Iran-linked threat actors target individuals specializing in Middle East affairs, nuclear security and genomics research.
In mid-2022, Proofpoint researchers uncovered a cyber espionage campaign conducted by the Iran-linked threat actor TA453.
The campaign targets individuals specializing in Middle East affairs, nuclear security and genomics research. The threat actors use at least two actor-controlled personas in a single email thread to engage their victims.
TA453 is a nation-state actor that overlaps with activities tracked as Charming Kitten, PHOSPHORUS, and APT42.
The attack chain starts with phishing emails impersonating legitimate individuals from Western foreign policy research institutions, including the Pew Research Center, the Foreign Policy Institute (FRPI), the UK’s Chatham House and the scientific journal Nature.
Since mid-June 2022, the attackers have employed a new technique called multi-role impersonation (MPI): instead of a single persona, they use multiple actor-controlled personas in the same email conversation to convince the victim that the message is legitimate.
“In mid-2022, TA453 deployed a social engineering technique informally known as multi-role impersonation, in which a threat actor uses at least two actor-controlled characters on a single email thread to convince a target of the campaign’s legitimacy,” reads the analysis published by Proofpoint experts. “It’s an interesting technique because it requires more resources per target — potentially burning more characters — and a coordinated approach between the various characters used by TA453.”
TA453 opens the conversation with a message containing a series of questions designed to start a discussion about topics of interest in the Middle East. These questions actually serve as a pretext for sending follow-up credential harvesting links or delivering malicious documents.
The embedded links point to OneDrive and deliver Microsoft Office documents.
The day after the first email, one of the personas involved in the discussion may reply to the email thread in an attempt to reinforce the apparent legitimacy of the request and solicit a response from the target. This second message contains no malicious documents or links.
The document relies on remote template injection to download Korg, a malicious template consisting of three macros (Module1.bas, Module2.bas, and ThisDocument.cls) designed to collect usernames, a list of running processes, and the victim’s Public IP address.
The collected data is then leaked using the Telegram API.
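The remote template injection described above leaves a recognizable trace inside the lure document itself: a .docx is a ZIP archive, and an attached template is declared as a relationship in `word/_rels/settings.xml.rels`. A benign document either has no such relationship or points at a local `.dotm`; a document that fetches its template from an external URL is the pattern TA453 uses to pull down Korg. The following Python script is an added example written for this article, not code from Proofpoint or from the campaign; it builds two constructed in-memory documents (the hostname `example.invalid` is a placeholder, not an indicator from the report) and checks each for an external attached template.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# OOXML relationship type that declares a document's attached template.
ATTACHED_TEMPLATE = (
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
)
RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
SETTINGS_RELS = "word/_rels/settings.xml.rels"


def find_remote_templates(docx_bytes):
    """Return the external template targets referenced by a .docx.

    An attachedTemplate relationship with TargetMode="External", or whose
    target is an http(s)/UNC location, means Word will fetch the template
    (and any macros it carries) from that location when the file is opened.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        if SETTINGS_RELS not in zf.namelist():
            return hits  # no settings relationships at all: nothing attached
        root = ET.fromstring(zf.read(SETTINGS_RELS))
        for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
            if rel.get("Type") != ATTACHED_TEMPLATE:
                continue
            target = rel.get("Target", "")
            external = rel.get("TargetMode") == "External"
            # Also catch http(s) or UNC (\\server\share) targets that omit TargetMode.
            if external or re.match(r"(?i)^(https?:|\\\\)", target):
                hits.append(target)
    return hits


def build_sample_docx(template_target, external):
    """Construct a minimal .docx (assumption: only the parts the check reads)."""
    mode = ' TargetMode="External"' if external else ""
    rels = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<Relationships xmlns="{RELS_NS}">'
        f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
        f'Target="{template_target}"{mode}/>'
        "</Relationships>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr(SETTINGS_RELS, rels)
    return buf.getvalue()


# Constructed samples: a local template and a remote one (placeholder host).
BENIGN_DOC = build_sample_docx("Normal.dotm", external=False)
SUSPECT_DOC = build_sample_docx("https://example.invalid/template.dotm", external=True)


def triage(docx_bytes):
    """Return (verdict, targets) so the result can be logged or alerted on."""
    targets = find_remote_templates(docx_bytes)
    return ("remote-template", targets) if targets else ("clean", targets)


if __name__ == "__main__":
    for name, doc in (("benign", BENIGN_DOC), ("suspect", SUSPECT_DOC)):
        print(name, triage(doc))
```

The check only looks at the settings relationships, so it costs one small XML parse per attachment and works on mail-gateway or sandbox pipelines before the document is ever opened; a match is a strong signal on its own because ordinary user documents rarely reference a template over HTTP.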
“At this point, Proofpoint has only observed beacon information and has not observed any subsequent exploitation capabilities. The lack of code execution or command and control capabilities in the TA453 macro is anomalous. Proofpoint judges that infected users’ software may be subject to additional exploitation,” the report continues.
Proofpoint assesses that TA453 operates in support of the Islamic Revolutionary Guard Corps (IRGC). The security firm tracks multiple subgroups of TA453, differentiated primarily by victimology, techniques, and infrastructure.
“TA453’s use of MPI, while state-of-the-art for the group, is likely to continue to grow and evolve as the group searches for intelligence in support of the IRGC. Proofpoint researchers are already seeing a potential next step, with TA453 attempting to send a blank email and then replying to the blank email while including all their ‘friends’ on the CC line. This is most likely an attempt by the threat actor to bypass security detection,” the report concludes.