Feb 28, 2024NewsroomCyber Espionage / Malware

An Iran-nexus threat actor known as UNC1549 has been attributed with medium confidence to a new set of attacks targeting aerospace, aviation, and defense industries in the Middle East, including Israel and the U.A.E.

Other targets of the cyber espionage activity likely include Turkey, India, and Albania, Google-owned Mandiant said in a new analysis.

UNC1549 is said to overlap with Smoke Sandstorm (previously Bohrium) and Crimson Sandstorm (previously Curium), the latter of which is an Islamic Revolutionary Guard Corps (IRGC) affiliated group which is also known as Imperial Kitten, TA456, Tortoiseshell, and Yellow Liderc.

“This suspected UNC1549 activity has been active since at least June 2022 and is still ongoing as of February 2024,” the company said. “While regional in nature and focused mostly in the Middle East, the targeting includes entities operating worldwide.”

The attacks entail the use of Microsoft Azure cloud infrastructure for command-and-control (C2) and social engineering involving job-related lures to deliver two backdoors dubbed MINIBIKE and MINIBUS.

The spear-phishing emails are designed to disseminate links to fake websites containing Israel-Hamas related content or phony job offers, resulting in the deployment of a malicious payload. Also observed are bogus login pages mimicking major companies to harvest credentials.

The custom backdoors, upon establishing C2 access, act as a conduit for intelligence collection and for further access into the targeted network. Another tool deployed at this stage is a tunneling software called LIGHTRAIL that communicates using Azure cloud.

While MINIBIKE is based in C++ and capable of file exfiltration and upload, and command execution, MINIBUS serves as a more “robust successor” with enhanced reconnaissance features.

“The intelligence collected on these entities is of relevance to strategic Iranian interests and may be leveraged for espionage as well as kinetic operations,” Mandiant said.

“The evasion methods deployed in this campaign, namely the tailored job-themed lures combined with the use of cloud infrastructure for C2, may make it challenging for network defenders to prevent, detect, and mitigate this activity.”

CrowdStrike, in its Global Threat Report for 2024, described how “faketivists associated with Iranian state-nexus adversaries and hacktivists branding themselves as ‘pro-Palestinian’ focused on targeting critical infrastructure, Israeli aerial projectile warning systems, and activity intended for information operation purposes in 2023.”

This includes Banished Kitten, which unleashed the BiBi wiper malware, and Vengeful Kitten, an alias for Moses Staff that has claimed data-wiping activity against more than 20 companies’ industrial control systems (ICS) in Israel.

That said, Hamas-linked adversaries have been noticeably absent from conflict-related activity, something the cybersecurity firm has attributed to likely power and internet disruptions in the region.

Feb 19, 2024NewsroomMalware / Cyber Espionage

The Iranian-origin threat actor known as Charming Kitten has been linked to a new set of attacks aimed at Middle East policy experts with a new backdoor called BASICSTAR by creating a fake webinar portal.

Charming Kitten, also called APT35, CharmingCypress, Mint Sandstorm, TA453, and Yellow Garuda, has a history of orchestrating a wide range of social engineering campaigns that cast a wide net in their targeting, often singling out think tanks, NGOs, and journalists.

“CharmingCypress often employs unusual social-engineering tactics, such as engaging targets in prolonged conversations over email before sending links to malicious content,” Volexity researchers Ankur Saini, Callum Roxan, Charlie Gardner, and Damien Cash said.

Last month, Microsoft revealed that high-profile individuals working on Middle Eastern affairs have been targeted by the adversary to deploy malware such as MischiefTut and MediaPl (aka EYEGLASS) that are capable of harvesting sensitive information from a compromised host.

The group, assessed to be affiliated with Iran’s Islamic Revolutionary Guard Corps (IRGC), has also distributed several other backdoors such as PowerLess, BellaCiao, POWERSTAR (aka GorjolEcho), and NokNok over the past year, emphasizing its determination to continue its cyber onslaught, adapting its tactics and methods despite public exposure.

The phishing attacks observed between September and October 2023 involved the Charming Kitten operators posing as the Rasanah International Institute for Iranian Studies (IIIS) to initiate and build trust with targets.

The phishing attempts are also characterized by the use of compromised email accounts belonging to legitimate contacts and multiple threat-actor-controlled email accounts, the latter of which is called Multi-Persona Impersonation (MPI).

The attack chains typically employ RAR archives containing LNK files as a starting point to distribute malware, with the messages urging prospective targets to join a fake webinar about topics that are of interest to them. One such multi-stage infection sequence has been observed to deploy BASICSTAR and KORKULOADER, a PowerShell downloader script.

BASICSTAR, a Visual Basic Script (VBS) malware, is capable of gathering basic system information, remotely executing commands relayed from a command-and-control (C2) server, and downloading and displaying a decoy PDF file.

What’s more, some of these phishing attacks are engineered to serve different backdoors depending on the machine’s operating system. While Windows victims are compromised with POWERLESS, Apple macOS victims are targeted with an infection chain culminating in NokNok via a functional VPN application that’s laced with malware.

“This threat actor is highly committed to conducting surveillance on their targets in order to determine how best to manipulate them and deploy malware,” the researchers said. “Additionally, few other threat actors have consistently churned out as many campaigns as CharmingCypress, dedicating human operators to support their ongoing efforts.”

The disclosure comes as Recorded Future uncovered IRGC’s targeting of Western countries using a network of contracting companies that also specialize in exporting technologies for surveillance and offensive purposes to countries like Iraq, Syria, and Lebanon.

The relationship between intelligence and military organizations and Iran-based contractors takes the form of various cyber centers that act as “firewalls” to conceal the sponsoring entity.

They include Ayandeh Sazan Sepher Aria (suspected to be associated with Emennet Pasargad), DSP Research Institute, Sabrin Kish, Soroush Saman, Mahak Rayan Afraz, and the Parnian Telecommunication and Electronic Company.

“Iranian contracting companies are established and run by a tight-knit network of personas, who, in some cases, represent the contractors as board members,” the company said. “The individuals are closely associated with the IRGC, and in some cases, are even representatives of sanctioned entities (such as the IRGC Cooperative Foundation).”