430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|Apple Fixes WebKit Flaws in iOS and macOS, With Help From AI Tools|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|Apple Fixes WebKit Flaws in iOS and macOS, With Help From AI Tools|
Advertisement

Ad Placeholder

Full Width × 90

APT

Iran-linked TA453 used new Multi-Persona Impersonation technique in recent attacks

Iran-linked threat actors target individuals specializing in Middle Eastern affairs, nuclear security and genome research. In mid-2022, Proofpoint researchers uncovered a cyberespionage campaign conducted by Iran-linked TA453 threat actors. The campaign aimed at individuals specializing in Middle Eastern affairs, nuclear security and genome research. Threat actors used at least two actor-controlled personas on a single […]

Multi-Persona Impersonation TA453

Iran-linked threat actors target individuals specializing in Middle Eastern affairs, nuclear security and genome research.

In mid-2022, Proofpoint researchers uncovered a cyberespionage campaign conducted by Iran-linked TA453 threat actors.

The campaign aimed at individuals specializing in Middle Eastern affairs, nuclear security and genome research. Threat actors used at least two actor-controlled personas on a single email thread to target their victims.

TA453 is a nation-state actor that overlaps with activity tracked as Charming Kitten, PHOSPHORUS, and APT42.

The attack chain starts with phishing emails impersonating legitimate individuals at Western foreign policy research organizations, including the Pew Research Center, the Foreign Policy Research Institute (FRPI), the U.K.’s Chatham House, and the scientific journal Nature.

Since mid-June 2022. the attackers employed a new technique named Multi-Persona Impersonation (MPI), wherein they used not one but several actor-controlled personas in the same email conversation to trick the victims into believing that the message is legitimate.

“In mid-2022, TA453 deployed a social engineering impersonation technique informally called Multi-Persona Impersonation in which the threat actor uses at least two actor-controlled personas on a single email thread to convince targets of the legitimacy of the campaign.” reads the analysis published by Proofpoint experts. “This is an intriguing technique because it requires more resources be used per target—potentially burning more personas—and a coordinated approach among the various personalities in use by TA453.”

TA453 starts a conversation masquerading using a message that includes a variety of questions intended to generate a dialogue about topics of interest in the Middle East area. The questions are actually meant to establish a pretext for sending a follow-up credential harvesting link or delivering a malicious document.

The embedded link is a OneDrive link that downloads a Microsoft Office document.

A day after the initial email, one of the personas involved in the discussion responded to the email thread likely in an attempt to establish the veracity of the request and solicit a response from the target. This second message doesn’t include malicious documents or links. 

Multi-Persona Impersonation TA453

The document relies on the remote template injection to download Korg, which is a malicious template consisting of three macros (Module1.bas, Module2.bas, and ThisDocument.cls) that are designed to gather usernames, a list of running processes, and the public IP addresses of the victims.

Gathered data are then exfiltrated using the Telegram API. 

“At this time, Proofpoint has only observed the beaconing information and has not observed any follow-on exploitation capabilities. The lack of code execution or command and control capabilities within the TA453 macros is abnormal. Proofpoint judges that infected users may be subject to additional exploitation based on the software identified on their machines.” continues the report.

Proofpoint assesses that TA453 operates in support of the Islamic Revolutionary Guard Corps (IRGC), the security firm tracks multiple subgroups of TA453 differentiated primarily by victimology, techniques, and infrastructure.

“The use of MPI by TA453, while the group’s latest technique, is likely to continue to evolve and morph as this group hunts for intelligence in support of the IRGC. Proofpoint researchers have already started to observe this potential next step with TA453 attempting to send a blank email, then respond to the blank email all while including all their “friends” on the CC line. This is likely the threat actor’s attempt at bypassing security detection.” concludes the report.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Iran)

[adrotate banner=”5″]

[adrotate banner=”13″]