Microsoft Threat Intelligence Center shared the results of their analysis on the evolution of Iran-linked threat actors. Over the past 12 months, MSTIC experts observed increasingly sophisticated attacks orchestrated by Iranian APT groups. The analysis focuses on six Iranian hacking groups that are increasingly utilizing ransomware to either fundraise or disrupt the computer networks of the targets.

One of the campaigns monitored by the experts, conducted by the PHOSPHORUS APT group, leveraged known vulnerabilities in Fortinet FortiOS SSL VPN and Microsoft Exchange Server to deploy ransomware on vulnerable networks.


“In the early part of 2021, PHOSPHORUS actors scanned millions of IPs on the internet for Fortinet FortiOS SSL VPN that were vulnerable to CVE-2018-13379. This vulnerability allowed the attackers to collect clear-text credentials from the sessions file on vulnerable Fortinet VPN. The actors collected credentials from over 900 Fortinet VPN servers in the United States, Europe, and Israel so far this year. In the last half of 2021, PHOSPHORUS shifted to scanning for unpatched on-premises Exchange Servers vulnerable to ProxyShell (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065).”

Microsoft Advisory

Another Iran-linked APT group analyzed by Microsoft, tracked as CURIUM, is characterized by a great deal of patience in its operations. The CURIUM group leverages a network of fake social media accounts to trick victims into installing malware.

The fake social media accounts used by the group usually masqueraded as attractive women; they were used to win the victims' trust by chatting with them and then tricking them into opening a weaponized document that starts the infection process.

In October 2021, researchers at Microsoft Threat Intelligence Center and Microsoft Digital Security Unit uncovered a malicious activity cluster, tracked as DEV-0343, that is targeting the Office 365 tenants of US and Israeli defense technology companies.

The threat actors have been launching extensive password spraying attacks against the target organizations; the malicious campaign was first spotted in July 2021. Microsoft added that password spray attacks against Office 365 accounts with multifactor authentication (MFA) enabled failed.

DEV-0343 focuses on defense companies that support United States, European Union, and Israeli government partners producing military-grade radars, drone technology, satellite systems, and emergency response communication systems. The group aggressively used brute-force attacks to obtain access to Office 365 accounts.

The DEV-0343 group was also spotted targeting the same account on the same tenant as another known Iranian threat actor tracked as Europium, a circumstance that suggests some coordination between the groups' campaigns.
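Microsoft's observation that the sprays failed against MFA-protected accounts points at what a defender should pull out of sign-in logs: one source address trying a few passwords against many distinct accounts in a short window, plus any account where the password was accepted but MFA stopped the sign-in (that password is known to the attacker and needs a reset). The following is an added example, not code from Microsoft's report or from this post. The event format, the outcome names (FAILURE_BAD_PASSWORD, MFA_BLOCKED, SUCCESS), the sample events and the thresholds are all constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events ("timestamp user source_ip outcome"); not real log data.
# 203.0.113.10 sprays six accounts in under a minute, 198.51.100.7 is a user mistyping
# a password once, 192.0.2.50 is two failures against a single account.
SAMPLE_LOG = """\
2021-07-12T03:00:01Z alice@example.com 203.0.113.10 FAILURE_BAD_PASSWORD
2021-07-12T03:00:04Z bob@example.com 203.0.113.10 FAILURE_BAD_PASSWORD
2021-07-12T03:00:07Z carol@example.com 203.0.113.10 MFA_BLOCKED
2021-07-12T03:00:11Z dave@example.com 203.0.113.10 SUCCESS
2021-07-12T03:00:15Z erin@example.com 203.0.113.10 FAILURE_BAD_PASSWORD
2021-07-12T03:00:19Z frank@example.com 203.0.113.10 FAILURE_BAD_PASSWORD
2021-07-12T09:15:00Z alice@example.com 198.51.100.7 FAILURE_BAD_PASSWORD
2021-07-12T09:15:20Z alice@example.com 198.51.100.7 SUCCESS
2021-07-12T11:40:00Z erin@example.com 192.0.2.50 FAILURE_BAD_PASSWORD
2021-07-12T11:40:09Z erin@example.com 192.0.2.50 FAILURE_BAD_PASSWORD
"""


def parse_events(text):
    """Parse the constructed whitespace-separated format into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, outcome = line.split()
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user.lower(),
            "ip": ip,
            "outcome": outcome,
        })
    return events


def detect_spray(events, min_accounts=5, window=timedelta(minutes=30)):
    """Flag source IPs that touched at least `min_accounts` distinct accounts
    inside any sliding `window`. For each flagged IP report every account it
    tried, the accounts where a valid password was stopped only by MFA, and
    the accounts where a sign-in actually succeeded."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    findings = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["time"])
        start = 0
        active = defaultdict(int)   # account -> attempts currently inside the window
        peak = 0
        for e in evs:
            active[e["user"]] += 1
            # Slide the window start forward past events older than `window`.
            while e["time"] - evs[start]["time"] > window:
                old = evs[start]["user"]
                active[old] -= 1
                if active[old] == 0:
                    del active[old]
                start += 1
            peak = max(peak, len(active))
        if peak >= min_accounts:
            findings[ip] = {
                "accounts": sorted({e["user"] for e in evs}),
                "mfa_blocked": sorted({e["user"] for e in evs if e["outcome"] == "MFA_BLOCKED"}),
                "compromised": sorted({e["user"] for e in evs if e["outcome"] == "SUCCESS"}),
            }
    return findings


if __name__ == "__main__":
    for ip, f in detect_spray(parse_events(SAMPLE_LOG)).items():
        print(ip, "sprayed", len(f["accounts"]), "accounts;",
              "MFA stopped:", f["mfa_blocked"], "signed in:", f["compromised"])
```

The distinct-account count is the discriminator: a single user failing a few times from one address is not a spray, and the detector deliberately ignores it. Accounts in the `mfa_blocked` list are the ones MFA saved, and their passwords should be treated as exposed even though no session was established.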


“As Iranian operators have adapted both their strategic goals and tradecraft, over time they have evolved into more competent threat actors capable of conducting a full spectrum of operations including:

  • Information operations
  • Disruption and destruction
  • Support to physical operations”

Indicators of Compromise

IP Addresses

  • 91.214.124[.]143
  • 162.55.137[.]20
  • 154.16.192[.]70

Files

Filename: MicrosoftOutLookUpdater[.]exe
MD5: 1444884faed804667d8c2bfa0d63ab13
SHA-1: 95E045446EFB8C9983EBFD85E39B4BE5D92C7A2A
SHA-256: c51fe5073bd493c7e8d83365aace3f9911437a0f2ae80042ba01ea46b55d2624
SHA-512: 6451077B99C5F8ECC5C0CA88FE272156296BEB91218B39AE28A086DBA5E7E39813F044F9AF0FEDBB260941B1CD52FA237C098CBF4B2A822F08E3E98E934D0ECF

Filename: MicrosoftOutlookUpdater.bat
MD5: 1A44368EB5BF68688BA4B4357BDC874F
SHA-1: FA36FEBFD5A5CA0B3A1B19005B952683A7188A13
SHA-256: 3A08D0CB0FF4D95ED0896F22F4DA8755525C243C457BA6273E08453E0E3AC4C4
SHA-512: 70AA89449EB5DA1D84B70D114EF9D24CB74751CE12D12C783251E51775C89FDCE61B4265B43B1D613114D6A85E9C75927B706F39C576DBB036079C7E8CAF28B2

Filename: MicrosoftOutlookUpdater.xml
MD5: AA40C49E309959FA04B7E5AC111BB770
SHA-1: F1D90E10E6E3654654E0A677763C9767C913F8F0
SHA-256: 5C818FE43F05F4773AD20E0862280B0D5C66611BB12459A08442F55F148400A6
SHA-512: E55A86159F2E869DCDB64FDC730DA893718E20D65A04071770BD32CAE75FF8C34704BDF9F72EF055A3B362759EDE3682B3883C4D9BCF87013076638664E8078E

Filename: GoogleChangeManagement.xml
MD5: AF2D86042602CBBDCC7F1E8EFA6423F9
SHA-1: CDCD97F946B78831A9B88B0A5CD785288DC603C1
SHA-256: 4C691CCD811B868D1934B4B8E9ED6D5DB85EF35504F85D860E8FD84C547EBF1D
SHA-512: 6473DAC67B75194DEEAEF37103BBA17936F6C16FFCD2A7345A5A46756996FAD748A97F36F8FD4BE4E1F264ECE313773CC5596099D68E71344D8135F50E5D8971

Filename: Connector3.exe
MD5: e64064f76e59dea46a0768993697ef2f

Filename: Audio.exe or frpc.exe
MD5: b90f05b5e705e0b0cb47f51b985f84db
SHA-1: 5bd0690247dc1e446916800af169270f100d089b
SHA-256: 28332bdbfaeb8333dad5ada3c10819a1a015db9106d5e8a74beaaf03797511aa
Vhash: 017067555d5d15541az28!z
Authentihash: ed463da90504f3adb43ab82044cddab8922ba029511da9ad5a52b8c20bda65ee
Imphash: 93a138801d9601e4c36e6274c8b9d111
SSDEEP: 98304:MeOuFco2Aate8mjOaFEKC8KZ1F4ANWyJXf/X+g4:MeHFV2AatevjOaDC8KZ1xNWy93U

Filename: Frps.exe
MD5: 26f330dadcdd717ef575aa5bfcdbe76a
SHA-1: c4160aa55d092cf916a98f3b3ee8b940f2755053
SHA-256: d7982ffe09f947e5b4237c9477af73a034114af03968e3c4ce462a029f072a5a
Vhash: 017057555d6d141az25!z
Authentihash: 40ed1568fef4c5f9d03c370b2b9b06a3d0bd32caca1850f509223b3cee2225ea
Imphash: 91802a615b3a5c4bcc05bc5f66a5b219
SSDEEP: 196608:/qTLyGAlLrOt8enYfrhkhBnfY0NIPvoOQiE:GLHiLrSfY5voO
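Indicator lists like the one above are copied around with defanged addresses and, as happens here, with the separator after some hash labels dropped in transit ("SHA-1FA36..."). A defender turning the list into something a scanner can consume needs to refang the IPs, recover the label/value split and reject any digest whose length is wrong, since a truncated hash silently matches nothing. The block below is an added example, not code from this post or from Microsoft; it parses an excerpt of the list in the page's own layout (the IPs plus three of the file records, values as printed above), validates the hashes, and checks a file's digests against the parsed records. The excerpt text and the benign sample bytes are constructed for the example.

```python
import hashlib
import re

# Constructed excerpt in the layout of the page's IoC block, including two lines where
# the ":" after the hash label was lost in transit. Hash and IP values are the page's.
IOC_TEXT = """\
IP Address
  • 91.214.124[.]143
  • 162.55.137[.]20
  • 154.16.192[.]70
Filename:MicrosoftOutlookUpdater.bat
MD5:1A44368EB5BF68688BA4B4357BDC874F
SHA-1FA36FEBFD5A5CA0B3A1B19005B952683A7188A13
SHA-2563A08D0CB0FF4D95ED0896F22F4DA8755525C243C457BA6273E08453E0E3AC4C4
Filename:Connector3.exe
MD5:e64064f76e59dea46a0768993697ef2f
Filename:Frps.exe
MD5:26f330dadcdd717ef575aa5bfcdbe76a
SHA-1c4160aa55d092cf916a98f3b3ee8b940f2755053
SHA-256:d7982ffe09f947e5b4237c9477af73a034114af03968e3c4ce462a029f072a5a
Imphash:91802a615b3a5c4bcc05bc5f66a5b219
"""

# Expected hex-digest lengths; a value of any other length is a transcription error.
HASH_LEN = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}

# Longest labels first, so "SHA-256..." is never read as "SHA-1" followed by junk.
LABEL_RE = re.compile(
    r"^(Filename|SHA-512|SHA-256|SHA-1|MD5|Imphash|Authentihash|Vhash|SSDEEP):?\s*(\S.*?)\s*$")
IP_RE = re.compile(r"\d{1,3}(?:\[\.\]|\.)\d{1,3}(?:\[\.\]|\.)\d{1,3}(?:\[\.\]|\.)\d{1,3}")


def refang(indicator):
    """Turn a defanged indicator ("[.]") back into its real form."""
    return indicator.replace("[.]", ".")


def parse_iocs(text):
    """Parse the list into {"ips": [...], "files": [{"filename", "md5", ...}, ...]}."""
    iocs = {"ips": [], "files": []}
    current = None
    for line in text.splitlines():
        line = line.strip()
        ip = IP_RE.search(line)
        if ip and not line.startswith("Filename"):
            iocs["ips"].append(refang(ip.group(0)))
            continue
        m = LABEL_RE.match(line)
        if not m:
            continue                       # headings and blank lines
        label, value = m.group(1), m.group(2)
        if label == "Filename":
            current = {"filename": refang(value)}
            iocs["files"].append(current)
            continue
        if current is None:
            continue                       # a hash before any filename: nothing to attach it to
        key = label.lower().replace("-", "")    # "SHA-256" -> "sha256"
        if key in HASH_LEN:
            value = value.lower()
            if len(value) != HASH_LEN[key] or not re.fullmatch(r"[0-9a-f]+", value):
                raise ValueError(f"{label} for {current['filename']} is malformed: {value}")
        current[key] = value
    return iocs


def hash_bytes(data):
    """Compute the digests the IoC list uses for a file's contents."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def match_hashes(iocs, digests):
    """Return the filenames of IoC records sharing any digest with `digests` ({algo: hex})."""
    hits = []
    for rec in iocs["files"]:
        if any(rec.get(algo) == value.lower() for algo, value in digests.items()):
            hits.append(rec["filename"])
    return hits


IOCS = parse_iocs(IOC_TEXT)

if __name__ == "__main__":
    sample = b"constructed benign content, not a real file"   # constructed sample bytes
    print("IPs:", IOCS["ips"])
    print("matches for sample:", match_hashes(IOCS, hash_bytes(sample)))
```

For a real sweep, replace the constructed sample bytes with the contents of each file of interest; because the SHA-1 and SHA-256 values on the page are mixed case, the parser normalizes everything to lowercase before comparing.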