Microsoft Threat Intelligence has disclosed a highly sophisticated social engineering campaign, orchestrated by the Iran-linked threat actor Mint Sandstorm, also known as APT35 and Charming Kitten. This group, with connections to Iranian military intelligence, is targeting eminent researchers involved in the Israel-Hamas conflict, aiming to pilfer sensitive data through bespoke phishing lures.
Methodical Approach to Targeting Experts
The campaign, first identified in November 2023, is honing in on experts who potentially influence intelligence and policies significant to the Islamic Republic of Iran. Microsoft believes the campaign seeks to gather diverse perspectives on the Israel-Hamas conflict from individuals across the ideological spectrum. The primary targets include professionals at universities and research organizations in Belgium, France, Gaza, Israel, the UK, and the US.
Evolving Tactics of Mint Sandstorm
Microsoft notes that Mint Sandstorm is employing new tactics, techniques, and procedures (TTP). The campaign leverages legitimate, yet compromised, email accounts to send phishing lures. The initial contact is typically made under the guise of a high-profile individual, such as a journalist from a well-known news outlet, seeking insights on the Israel-Hamas war. These emails, sometimes sent from spoofed addresses resembling personal accounts of the impersonated individuals, appear benign and are designed to establish trust.
Upon agreement from the target to review a document, a follow-up email with a link to a malicious domain is sent. These domains host a RAR archive file, ostensibly containing the requested document. When opened, this file activates a curl command, fetching a series of malevolent files from subdomains controlled by Mint Sandstorm, including glitch[.]me and supabase[.]co.
Sophisticated Intrusion Techniques
The intrusion chain leads to the deployment of backdoors on the victims' devices. Among the downloaded malicious files is a disguised version of the legitimate command line tool NirCmd, enabling various actions on the device without a user interface.
A novel custom backdoor, MediaPI, masquerading as the Windows Media Player application, has been observed. This backdoor sends AES CBC encrypted and Base64 encoded communications to Mint Sandstorm’s command-and-control (C2) server and is capable of self-termination. Furthermore, the attackers document the victims' device activities in text files, including one named documentLoger.txt.
The Microsoft team underscores the campaign's sophistication, making detection challenging for victims. “Operators associated with this subgroup of Mint Sandstorm are patient and highly skilled social engineers whose tradecraft lacks many of the hallmarks that allow users to quickly identify phishing emails,” reads the Microsoft blog Shawn Loveland, COO, Resecurity, weighed in on the potential motivations of the threat actors: "The motivations behind the actions of threat actors based in Iran can vary between geopolitical and financial gain. The specific motivation behind their actions depends on the group and actors involved. For instance, some threat actors may be driven by geopolitical issues during the day but use the same or similar TTPs at night for personal financial gain. According to a report from Microsoft, this group is only motivated by geopolitics for the specific TTPs described in the report.
Individuals and organizations are vulnerable to various threat actors, with motivations such as personal gain, fame, revenge, challenge, and even geopolitics. It is worth noting that security products and processes can take months to detect and mitigate a new campaign, exposing companies to potential attacks. Therefore, companies must establish a robust CTI practice to detect and mitigate these TTPs before they become targeted."
Recommendations for Mitigation
To counter the Mint Sandstorm campaign, Microsoft advises universities and organizations involved in Middle East research to:
Train end users to avoid clicking URLs in unsolicited messages and disclosing credentials, while being vigilant for spelling errors, spoofed app names, logos, and domain URLs.
Utilize tools capable of identifying and blocking connections to malicious domains and IP addresses.
Activate cloud-based machine learning protections to thwart new and unknown malware.
The revelation of this campaign by Microsoft serves as a stark reminder of the ever-evolving landscape of cyber threats and the need for constant vigilance and updated cybersecurity measures in sensitive sectors like international research and academia.