Since November 2023, Microsoft has observed a distinct subset of Mint Sandstorm targeting high-profile individuals working on Middle Eastern affairs at universities and research organizations in Belgium, France, Gaza, Israel, the United Kingdom, and the United States.
Operators associated with this subgroup of Mint Sandstorm are patient and highly skilled social engineers whose tradecraft lacks many of the hallmarks that allow users to quickly identify phishing emails.
Mint Sandstorm continues to improve and modify the tooling used in targets' environments, activity that might help the group persist in a compromised environment and better evade detection.
Mint Sandstorm is a composite name used to describe several subgroups of activity with ties to the Islamic Revolutionary Guard Corps, an intelligence arm of Iran's military.
Microsoft attributes the activity detailed in this blog to a technically and operationally mature subgroup of Mint Sandstorm that specializes in gaining access to and stealing sensitive information from high-value targets.
In this blog, we share our analysis of the new Mint Sandstorm tradecraft and provide detection, hunting, and protection information.
Organizations can also use the mitigations included in this blog to harden their attack surfaces against the tradecraft observed in this and other Mint Sandstorm campaigns.
Microsoft observed new tactics, techniques, and procedures in this Mint Sandstorm campaign, notably the use of legitimate but compromised email accounts to send phishing lures, use of the Client for URL (curl) command to connect to Mint Sandstorm's command-and-control server and download malicious files, and delivery of a new custom backdoor, MediaPl.
In this campaign, Mint Sandstorm masqueraded as high-profile individuals, including a journalist at a reputable news outlet.
In other cases, Mint Sandstorm used legitimate but compromised email accounts belonging to the individuals they sought to impersonate.
If targets agreed to review the article or document referenced in the initial email, Mint Sandstorm followed up with an email containing a link to a malicious domain.
In other cases, Mint Sandstorm created a scheduled task to reach out to an attacker-controlled supabase[.
Activity observed in this campaign suggests that Mint Sandstorm wrote activity from targets' devices to a series of text files, notably one named documentLoger.
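The scheduled-task persistence described above lends itself to a hunt that pairs task creation with the outbound traffic it generates. The following Microsoft Defender XDR advanced hunting query is an added example written for this page, not a query published by Microsoft in the original blog. It assumes the task is registered through schtasks.exe or the PowerShell scheduled-task cmdlets with the supabase endpoint visible in the command line, and it assumes a 30-day window and a small browser allowlist; the table and column names are the standard Defender schema.

```kql
// Added example (not from the original Microsoft blog): hunt for scheduled-task
// creation that references a supabase-hosted endpoint, then correlate it with
// outbound connections from the same device. Supabase is a legitimate developer
// platform, so every hit is a lead to triage, not a verdict. The lookback window
// and the browser allowlist are assumptions for illustration.
let lookback = 30d;
// Task registration via schtasks.exe or the PowerShell ScheduledTasks module
let taskCreation = DeviceProcessEvents
| where Timestamp > ago(lookback)
| where FileName in~ ("schtasks.exe", "powershell.exe", "pwsh.exe")
| where ProcessCommandLine has_any ("/create", "Register-ScheduledTask", "New-ScheduledTaskAction")
| where ProcessCommandLine has "supabase"
| project Timestamp, DeviceId, DeviceName, AccountName, InitiatingProcessFileName, ProcessCommandLine;
// Non-browser processes talking to supabase from the same fleet
let beacons = DeviceNetworkEvents
| where Timestamp > ago(lookback)
| where RemoteUrl has "supabase"
| where InitiatingProcessFileName !in~ ("msedge.exe", "chrome.exe", "firefox.exe")  // assumed allowlist
| summarize Connections = count(), FirstSeen = min(Timestamp), LastSeen = max(Timestamp),
            Urls = make_set(RemoteUrl, 10)
    by DeviceId, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine;
// Keep every task-creation event; attach beacon summary where the device also connected out
taskCreation
| join kind=leftouter beacons on DeviceId
| project-away DeviceId1, DeviceName1
| order by Timestamp desc
```

Rows with a populated Connections column show a device that both registered a supabase-referencing task and had a non-browser process reach a supabase URL; rows without one still merit a look at the task's full action, since the beaconing process may not have run yet inside the window.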
In addition to the activity detailed above, in some cases, Mint Sandstorm dropped MischiefTut or MediaPl, custom backdoors.
The ability to obtain and maintain remote access to a target's system can enable Mint Sandstorm to conduct a range of activities that can adversely impact the confidentiality of a system.
In light of the patience, resources, and skills observed in campaigns attributed to this subgroup of Mint Sandstorm, Microsoft continues to update and augment our detection capabilities to help customers defend against this threat.
Microsoft recommends the following mitigations to reduce the impact of activity associated with recent Mint Sandstorm campaigns.
Microsoft Defender XDR customers can also turn on attack surface reduction rules to harden their environments against techniques used by this Mint Sandstorm subgroup.
Alerts with the following titles in the Security Center can indicate threat activity related to Mint Sandstorm.
Use this query to locate the curl command Mint Sandstorm used to pull down malicious files in this campaign.
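The hunting query referenced in the line above is not reproduced on this page. The query below is an added example written for this page, not the one Microsoft published, and it is intentionally broader than the campaign-specific indicators: it surfaces any curl.exe invocation that downloads to disk when the parent is a script host or Office application. The parent-process list, the flag patterns and the 30-day window are assumptions for illustration; table and column names follow the standard Defender XDR advanced hunting schema.

```kql
// Added example (not from the original Microsoft blog): hunt for curl.exe used as
// a downloader. Focuses on curl spawned by script hosts or Office apps, which is
// rare for legitimate software but typical of a phishing-lure chain. The parent
// list, flag patterns and lookback window are assumptions, not published IOCs.
let lookback = 30d;
let suspiciousParents = dynamic([
    "powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "winword.exe", "excel.exe", "outlook.exe"
]);
DeviceProcessEvents
| where Timestamp > ago(lookback)
| where FileName =~ "curl.exe"
| where InitiatingProcessFileName in~ (suspiciousParents)
// Either an explicit output flag or a remote URL in the command line
| where ProcessCommandLine has_any ("-o ", "-O ", "--output")
     or ProcessCommandLine matches regex @'https?://'
// Pull out the remote URL and the on-disk destination for triage
| extend RemoteUrl  = extract(@'(https?://\S+)', 1, ProcessCommandLine)
| extend OutputPath = extract(@'(?:-o|-O|--output)\s+(\S+)', 1, ProcessCommandLine)
| project Timestamp, DeviceName, AccountName,
          InitiatingProcessFileName, InitiatingProcessCommandLine,
          ProcessCommandLine, RemoteUrl, OutputPath
| order by Timestamp desc
```

Tune the parent list to your environment before saving this as a custom detection: build pipelines that legitimately call curl from cmd.exe or PowerShell will otherwise dominate the results, and a downloader chain that renames curl.exe will not match the FileName filter at all, so pair it with the MediaPl and MischiefTut alerts described above rather than relying on it alone.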
This Cyber News was published on www.microsoft.com. Publication date: Thu, 18 Jan 2024 17:13:04 +0000