Iranian Hackers Target Women Involved in Human Rights and Middle East Politics

March 9, 2023 | Ravie Lakshmanan | Cyber espionage


Attackers backed by the Iranian government continue to engage in social engineering campaigns targeting researchers, impersonating US think tanks.

In a report shared with The Hacker News, the Secureworks Counter Threat Unit (CTU) said, "It is noteworthy that the targets in this case were all women actively involved in political affairs and human rights in the Middle East."

The cybersecurity firm attributes the activity to a hacking group it tracks as Cobalt Illusion, which is also known by the names APT35, Charming Kitten, ITG18, Phosphorus, TA453, and Yellow Garuda.

The targeting of academics, activists, diplomats, journalists, politicians, and researchers by threat actors has been well documented over the years.

The group is suspected of operating on behalf of Iran’s Islamic Revolutionary Guard Corps (IRGC) and has shown a pattern of using fake personas to contact individuals of strategic interest to the government.

"It is common for Cobalt Illusion to interact with its targets multiple times via different messaging platforms," Secureworks said. "Threat actors first send benign links and documents to build trust, then send malicious links or documents to phish for credentials on systems that Cobalt Illusion is trying to access."

Its main tactics include credential harvesting to gain control of victim mailboxes, and custom tools such as HYPERSCRAPE (aka EmailDownloader) that use the stolen passwords to log in to Gmail, Yahoo!, and Microsoft Outlook accounts and exfiltrate their contents.

Another bespoke malware linked to this group is a C++-based Telegram “grabber” tool that facilitates large-scale data collection from Telegram accounts after obtaining the target’s credentials.

The latest activity involves adversaries impersonating employees of the Atlantic Council, a US-based think tank, and reaching out to political and human rights researchers under the pretext of contributing to a report.


To make the ruse compelling, the social media accounts associated with the fake "Sara Shokouhi" persona (@SaShokouhi on Twitter and @sarashokouhii on Instagram) claimed to hold a doctorate in Middle East politics.

Secureworks added that the profile pictures for these accounts were taken from the Instagram account of a Russia-based psychologist and tarot card reader.

It is not immediately known whether the effort led to any successful phishing. The Twitter account, created in October 2022, is still active, as is the Instagram account.

"Phishing and mass data harvesting are key tactics of Cobalt Illusion," said Rafe Pilling, Secureworks CTU Principal Researcher and Iran Thematic Lead, in a statement.

“The group is doing information gathering, often human-focused, including extracting the contents of mailboxes, contact lists, travel plans, relationships, physical locations, etc. This information may be mixed with other sources and used to inform Iran’s military and security operations, both foreign and domestic.”
