Malware hunters at Microsoft on Wednesday warned that an APT with known links to Iran’s military intelligence has been impersonating a prominent journalist to trick a specific set of people into downloading malicious files.
The bespoke spear-phishing attacks, ongoing since November last year, are targeting high-profile individuals working on Middle Eastern affairs at universities and research organizations in Belgium, France, Gaza, Israel, the United Kingdom, and the United States.
According to Redmond’s documentation of the discovery, the so-called ‘Mint Sandstorm’ hackers are “patient and highly skilled social engineers whose tradecraft lacks many of the hallmarks that allow users to quickly identify phishing emails.”
“This group is known to conduct resource-intensive social engineering campaigns that target journalists, researchers, professors, or other individuals with insights or perspective on security and policy issues of interest to Tehran,” Microsoft said.
In some instances of this campaign, Microsoft researchers caught the hackers using legitimate but compromised accounts to send phishing lures, and utilization of the Client for URL (curl) command to connect to its command-and-control (C2) server.
The APT has been caught masquerading as high-profile individuals, including as an unidentified journalist at a reputable news outlet. “In some cases, the threat actor used an email address spoofed to resemble a personal email account belonging to the journalist they sought to impersonate and sent benign emails to targets requesting their input on an article about the Israel-Hamas war,” Microsoft said.
“In other cases, [they] used legitimate but compromised email accounts belonging to the individuals they sought to impersonate. Initial email messages did not contain any malicious content.”
“This tradecraft, namely the impersonation of a known individual, the use of highly bespoke phishing lures, and the use of wholly benign messages in the initial stages of the campaign, is likely an attempt to build rapport with targets and establish a level of trust before attempting to deliver malicious content to targets,” the company said.
Microsoft said the hacking team found success at certain targets that agreed to review the article or document referenced in the initial email. “[The hackers] followed up with an email containing a link to a malicious domain,” the researchers said, warning that follow up messages directed targets to sites hosting a RAR archive (.rar) file that purported to contain the draft document targets were asked to review.
“If opened, this .rar file decompressed into a double extension file (.pdf.lnk) with the same name. When launched, the .pdf.lnk file ran a curl command to retrieve a series of malicious files from attacker-controlled subdomains,” Microsoft said.