The attack group known as APT35, linked to the Iranian government, is leveraging a legitimate function from messaging platform Telegram to track when its phishing pages have been visited by potential victims.
Google’s threat analysis group on Thursday outlined the activity in an overview of new techniques being used by APT35, also known as Phosphorus. Google researchers said that the attack group, known for sending phishing emails to high-value accounts associated with government and national defense, embedded javascript into their phishing landing pages that would notify them when the pages are loaded.
Attackers used the Telegram API sendMessage function, which allows anyone to use a Telegram bot to send a message to a public Telegram channel, in order to track this information.
“The attackers use this function to relay device-based data to the channel, so they can see details such as the IP, useragent, and locales of visitors to their phishing sites in real-time,” Ajax Bash with Google’s threat analysis group said.
Google researchers said that they have detected several campaigns from APT35 this past year. In July, the group was seen attempting to distribute spyware on various platforms. This comes on the heels of the attackers attempting to upload spyware to the Google Play Store in May 2020 via an app disguised as VPN software. The app, which was detected and removed from Google Play before users could install it, would have allowed attackers to steal sensitive data from victims - including call logs, text messages and location data.
APT35 also compromised a website affiliated with a UK university in order to host a phishing kit in early 2021. The attackers then sent various Gmail, Hotmail and Yahoo users phishing emails with links to the website, pretending that the links were invitations to a webinar. Upon clicking the link, victims were asked to enter their credentials in order to activate the invitation.
“The attackers use this function to relay device-based data to the channel, so they can see details such as the IP, useragent, and locales of visitors to their phishing sites in real-time.”
Researchrs have tracked APT35 operations since at least 2014. In 2019, Microsoft researchers said that the group was targeting email accounts belonging to U.S. government officials and people associated with the 2020 presidential campaign. APT35 was also dealt a blow in 2019 when Microsoft announced it took over the group’s infrastructure, assuming control of 99 domains that attackers used in their campaigns.
Previously, Google has also observed APT35 impersonate high-level profiles as part of a lure for their phishing attacks. For instance, the attackers previously sent emails purporting to be conference officials for the Munich Security conference and the Think-20 (T20) conference. In these campaigns, APT35 sent initial emails to the recipients without any malicious link or attachment as a way to gain their trust; then, when the targets responded, attackers sent them phishing links in follow-on correspondence.
“Link shorteners and click trackers are heavily used for this purpose, and are oftentimes embedded within PDF files,” said Bash. “We’ve disrupted attacks using Google Drive, App Scripts, and Sites pages in these campaigns as APT35 tries to get around our defenses. Services from Dropbox and Microsoft are also abused.”
So far this year, Google has seen a spike in the warnings that it sends end users if their accounts are targeted (not necessarily compromised) by government-backed phishing or malware attempts. These have come in part from attackers like APT35, as well as the Russian actor APT28, also known as Fancy Bear.
Google’s threat analysis group, which detects actors involved in disinformation campaigns, government backed hacking and financially motivated abuse, has sent account holders over 50,000 warnings this year - a 33 percent increase from the same time in 2020.
“On any given day, TAG is tracking more than 270 targeted or government-backed attacker groups from more than 50 countries,” said Bash. “This means that there is typically more than one threat actor behind the warnings.”