New Campaign Targets Middle East Governments with IronWind Malware

November 14, 2023 at 05:21AM

Middle Eastern government entities are under attack from phishing campaigns deploying a new initial access downloader called IronWind. The campaigns, attributed to the threat actor TA402, were active between July and October 2023. TA402, also known as Molerats, Gaza Cyber Gang, and APT-C-23, is a Middle Eastern APT group focused on intelligence collection. IronWind is distributed through Dropbox links, XLL file attachments, and RAR archives. The group sends its phishing lures from compromised email accounts and uses geofencing to complicate detection efforts. TA402 continues to target government entities in the Middle East and North Africa with sophisticated attacks.

Key points:

1. Government entities in the Middle East have been targeted by new phishing campaigns that deliver a malware downloader called IronWind.
2. The threat actor responsible for these campaigns is tracked by Proofpoint as TA402, also known as Molerats, Gaza Cyber Gang, and APT-C-23.
3. TA402 is a Middle Eastern advanced persistent threat (APT) group with a focus on intelligence collection and has shown sophisticated cyber espionage capabilities.
4. IronWind is distributed through Dropbox links, XLL file attachments, and RAR archives.
5. TA402 uses compromised email accounts, including one from the Ministry of Foreign Affairs, to send phishing emails with Dropbox links.
6. IronWind contacts an attacker-controlled server to obtain additional payloads, including a post-exploitation toolkit called SharpSploit.
7. TA402 relies on social engineering, delivering IronWind through XLL file and RAR archive attachments.
8. The group also uses geofencing techniques to complicate detection efforts.
9. Despite the ongoing conflict in the Middle East, TA402 continues to operate and adapt with new delivery methods.
10. Separately, cybercriminals have recently exploited the “Release scores” feature of Google Forms quizzes to orchestrate cryptocurrency scams. Because these emails originate from Google’s servers, they more easily bypass anti-spam protections.
