Microsoft: Iranian hackers target researchers with new MediaPl malware

January 17, 2024 at 03:39PM

Microsoft warns that an Iranian hacker group, linked to the IRGC, is targeting high-profile individuals in research organizations and universities in Europe and the US using spearphishing attacks. The attackers use custom-tailored phishing emails and new backdoor malware called MediaPl to steal sensitive data and gather intelligence aligning with Iranian interests.

Key Takeaways:

– A subgroup of the Iranian state-backed APT35 cyberespionage group has been targeting high-profile employees of research organizations and universities in Europe and the United States with spearphishing attacks.

– These attacks delivered a new backdoor known as MediaPl, which masquerades as Windows Media Player to evade detection. The malware communicates with its command-and-control (C2) server over encrypted channels and can terminate itself, pause, retry its C2 communications, and execute commands through the C runtime function _popen.

– A second, PowerShell-based backdoor, MischiefTut, was used to drop additional malicious tools and to give the attackers reconnaissance capabilities on the compromised host.

– This APT35 subset focuses on stealing sensitive data from the breached systems of high-value targets; it has a history of going after researchers, professors, journalists, and other individuals with knowledge of security and policy issues of interest to Iran.

– The attacks are believed to be an attempt to gather perspectives on events related to the Israel-Hamas war from individuals across the ideological spectrum.

– The APT35 group has a history of targeting various industry sectors, including government, healthcare, financial services, engineering, manufacturing, technology, law, and telecommunications.

– Another Iranian threat group, APT33, has also been active, running extensive password spray attacks against defense organizations worldwide and attempting to breach defense contractors with new malware called FalseFont.
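The MediaPl traits listed above (masquerading as Windows Media Player, command execution through _popen, delivery by spearphishing) suggest a simple host-side hunt over process telemetry. The script below is an added example, not code from the article or from Microsoft: it runs over a constructed process listing and flags any process that claims to be the player but runs from outside the player's install directory, was launched by a mail or Office client, or spawns cmd.exe, which is how the Windows C runtime's _popen executes its command line. The install directories, image names, and parent list are assumptions about a default Windows install, not indicators taken from the report.

```python
"""Added example (not from the article): hunt for processes masquerading as
Windows Media Player. The process records at the bottom are constructed."""
from dataclasses import dataclass
import ntpath  # apply Windows path rules regardless of the host OS

# Where the genuine player lives on a default Windows install (assumption).
LEGIT_WMP_DIRS = {
    r"c:\program files\windows media player",
    r"c:\program files (x86)\windows media player",
}
WMP_IMAGE_NAMES = {"wmplayer.exe", "wmpnetwk.exe"}   # assumption
WMP_DESCRIPTION = "windows media player"
# Parents that should not be launching a media player: mail and Office clients
# are the usual landing point of a spearphishing lure (assumption).
PHISHING_PARENTS = {"outlook.exe", "winword.exe", "excel.exe"}
# On Windows the C runtime's _popen hands its command line to cmd.exe.
COMMAND_SHELLS = {"cmd.exe"}


@dataclass(frozen=True)
class ProcessRecord:
    pid: int
    ppid: int
    image_path: str
    description: str  # FileDescription from the PE version resource


def _dir(path):
    return ntpath.normpath(ntpath.dirname(path)).lower()


def _name(path):
    return ntpath.basename(path).lower()


def claims_to_be_wmp(rec):
    """True if the image name or version-resource description says 'Windows Media Player'."""
    return (_name(rec.image_path) in WMP_IMAGE_NAMES
            or WMP_DESCRIPTION in rec.description.lower())


def find_masquerades(records):
    """Return {pid: [reasons]} for every record that claims to be the player
    and shows at least one suspicious trait; genuine players return nothing."""
    by_pid = {r.pid: r for r in records}
    findings = {}
    for rec in records:
        if not claims_to_be_wmp(rec):
            continue
        reasons = []
        if _dir(rec.image_path) not in LEGIT_WMP_DIRS:
            reasons.append("image outside the Windows Media Player install directory")
        parent = by_pid.get(rec.ppid)
        if parent and _name(parent.image_path) in PHISHING_PARENTS:
            reasons.append(f"launched by {_name(parent.image_path)}")
        shells = [c for c in records
                  if c.ppid == rec.pid and _name(c.image_path) in COMMAND_SHELLS]
        if shells:
            reasons.append(f"spawns {_name(shells[0].image_path)} "
                           f"({len(shells)} child shell(s), consistent with _popen)")
        if reasons:
            findings[rec.pid] = reasons
    return findings


# Constructed sample: one genuine player, one look-alike dropped by a mail
# client into a temp directory that then runs a command shell.
SAMPLE_PROCESSES = [
    ProcessRecord(800, 1, r"C:\Windows\explorer.exe", "Windows Explorer"),
    ProcessRecord(1200, 800, r"C:\Program Files\Windows Media Player\wmplayer.exe",
                  "Windows Media Player"),
    ProcessRecord(2300, 800, r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
                  "Microsoft Outlook"),
    ProcessRecord(4410, 2300, r"C:\Users\alice\AppData\Local\Temp\wmplayer.exe",
                  "Windows Media Player"),
    ProcessRecord(4420, 4410, r"C:\Windows\System32\cmd.exe", "Windows Command Processor"),
]

if __name__ == "__main__":
    for pid, reasons in find_masquerades(SAMPLE_PROCESSES).items():
        print(f"pid {pid}: " + "; ".join(reasons))
```

The check keys on what the process says about itself (name or version-resource description) rather than on a hash, so it still fires when the binary is recompiled; the three traits are independent, and a real EDR query would add the signer of the image, since Microsoft-signed players do not live in a user's temp directory.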

Overall, the report illustrates a concerning pattern of sophisticated cyberattacks by Iranian threat groups against high-value individuals and organizations across multiple countries and industry sectors.
