An Iranian-affiliated group is behind cyberattacks on technology, logistics, and transportation organisations in the Middle East, especially in Israel. CrowdStrike attributes these attacks to a threat actor it tracks as Imperial Kitten, which is also known as Crimson Sandstorm (previously Curium), Tortoiseshell, and Yellow Liderc. CrowdStrike's latest findings build on earlier reports from PwC, Mandiant, and ClearSky; the last of these described strategic web compromises, also called watering hole attacks, that led to IMAPLoader being installed on compromised machines.
The adversary's phishing campaigns use Microsoft Excel documents with embedded macros. The macros start the infection chain: they launch a Python-based reverse shell that connects to a hard-coded IP address to receive further commands.
Notable post-exploitation activity after a successful intrusion includes lateral movement using tools such as NetScan and PAExec, an open-source alternative to PsExec, together with delivery of the StandardKeyboard and IMAPLoader implants.
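The chain described above (Excel macro, Python reverse shell to a fixed IP, then PAExec/NetScan for lateral movement) is visible in ordinary endpoint telemetry. The following detection logic is an added example written for this article, not CrowdStrike's or any vendor's code; it runs over constructed, Sysmon-style process-creation and network-connection records (the hostnames, paths, the 203.0.113.10 documentation-range address and the internal ranges are all made up) and flags the three stages, then reports hosts where more than one stage was seen.

```python
import ipaddress
from collections import defaultdict

# Process names involved in the stages this article describes.
OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"python.exe", "pythonw.exe", "cmd.exe", "powershell.exe", "wscript.exe"}
PYTHON_IMAGES = {"python.exe", "pythonw.exe"}
LATERAL_TOOLS = {"paexec.exe", "psexec.exe", "netscan.exe"}

# Constructed: the internal ranges a fictional organisation would configure.
# Anything outside them is treated as an external destination.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed sample telemetry (not real events). ws01 shows the full chain,
# ws02 is a developer running Python legitimately, ws03 is Excel spawning a
# benign print helper.
SAMPLE_EVENTS = [
    {"ts": "2023-11-09T08:01:10Z", "host": "ws01", "event": "process",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "image": r"C:\Users\u\AppData\Local\Programs\Python\python.exe"},
    {"ts": "2023-11-09T08:01:12Z", "host": "ws01", "event": "network",
     "image": r"C:\Users\u\AppData\Local\Programs\Python\python.exe",
     "dest_ip": "203.0.113.10", "dest_port": 443},
    {"ts": "2023-11-09T08:14:30Z", "host": "ws01", "event": "process",
     "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Users\u\Downloads\paexec.exe"},
    {"ts": "2023-11-09T09:00:00Z", "host": "ws02", "event": "process",
     "parent": r"C:\Windows\explorer.exe", "image": r"C:\Python311\python.exe"},
    {"ts": "2023-11-09T09:00:05Z", "host": "ws02", "event": "network",
     "image": r"C:\Python311\python.exe", "dest_ip": "10.0.5.20", "dest_port": 8000},
    {"ts": "2023-11-09T09:30:00Z", "host": "ws03", "event": "process",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "image": r"C:\Windows\splwow64.exe"},
]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def is_external_ip(ip: str) -> bool:
    """True when the address parses and lies outside the configured internal ranges."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return not any(addr in net for net in INTERNAL_NETS)


def detect(events):
    """Return (rule, host, timestamp) tuples for each matched stage, in event order."""
    findings = []
    for e in events:
        image = basename(e.get("image", ""))
        if e["event"] == "process":
            parent = basename(e.get("parent", ""))
            # Stage 1: an Office application spawning a script interpreter (macro execution).
            if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
                findings.append(("office_spawned_interpreter", e["host"], e["ts"]))
            # Stage 3: lateral-movement tooling appearing on an endpoint.
            if image in LATERAL_TOOLS:
                findings.append(("lateral_movement_tool", e["host"], e["ts"]))
        elif e["event"] == "network":
            # Stage 2: a Python process reaching an address outside the organisation.
            if image in PYTHON_IMAGES and is_external_ip(e.get("dest_ip", "")):
                findings.append(("interpreter_outbound_external", e["host"], e["ts"]))
    return findings


def chained_hosts(events):
    """Hosts on which at least two distinct stages fired; these deserve triage first."""
    stages = defaultdict(set)
    for rule, host, _ in detect(events):
        stages[host].add(rule)
    return {host for host, rules in stages.items() if len(rules) >= 2}


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(*finding)
    print("hosts with multi-stage activity:", sorted(chained_hosts(SAMPLE_EVENTS)))
```

Each rule on its own is noisy (developers run Python, administrators use PsExec-style tools), which is why the per-host correlation in `chained_hosts` matters: only ws01, where an Office-spawned interpreter, an external connection from Python and a lateral-movement tool all appear, is reported, while the legitimate Python use on ws02 and the benign Excel child process on ws03 produce nothing.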
Since the war began on October 7, 2023, Microsoft has observed that malicious cyber activity attributed to Iranian actors has become increasingly opportunistic and reactive. Microsoft says Iranian operators continue to rely on their established playbook, in particular exaggerating the impact of their cyberattacks and amplifying those claims and actions through a coordinated information operations deployment.