Iranian hackers spy on researchers using Windows Media Player

Brother

A wave of cyber attacks is looming over scientists in Europe and the United States.

Microsoft warns about targeted cyber attacks by Iranian hackers on high-ranking employees of research organizations and universities in Europe and the United States. The attacks are carried out using phishing and the new MediaPl malware.

Microsoft attributed the activity to the Iranian cyber espionage group APT35 (Charming Kitten, Phosphorus, Mint Sandstorm), associated with the Islamic Revolutionary Guard Corps (IRGC), whose members use specially prepared, hard-to-detect phishing emails sent through previously compromised accounts.

Since November 2023, experts have observed a specific subgroup of Mint Sandstorm (Phosphorus) targeting prominent Middle East specialists at universities and research organizations in Belgium, France, Gaza, Israel, the United Kingdom and the United States.


Mint Sandstorm Attack Chain

During the campaign, the Mint Sandstorm group used social engineering to manipulate victims and force them to upload malicious files. In some cases, the use of new tools after hacking was detected, including the MediaPl backdoor.

MediaPl uses encrypted communication channels to exchange information with the Command and Control server (C2) and disguises itself as Windows Media Player to avoid detection.

Communication between MediaPl and its C2 server uses AES encryption and Base64 encoding, and the version detected on compromised devices has the ability to shut itself down, temporarily suspend its work, re-establish communication with C2, and execute C2 commands using the popen function.

The second PowerShell-based malware, known as MischiefTut, helps install additional malicious tools and has reconnaissance capabilities, allowing attackers to run commands on compromised systems and send the results to the hackers' servers.

Microsoft notes that people who work in or have influence over the intelligence and political community are attractive targets for attackers seeking to gather intelligence for their government. Based on the specific targets of this campaign and the use of decoys related to the conflict in Israel, it can be assumed that the campaign is an attempt to gather opinions on current events from people across the ideological spectrum.