A Cyber Group in Iran Targets Middle East Tech Sectors

A Cyber Group in Iran Targets Middle East Tech Sectors

An Iranian-affiliated gang is at the center of cyberattacks on the Middle East’s technological, logistics, and transportation industries, especially Israel. These attacks are linked by CrowdStrike to a threat actor called Imperial Kitten, which is also known by the names Crimson Sandstorm (previously Curium), Tortoiseshell, and Yellow Liderc. The latest findings from CrowdStrike supplement previous reports from PwC, Mandiant, and ClearSky. In the latter, examples of strategic web breaches—also referred to as watering hole attacks—that resulted in the installation of IMAPLoader on hacked computers were described.

The adversary, which has been active since at least 2017, is thought to support Iranian strategic intelligence needs related to IRGC activities, according to CrowdStrike’s technical analysis. The way the group operates is by using social engineering, with information related to job recruitment, to distribute personalized.NET implants. The attack chains leverage hijacked websites, particularly those associated with Israel, to identify visitors with custom JavaScript code, which is then exfiltrated to attacker-controlled domains. Imperial Kitten is accused of using a number of strategies in addition to watering hole assaults, such as phishing, one-day exploits, credentials theft, and targeting upstream IT service providers for first access.

The adversary’s phishing attacks make use of Microsoft Excel documents that have macros embedded in them. These macros function as the start of the infection chain, causing a Python-based reverse shell to be launched and connected to a predefined IP address in order to receive additional commands.

Notable post-exploitation actions after a successful infiltration include lateral movement made possible by programs like NetScan and PAExec, the open-source version of PsExec. The delivery of the standard keyboard and IMAPLoader implants aligns with this.

Since the war began on October 7, 2023, Microsoft has seen that harmful cyber activity ascribed to Iranian forces is increasingly opportunistic and reactive. Microsoft claims that Iranian operators continue to use their tried-and-true strategies, particularly in inflating the effectiveness of their cyberattacks and promoting these assertions and actions via a coordinated information operations deployment. 

Read also:

Islah Ejaz is a real tech fanatic who has been writing for tech since 2016. His insights in tech are remarkable, as he keeps a close eye on the latest tech innovations & inventions, news, updates, and releases. Binge-watching series and listening to podcasts is what keeps him firm. He is also a gaming enthusiast, and gaming gives him the ultimate pleasure.