Posted on April 27, 2023 at 7:49 AM
Iranian hackers target Israelis using sophisticated hacking techniques
An Iranian threat actor group tracked as “Educated Manticore” has been linked to several cyberattacks targeting Israelis. The group has deployed a new version of a malware family that other well-known Iranian threat actor groups also use.
Iranian hackers conduct cyberattacks targeting Israelis
Besides this well-known malware, the attackers also use techniques rarely seen in the wild. The activity was reported by the cybersecurity company Check Point.
The cyberattacks conducted by this group were first detected in January this year, when two submitters using Israeli IP addresses uploaded the same malicious file to VirusTotal, a service that scans suspicious files and catalogs malware seen in the wild.
The malicious file is an ISO image named “Iraq development resources.” It contains many files, some of them PDFs written in Arabic, English, and Hebrew and carrying academic content about Iraq.
Check Point's research says the activity indicates the attackers were targeting academic researchers. The ISO also contains three folders. One of them holds a file labeled “zoom.jpg,” which is not a real image but an encrypted copy of the next-stage payload.
Another file is labeled “Iraq development resources” and displays a folder icon, although it is actually an executable. Launching it deploys the actual malware.
When the executable runs, it decrypts zoom.jpg and executes the downloader it contains. The executable is also padded with junk code, which misleads anyone analyzing it and helps it evade anti-virus detection.
The downloader is padded with junk code as well, and it fetches the malware known as “PowerLess.” PowerLess is a backdoor that gives the attackers access to the compromised computer.
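The infection chain described above (an ISO of academic-looking PDFs, an encrypted payload parked under the name zoom.jpg, and an executable dressed up as a folder) can be triaged with a few cheap checks once the image is extracted: does each file's header match what its extension claims, is there a PE executable at all inside a document-themed archive, and is any file high-entropy where its claimed type gives no reason for it. The Python script below is an added example written for this page, not Check Point's tooling or the attackers' code. It builds a constructed stand-in for the extracted ISO in a temporary directory (the file names mirror the ones described above; the bytes, including the "ciphertext", are made up) and runs the checks over it.

```python
"""Triage an extracted lure archive for files whose content contradicts their name.

Added example for this page; not Check Point's code. The sample files are constructed
stand-ins whose bytes are invented, only their names follow the article.
"""
import math
import os
import random
import tempfile
from collections import Counter

# Header bytes a file with this extension is expected to start with.
EXPECTED_MAGIC = {
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "pdf": b"%PDF-",
    "exe": b"MZ",
    "dll": b"MZ",
}
# Formats that are legitimately near-random (compressed), so entropy alone says little.
COMPRESSED = {"jpg", "jpeg", "png", "zip", "rar", "7z", "gz"}
ENTROPY_THRESHOLD = 7.2  # bits per byte; encrypted or random data sits close to 8.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def inspect_file(path: str) -> list:
    """Return human-readable findings for one file; empty list means nothing odd."""
    name = os.path.basename(path)
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    with open(path, "rb") as f:
        data = f.read()
    findings = []

    # Any PE in a "documents" ISO is worth a look, whatever it is called.
    if data.startswith(b"MZ"):
        findings.append(f"{name}: PE executable inside a document-themed archive")

    # Extension says one thing, the header says another (zoom.jpg is not a JPEG).
    expected = EXPECTED_MAGIC.get(ext)
    header_mismatch = bool(expected) and not data.startswith(expected)
    if header_mismatch:
        findings.append(f"{name}: claims .{ext} but header is {data[:4].hex()}")

    # Entropy is only informative when the claimed type is not compressed,
    # or when the file is not really the compressed type it claims to be.
    if ext not in COMPRESSED or header_mismatch:
        ent = shannon_entropy(data)
        if ent > ENTROPY_THRESHOLD:
            findings.append(f"{name}: entropy {ent:.2f} bits/byte, likely encrypted or packed")
    return findings


def scan(root: str) -> list:
    """Walk `root` and collect findings for every file beneath it."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fn in sorted(files):
            findings.extend(inspect_file(os.path.join(dirpath, fn)))
    return findings


def build_sample_lure(root: str) -> None:
    """Constructed stand-in for the extracted ISO; contents are invented."""
    os.makedirs(os.path.join(root, "docs"), exist_ok=True)
    # Benign-looking decoy document (real lures are genuine PDFs; this is a stub).
    with open(os.path.join(root, "docs", "Iraq development resources.pdf"), "wb") as f:
        f.write(b"%PDF-1.4\n" + b"Academic text about Iraq.\n" * 40)
    # "zoom.jpg": encrypted downloader under an image name. A seeded PRNG stands in
    # for ciphertext; two leading zero bytes guarantee it matches neither JPEG nor PE.
    rng = random.Random(1)
    with open(os.path.join(root, "zoom.jpg"), "wb") as f:
        f.write(b"\x00\x00" + bytes(rng.getrandbits(8) for _ in range(4096)))
    # Dropper shown to the user with a folder icon; only the PE header is modelled.
    with open(os.path.join(root, "Iraq development resources.exe"), "wb") as f:
        f.write(b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"\x00" * 256)


def demo() -> list:
    """Build the sample lure in a temp dir, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_lure(tmp)
        return scan(tmp)


if __name__ == "__main__":
    for line in demo():
        print(line)
```

On the sample the scan reports three findings: zoom.jpg for the header mismatch and for its entropy, and the executable simply for being a PE. The folder-icon trick itself is not visible to these checks (it lives in the PE's icon resource and in Explorer hiding the .exe extension), which is exactly why flagging every PE in a document-themed archive is the useful rule.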
The PowerLess tool was previously used by a cluster of Iranian hackers known as Mint Sandstorm. This group also goes by other names, such as Phosphorus, APT35, APT42, TA453, and Charming Kitten. However, the version found in the file used by Educated Manticore has been updated with new functionality.
The new version of PowerLess is a .NET binary built in mixed mode, meaning it combines native C++ code with managed .NET code. Mixed mode reportedly extends the tool's functionality while also making its malicious activity harder to detect.
The version of PowerLess used by the Phosphorus group could execute commands, download files, kill processes, and steal browser data. The new version can additionally list files and processes, steal data from the Telegram desktop app, take screenshots, and record audio.
Check Point also detected other attacks that used files named “Iraq-project.rar” and “SignedAgreement.zip.” These are associated with the “Iraq development resources” ISO campaign: the three files have no clear technical overlap, but all are themed around Iraq, and the attacks use similar open-source loaders.
Educated Manticore hacking group
In its new report, Check Point says that in recent years two clusters of cyber activity have been associated with Iran. One is commonly known as Nemesis Kitten, TunnelVision, or Cobalt Mirage; the other as APT35, Charming Kitten, or Phosphorus. The clusters share similar tools, but they have different targets and operate differently.
The activity of the two clusters has evolved significantly, and it has become harder to distinguish between them. Check Point's report says there was insufficient evidence to attribute the PowerLess backdoor activity to either cluster, so the researchers tracked it separately and adopted a new naming scheme.
Under the new naming convention, Check Point labels threat actors after mythical creatures, and those originating from Iran are named “manticores.” Because the targets of the recently tracked activity appear to be academic, the researchers labelled the actor behind this campaign Educated Manticore.