According to security researchers, Iranian state-sponsored hackers have developed a new sneaky tactic to trick individuals into downloading malicious attachments.
Proofpoint's cybersecurity experts have found that the TA453 threat actor, allegedly linked to the Islamic Revolutionary Guard Corps (IRGC), is engaging in multi-persona impersonation, or sock-puppeting, to draw victims into a fabricated conversation.
In other words, the threat actors are having email conversations with themselves while letting the victim listen in on the side, before tricking them into downloading a file that wasn't necessarily sent to them.
Faking a conversation
Here's how it works: the threat actors create multiple fake email accounts, stealing the identities of scientists, directors, and other high-profile individuals. Then they send an email from one of the addresses to another, CC'ing the victim in the process. A day or two later, they reply to that email from the second address, which they also control.
If the victim is caught in the middle of an email thread, they may lower their guard and gain a false sense of legitimacy about the whole thing. After a brief back-and-forth, one of the participants sends an attachment to the other participants, and should the victim download and run it on their endpoint, they receive a .DOCX file laden with malicious macros.
The biggest advantage of this campaign is that all of the email accounts used in the attack are hosted with large email providers, such as Gmail, Outlook, or Hotmail, rather than on the domains of the impersonated organizations.
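The pattern described above (several personas on consumer webmail talking to each other, the target only CC'd, then an Office document arriving) can be checked mechanically at the mail gateway. The following is an added example written for this article, not Proofpoint's code or any tooling from the report; the thread, names and addresses are constructed and hypothetical, and the heuristics (free-webmail senders, a claimed affiliation in the display name that the address does not match, target only in CC, Office attachment) are assumptions about what a defender would score, not indicators taken from the campaign.

```python
import re
from dataclasses import dataclass, field

# Consumer mail providers named in the article; any sender here is not speaking
# for the organisation shown in its display name.
FREE_WEBMAIL = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com"}
# Office / rich-text documents that can carry macros or remote templates.
OFFICE_ATTACHMENT = re.compile(r"\.(docx?|docm|dotm|xlsm|pptm|rtf)$", re.IGNORECASE)


@dataclass
class Message:
    sender: str                 # raw From header value
    to: list                    # raw To header values
    cc: list                    # raw Cc header values
    attachments: list = field(default_factory=list)


# Constructed sample thread (hypothetical names and addresses): two attacker
# personas exchange mail on free webmail while the target is only CC'd, and
# the second message carries a .docx.
SAMPLE_THREAD = [
    Message("Jane Doe (Example Institute) <jane.doe.research@gmail.com>",
            to=["John Roe (Example University) <john.roe.uni@outlook.com>"],
            cc=["target@victim-org.example"]),
    Message("John Roe (Example University) <john.roe.uni@outlook.com>",
            to=["Jane Doe (Example Institute) <jane.doe.research@gmail.com>"],
            cc=["target@victim-org.example"],
            attachments=["Policy_Report_Draft.docx"]),
]


def split_header(raw: str):
    """Return (display_name, address) from a simple 'Name <addr>' header value."""
    m = re.match(r"\s*(.*?)\s*<([^>]+)>\s*$", raw)
    if m:
        return m.group(1), m.group(2).lower()
    return "", raw.strip().lower()


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def assess_thread(thread, protected_user: str) -> dict:
    """Score a thread for the sock-puppet pattern: returns findings and a verdict."""
    protected_user = protected_user.lower()
    findings = []
    senders = {split_header(m.sender)[1] for m in thread}

    # 1. Every sender sits on consumer webmail rather than an institutional domain.
    if senders and all(domain_of(s) in FREE_WEBMAIL for s in senders):
        findings.append("all_senders_free_webmail")

    # 2. A display name claims an affiliation "(Org)" that a webmail address cannot back.
    for m in thread:
        name, addr = split_header(m.sender)
        if re.search(r"\([^)]+\)", name) and domain_of(addr) in FREE_WEBMAIL:
            findings.append(f"affiliation_mismatch:{addr}")
            break

    # 3. Two or more personas talk to each other; the protected user is only CC'd.
    addressed = any(protected_user in (split_header(a)[1] for a in m.to) for m in thread)
    ccd = any(protected_user in (split_header(a)[1] for a in m.cc) for m in thread)
    if len(senders) >= 2 and ccd and not addressed:
        findings.append("target_only_cc_between_personas")

    # 4. An Office document shows up after the back-and-forth.
    for m in thread:
        for att in m.attachments:
            if OFFICE_ATTACHMENT.search(att):
                findings.append(f"office_attachment:{att}")

    # Threshold is an assumption for this example; tune it to local false-positive rates.
    return {"findings": findings, "suspicious": len(findings) >= 3}


if __name__ == "__main__":
    print(assess_thread(SAMPLE_THREAD, "target@victim-org.example"))
```

No single heuristic is decisive on its own (a genuine academic on Gmail is common), which is why the verdict needs several of them to line up; the combination of "target never addressed directly" with a document arriving mid-thread is the part specific to this technique.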
"The downloaded template, dubbed Korg by Proofpoint, has three macros: Module1.bas, Module2.bas, and ThisDocument.cls," researchers said. "The macros collect information such as the user's username and list of running processes along with the user's public IP from my-ip.io, and then exfiltrate that information using the Telegram API."
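The macro behaviour quoted above gives defenders a concrete network sequence to look for: an Office process resolving its public IP via my-ip.io and shortly afterwards talking to the Telegram Bot API host (api.telegram.org). The script below is an added illustration, not Proofpoint's detection logic; the log lines are constructed in an assumed "timestamp host process destination" layout, the host and process names are hypothetical, and the five-minute window is an assumption.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed proxy/EDR-style log lines (not real telemetry). Assumed layout:
# <ISO timestamp> <host> <initiating process> <destination hostname>
SAMPLE_LOGS = """\
2022-09-13T09:01:12Z WS-017 WINWORD.EXE templates.example-cdn.test
2022-09-13T09:01:40Z WS-017 WINWORD.EXE my-ip.io
2022-09-13T09:01:52Z WS-017 WINWORD.EXE api.telegram.org
2022-09-13T09:05:03Z WS-022 chrome.exe my-ip.io
2022-09-13T11:30:00Z WS-031 WINWORD.EXE api.telegram.org
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")
OFFICE_PROCESSES = {"winword.exe", "excel.exe", "powerpnt.exe"}
IP_LOOKUP_HOSTS = {"my-ip.io"}            # named in the article
EXFIL_HOSTS = {"api.telegram.org"}        # Telegram Bot API endpoint
WINDOW = timedelta(minutes=5)             # assumed correlation window


def parse_logs(text: str):
    """Yield (timestamp, host, process, destination) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue            # skip malformed lines rather than abort
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        yield ts, m.group(2), m.group(3).lower(), m.group(4).lower()


def detect_macro_exfil(text: str) -> list:
    """Flag hosts where an Office process does an IP lookup then reaches Telegram
    within WINDOW. Returns one alert dict per (host, process)."""
    events = defaultdict(list)
    for ts, host, proc, dest in parse_logs(text):
        if proc in OFFICE_PROCESSES:
            events[(host, proc)].append((ts, dest))

    alerts = []
    for (host, proc), evs in events.items():
        evs.sort()
        lookups = [t for t, d in evs if d in IP_LOOKUP_HOSTS]
        exfils = [t for t, d in evs if d in EXFIL_HOSTS]
        for t_exfil in exfils:
            # Lookup must precede the Telegram contact and fall inside the window.
            if any(timedelta(0) <= (t_exfil - t_lookup) <= WINDOW for t_lookup in lookups):
                alerts.append({"host": host, "process": proc,
                               "time": t_exfil.isoformat()})
                break
    return alerts


if __name__ == "__main__":
    for alert in detect_macro_exfil(SAMPLE_LOGS):
        print(alert)
```

In the constructed sample only WS-017 matches: the browser on WS-022 checking its IP is normal user activity, and WS-031's lone Telegram contact from Word is worth a look but lacks the lookup-then-exfil sequence, so it is left for a lower-severity rule.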
Although they couldn't confirm it, researchers believe that threats continue to exploit.