Iran-linked threat actors target individuals specializing in Middle Eastern affairs, nuclear security and genome research.
In mid-2022, Proofpoint researchers uncovered a cyber espionage campaign by TA453 threat actors linked to Iran.
The campaign targeted people specializing in Middle Eastern affairs, nuclear security and genome research. The threat actors used two or more actor-controlled personas on a single email thread to approach their victims.
TA453 is a nation-state actor whose activity overlaps with clusters tracked as Charming Kitten, PHOSPHORUS, and APT42.
The attack chain begins with phishing emails impersonating legitimate individuals at Western foreign policy research organizations, including the Pew Research Center, the Foreign Policy Research Institute (FPRI), Chatham House in the UK, and the scientific journal Nature.
Since mid-June 2022, the attackers have used a technique called Multi-Persona Impersonation (MPI), in which not one but several actor-controlled personas take part in the same email conversation so that the target believes the exchange is legitimate.
“In mid-2022, TA453 deployed a social engineering impersonation technique informally called Multi-Persona Impersonation in which the threat actor uses two or more actor-controlled personas on a single email thread to convince targets of the legitimacy of the campaign,” reads the analysis published by the experts at Proofpoint. “This is an intriguing technique as it requires the use of more resources per target, potentially burning through more personas, and a coordinated approach between the different personalities used by TA453.”
TA453 opens the conversation with a message, sent under one of the impersonated identities, that contains a series of questions meant to generate a dialogue on topics of interest in the Middle East region. The questions are actually a pretext to send a tracked credential-harvesting link or to deliver a malicious document.
In the documented case, the embedded link is a OneDrive link that serves a Microsoft Office document.
A day after the first email, a second actor-controlled persona replied to the same thread, presumably to lend credibility to the request and prompt the target to respond. This second message contained no malicious document or link.
The document uses remote template injection to fetch Korg, a malicious template containing three macros (Module1.bas, Module2.bas and ThisDocument.cls) that collect the victim's username, a list of running processes and the machine's public IP address.
The collected data is then exfiltrated using the Telegram API.
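An added example, written for this article and not code from Proofpoint or from the Korg sample: the remote template injection described above leaves a static trace in the lure document itself. Word records an attached template as a relationship in word/_rels/settings.xml.rels, and a template fetched over the network carries TargetMode="External" with an http(s) target, so a lure built this way can be flagged before anyone opens it, even though the lure carries no macro of its own. The script builds a minimal constructed .docx to scan; the template URL under example.invalid is a placeholder, not an observed indicator.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = (
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
)


def remote_template_targets(docx_bytes: bytes) -> list:
    """Return (rels_part, target) for every attachedTemplate relationship with
    TargetMode="External", i.e. a template Word fetches over the network when the
    document opens. Ordinary documents have none, so any hit is worth triage."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
                if (rel.get("Type") == ATTACHED_TEMPLATE
                        and rel.get("TargetMode") == "External"):
                    hits.append((name, rel.get("Target")))
    return hits


def has_vba_project(docx_bytes: bytes) -> bool:
    """True if the package itself carries a VBA project (vbaProject.bin). With remote
    template injection the lure is normally macro-free and the macros live in the
    fetched template, which is why a macro check alone misses this technique."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        return any(n.lower().endswith("vbaproject.bin") for n in z.namelist())


def triage(docx_bytes: bytes) -> dict:
    remote = remote_template_targets(docx_bytes)
    macros = has_vba_project(docx_bytes)
    if remote:
        verdict = "suspicious: external attached template"
    elif macros:
        verdict = "review: embedded macros"
    else:
        verdict = "clean"
    return {"remote_templates": remote, "has_macros": macros, "verdict": verdict}


def build_sample_docx(remote_template: str = None, with_vba: bool = False) -> bytes:
    """Constructed minimal .docx for testing; not a real TA453 sample."""
    rels = (f'<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
            f'<Relationships xmlns="{RELS_NS}">')
    if remote_template:
        rels += (f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
                 f'Target="{remote_template}" TargetMode="External"/>')
    rels += "</Relationships>"
    w_ns = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
    r_ns = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
    settings = (f'<w:settings xmlns:w="{w_ns}" xmlns:r="{r_ns}">'
                + ('<w:attachedTemplate r:id="rId1"/>' if remote_template else "")
                + "</w:settings>")
    document = f'<w:document xmlns:w="{w_ns}"><w:body><w:p/></w:body></w:document>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("word/document.xml", document)
        z.writestr("word/settings.xml", settings)
        z.writestr("word/_rels/settings.xml.rels", rels)
        if with_vba:
            # OLE compound-file magic only; enough for the name-based check above.
            z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1")
    return buf.getvalue()


if __name__ == "__main__":
    # Hypothetical template URL; example.invalid is reserved and never resolves.
    print(triage(build_sample_docx("https://example.invalid/Template.dotm")))
    print(triage(build_sample_docx()))
```

An external attachedTemplate relationship is a strong signal on its own. For a fuller verdict, fetch the target in a sandbox and examine the returned template's VBA project with a tool such as olevba; that is where module names like Module1.bas and ThisDocument.cls would appear.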
“At this time, Proofpoint has only observed beaconing information and has not observed any follow-on exploitation capabilities. The lack of code execution or command and control capabilities in the TA453 macros is anomalous. Proofpoint believes that infected users may be subject to further exploitation depending on the software identified on their machines,” the report continues.
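The exfiltration channel, as an added example that is not from Proofpoint's report: because the macros send what they collect through the Telegram API, the beaconing the report mentions appears on the network side as an Office process connecting to api.telegram.org, and the template fetch itself shows up moments earlier as an Office process reaching an unfamiliar external host. The Python below runs those two checks over constructed Sysmon Event ID 3 (network connection) records, not real telemetry; the allow-list of expected Microsoft destinations and the documentation-range addresses are assumptions made for the example.

```python
import ipaddress
import json

OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Hosted API endpoint named in the report as the exfiltration channel.
ABUSED_API_HOSTS = {"api.telegram.org"}
# Destinations an Office process is expected to reach (assumed allow-list for this example).
EXPECTED_SUFFIXES = (".microsoft.com", ".office.com", ".office.net", ".live.com")
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def _is_internal(ip: str) -> bool:
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


def classify(event: dict):
    """Return (severity, reason) for one Sysmon Event ID 3 record, or None."""
    image = event.get("Image", "").rsplit("\\", 1)[-1].lower()
    if image not in OFFICE_IMAGES:
        return None
    host = (event.get("DestinationHostname") or "").lower()
    dst = event.get("DestinationIp") or ""
    if host in ABUSED_API_HOSTS:
        return ("high", f"{image} connected to {host}: possible Telegram API exfiltration")
    if host:
        if host.endswith(EXPECTED_SUFFIXES):
            return None
        return ("medium", f"{image} reached external host {host}: check for remote template fetch")
    # No hostname recorded (DNS not observed): fall back on the address alone.
    if dst and not _is_internal(dst):
        return ("medium", f"{image} reached unresolved external address {dst}")
    return None


def scan(lines):
    """Run classify() over JSON-per-line Sysmon records; returns (time, severity, reason)."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("EventID") != 3:
            continue
        hit = classify(ev)
        if hit:
            findings.append((ev.get("UtcTime"), hit[0], hit[1]))
    return findings


WORD = "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"
CHROME = "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"
# Constructed sample events (not real telemetry); addresses come from documentation ranges.
SAMPLE_LOG_LINES = [json.dumps(e) for e in (
    {"EventID": 3, "UtcTime": "2022-09-01 08:00:01", "Image": WORD,
     "DestinationHostname": "officeclient.microsoft.com", "DestinationIp": "203.0.113.5"},
    {"EventID": 3, "UtcTime": "2022-09-01 08:00:04", "Image": WORD,
     "DestinationHostname": "templates.example.invalid", "DestinationIp": "203.0.113.20"},
    {"EventID": 3, "UtcTime": "2022-09-01 08:00:09", "Image": WORD,
     "DestinationHostname": "api.telegram.org", "DestinationIp": "203.0.113.40"},
    {"EventID": 3, "UtcTime": "2022-09-01 08:00:12", "Image": WORD,
     "DestinationHostname": "", "DestinationIp": "10.20.30.40"},
    {"EventID": 3, "UtcTime": "2022-09-01 08:00:15", "Image": WORD,
     "DestinationHostname": "", "DestinationIp": "203.0.113.50"},
    {"EventID": 3, "UtcTime": "2022-09-01 08:00:20", "Image": CHROME,
     "DestinationHostname": "api.telegram.org", "DestinationIp": "203.0.113.40"},
    {"EventID": 1, "UtcTime": "2022-09-01 08:00:21", "Image": WORD},
)]

if __name__ == "__main__":
    for when, severity, reason in scan(SAMPLE_LOG_LINES):
        print(when, severity.upper(), reason)
```

The sequence matters as much as the individual hits: an Office process fetching from an unknown host and then, seconds later, talking to api.telegram.org is the remote template load followed by the first beacon, and that pairing is worth an alert even where either event alone would only be a low-priority lead.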
Proofpoint assesses that TA453 operates in support of the Islamic Revolutionary Guard Corps (IRGC). The company tracks several subgroups of TA453, differentiated primarily by victimology, techniques and infrastructure.
“TA453’s use of MPI, although the group’s latest technique, is likely to continue to evolve and transform as this group seeks intelligence to support the IRGC. Proofpoint researchers have already begun to observe this potential next step with TA453 attempting to send a blank email and then replying to the blank email while including all of their “friends” on the CC line. This is likely the attempt of the threat actor to bypass security detection,” the report concludes.