known as remote template injection to download Korg, a template consisting of three macros capable of collecting the victim's username, a list of running processes, and public IP address.
Besides exfiltrating the beaconing information, no other post-exploitation actions were observed. The lack of "abnormalities" in code execution and command-and-control behavior has led to the assessment that compromised users may be subject to further attacks based on the software installed.
This is not the first time the threat actor has carried out impersonation campaigns. In July 2021, Proofpoint revealed a phishing operation called SpoofedScholars targeting individuals focusing on Middle East affairs in the US and UK under the guise of scholars from the School of Oriental and African Studies (SOAS) at University College London.
Then in July 2022, the enterprise security company discovered TA453's attempts to masquerade as journalists to lure academics and policy experts into clicking on malicious links that redirect targets to credential-harvesting domains.
The disclosure comes amid a surge in Iran-related cyber activity. Last week, Microsoft disclosed a string of ransomware attacks mounted by a Phosphorus subgroup named DEV-0270 using living-off-the-land binaries like BitLocker.
In addition, cybersecurity company Mandiant, now officially part of Google Cloud, detailed the activities of an Iranian espionage group codenamed APT42 that has been linked to more than 30 operations since 2015.
On top of that, the U.S. Treasury Department announced sanctions against Iran's Ministry of Intelligence and Security (MOIS) and the country's Minister of Intelligence, Esmaeil Khatib, in response to "cyber-enabled activities against the United States and its allies."
Albania, which severed diplomatic ties with Iran after blaming it for a series of cyberattacks since July, pointed the finger at the same "aggressors" over the weekend for launching another attack on a government system used to monitor border crossings.
“State-linked threats are some of the best at crafting well-thought-out social engineering campaigns to reach the victims they desire,” DeGrippo said.
“Researchers involved in international security, especially those specializing in Middle East or nuclear security studies, should maintain a heightened sense of vigilance when receiving unsolicited emails.”