Hackers linked to the Iranian government have targeted individuals specializing in Middle Eastern affairs, nuclear security and genome research as part of a new social engineering campaign designed to solicit sensitive information.
Enterprise security firm Proofpoint attributed the targeted attacks to a threat actor called TA453, which broadly matches cyber activities monitored under the names APT42, Charming Kitten and Phosphorus.
It all begins with a phishing email impersonating legitimate individuals at Western foreign policy research organizations that is ultimately designed to gather intelligence on behalf of Iran’s Islamic Revolutionary Guard Corps (IRGC).
The puppet accounts include people from the Pew Research Center, the Foreign Policy Research Institute (FRPI), the UK’s Chatham House and the science journal Nature. The technique is said to be set for mid-June 2022.
However, what sets this apart from other phishing attacks is the use of a tactic called Multi-Persona Proofpoint Impersonation (MPI), where the threat actor employs not one, but several actor-controlled personas in the same email conversation to strengthen the chances of success.
The idea is to “use the psychological principle of social proof” and increase the authenticity of the threat actor’s correspondence so that the target buys into the scheme, a tactic that demonstrates the adversary’s continued ability to raise its game.
“This is an intriguing technique because it requires more resources to be used per target — potentially burning more people — and a coordinated approach between the different personalities in use by TA453,” said Sherrod DeGrippo, vice president of research and discovery. of threats in Proofpoint. in a statement.
After the initial email elicits a response from the target, the person then sends a follow-up message containing a malicious OneDrive link that downloads a Microsoft Office document, one of which allegedly alludes to a clash between Russia and the US.
This document then uses a technique called remote template injection to download Korg, a template consisting of three macros that are capable of collecting usernames, a list of running processes, and public IP addresses of victims.
Apart from the exfiltration of beacon information, no other post-exploitation actions were observed. The “abnormal” lack of code execution and command-and-control behavior has led to an assessment that compromised users may be subject to further attacks based on installed software.
This is not the first time the threat actor has undertaken impersonation campaigns. In July 2021, Proofpoint discovered a phishing operation called SpoofedScholars that targeted individuals focused on Middle Eastern issues in the US and UK under the guise of scholars with the University of London’s School of Oriental and African Studies (SOAS).
Then, in July 2022, the cybersecurity company discovered attempts by TA453 to masquerade as journalists to lure academics and policy experts to click on malicious links that redirect targets to credential harvesting domains .
The latest disclosure comes amid a flurry of cyber activity linked to Iran. Last week, Microsoft completed a string of ransomware attacks mounted by a Phosphorus subset called DEV-0270 using binaries that live abroad, such as BitLocker.
Additionally, cybersecurity firm Mandiant, which is now officially part of Google Cloud, detailed the activities of an Iranian espionage actor codenamed APT42, which has been linked to over 30 operations since 2015.
Most notably, the Treasury Department announced sanctions against Iran’s Ministry of Intelligence and Security (MOIS) and its Intelligence Minister, Esmaeil Khatib, in response to “cyber-enabled activities against the United States and its allies.”
Albania, which has severed diplomatic relations with Iran after blaming it for a series of cyber attacks since July, pointed fingers at the “same aggressors” over the weekend for carrying out another attack on a government system used to track border crossings.
“State-linked threat actors are some of the best at crafting well-thought-out social engineering campaigns to reach their intended victims,” DeGrippo said.
“Researchers involved in international security, especially those specializing in Middle East studies or nuclear security, should maintain a heightened sense of awareness when receiving unsolicited emails.”
