Posted on September 15, 2022 at 8:28 AM
An Iranian hacking syndicate has been seen using a new, sophisticated phishing method that relies on multiple email accounts and personas to lure its targets. According to the report, the threat actors make their targets believe that the email is from a genuine source.
The threat actors send an email to their target, add another email address under their control in the CC field, and then respond from that address. This enables the attackers to stage a fake conversation.
The Attackers Use The Psychological Principle Of “Social Proof”
Researchers at Proofpoint have named the campaign “multi-persona impersonation” (MPI). They discovered the attack and stated that the method utilizes the psychological principle of “social proof” to obscure logical thinking. Additionally, they add some elements to the phishing threads to make them trustworthy and genuine enough to deceive targets.
The threat actors are believed to be TA453, an Iranian hacking syndicate that operates from within the Islamic Revolutionary Guard Corps (IRGC). The group has previously been seen targeting policy experts and academics in the Middle East by impersonating journalists.
The Hackers Are Targeting Institutions
The new strategy requires more work on TA453's side before an attack can succeed. Each target needs to be engaged in a realistic conversation held by sock puppets, or fake personas. But the additional effort is worth it for the potential gain: it creates a realistic-looking exchange of emails, which makes the conversation look genuine.
Proofpoint shared details of a case from June this year, in which the sender masqueraded as the Director of Research at FPRI. The attackers sent fake emails to their targets and CCed a Director of Global Attitudes Research at the Pew Research Center.
Barely 24 hours after the mail was sent, the impersonated Pew director responded to the questions delivered by the FPRI director. This created a false sense of legitimacy, making the thread look like an honest conversation that entices targets to join.
Proofpoint also pointed out another case that involved scientists specializing in general research. In this example, the CCed persona replied using a OneDrive link that resulted in the downloading of a DOCX document, with malicious macros planted in the document.
In another MPI phishing attack orchestrated by TA453, two academics who specialize in nuclear arms control were the targets. According to Proofpoint, the hackers CCed three personas in this case, going for an even more sophisticated attack.
The Hackers Used Personal Email Addresses
The hackers used similar attack methods in all of these cases, the researchers noted. The threat actors used personal email addresses (Hotmail, AOL, Outlook, Gmail) for the senders and the CCed personas rather than addresses from the institutions they were impersonating. This is what raised the researchers' suspicion.
If the messages had come from the genuine institutions, the senders would have used their institutional email addresses to pass any information across. But since the hackers do not have access to those mailboxes, they chose to use personal email addresses. Although a very keen observer would spot this difference, the threat actors still manage to deceive some users.
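The mismatch described above can be checked mechanically on inbound mail. The following is an added example, not code from Proofpoint or from the original article: it flags a thread in which a freemail sender CCs a freemail address on mail to your organisation and the CCed address then replies. The function names, the `example.org` recipient domain and all sample addresses are constructed for illustration.

```python
from email import message_from_string
from email.utils import getaddresses

# Freemail providers named in the article; extend for your own environment.
FREEMAIL = {"hotmail.com", "aol.com", "outlook.com", "gmail.com"}

def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower()

def _addrs(msg, header):
    return {a.lower() for _, a in getaddresses(msg.get_all(header, [])) if a}

def _freemail(addrs):
    return {a for a in addrs if _domain(a) in FREEMAIL}

def mpi_findings(raw_messages, org_domain):
    """Flag the two-step pattern: a freemail sender CCs a freemail address on
    mail to our organisation, then that CCed address replies in the thread."""
    seeded = {}    # Message-ID -> freemail CC addresses introduced by that mail
    findings = []
    for raw in raw_messages:  # assumed to be in delivery order
        msg = message_from_string(raw)
        mid = msg.get("Message-ID", "").strip()
        parent = msg.get("In-Reply-To", "").strip()
        sender = _freemail(_addrs(msg, "From"))
        cc = _freemail(_addrs(msg, "Cc"))
        to_org = any(_domain(a) == org_domain for a in _addrs(msg, "To"))
        if parent and sender & seeded.get(parent, set()):
            findings.append((mid, "CCed freemail persona replied in thread"))
        elif sender and cc and to_org:
            seeded[mid] = cc
            findings.append((mid, "freemail sender CCs freemail persona"))
    return findings

def _mk(frm, cc, mid, parent=None):
    # Build a minimal raw message for the constructed sample below.
    reply = f"In-Reply-To: {parent}\n" if parent else ""
    return (f"From: {frm}\nTo: target@example.org\nCc: {cc}\n"
            f"Message-ID: {mid}\n{reply}Subject: Research question\n\nbody\n")

# Constructed sample thread (all addresses are made up for this example).
SAMPLE = [
    _mk("Persona A <persona-a@gmail.com>", "persona-b@hotmail.com", "<m1@constructed>"),
    _mk("Persona B <persona-b@hotmail.com>", "persona-a@gmail.com",
        "<m2@constructed>", parent="<m1@constructed>"),
    _mk("Colleague <colleague@example.net>", "peer@example.net", "<m3@constructed>"),
]
```

A hit is a triage signal rather than a verdict, since legitimate contacts also write from personal accounts; it is most useful combined with a display name or signature that claims an institutional role.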
The documents that TA453 tricked targets into downloading through OneDrive links were password-protected files that perform template injection. The report revealed that the downloaded template, which Proofpoint calls Korg, has three distinct macros: ThisDocument.cls, Module2.bas, and Module1.bas.
The macros gather information such as the target's username, public IP, and a list of running processes from the targeted system. After gathering the details, they exfiltrate the data using the Telegram API.
However, the Proofpoint researchers were unable to observe anything beyond the reconnaissance beaconing stage. They believe that subsequent steps involve additional exploitation that gives the remote threat actors execution capabilities.
Sock puppets are carefully crafted fake social media accounts that hide their operators' true accounts. They are generally fictitious persona profiles created by someone whose goal is to make the target believe they are communicating with a genuine contact. They are usually part of an OSINT social engineering technique.
These accounts are used by detectives, investigators, journalists, and the police to hide their identities when carrying out certain actions. However, they are also used by hackers to deceive their targets. Researchers have asked users to be wary of these types of attacks and look for signs that they are being targeted by threat actors.