Microsoft says that a group of Iranian-backed state hackers is targeting high-profile employees of research organizations and universities across Europe and the United States in spearphishing attacks pushing new backdoor malware.
The attackers, a subgroup of the notorious APT35 Iranian cyberespionage group linked to the Islamic Revolutionary Guard Corps, sent custom-tailored and difficult-to-detect phishing emails via previously compromised accounts.
The new backdoor, tracked as MediaPl, uses encrypted communication channels to exchange information with its command-and-control (C2) server and is designed to masquerade as Windows Media Player to evade detection.
Communications between MediaPl and its C2 server are protected with AES-CBC encryption and Base64 encoding, and the variant discovered on compromised devices can auto-terminate, temporarily halt, retry C2 communications, and execute C2 commands using the popen function.
A second PowerShell-based backdoor malware known as MischiefTut helps drop additional malicious tools and provides reconnaissance capabilities, allowing the threat actors to run commands on the hacked systems and send the output to attacker-controlled servers.
This APT35 subset focuses on attacking and stealing sensitive data from the breached systems of high-value targets.
It is known for previously targeting researchers, professors, journalists, and other individuals with knowledge of security and policy issues aligning with Iranian interests.
Between March 2021 and June 2022, APT35 backdoored at least 34 companies with previously unknown Sponsor malware in a campaign that targeted government and healthcare organizations, as well as firms in the financial services, engineering, manufacturing, technology, law, telecommunications, and other industry sectors.
The Iranian hacking group also used never-before-seen NokNok malware in attacks against macOS systems, another backdoor designed to collect, encrypt, and exfiltrate data from compromised Macs.
Another Iranian threat group, tracked as APT33, breached defense organizations in extensive password spray attacks that have targeted thousands of organizations worldwide since February 2023, and was also recently seen attempting to breach defense contractors with new FalseFont malware.
This Cyber News was published on www.bleepingcomputer.com. Publication date: Wed, 17 Jan 2024 20:40:12 +0000