An Iranian threat group known for going after a wide variety of organizations with high-level espionage campaigns has recently targeted research organizations and universities in several countries that focus on Middle Eastern issues, in some cases deploying a new custom backdoor known as MediaPI.
Microsoft researchers have been tracking the campaign, which began in November and has hit victims in the United States, the UK, Gaza, Israel, and other countries. The campaign is the work of a group that Microsoft refers to as Mint Sandstorm, an attack team associated with Iran’s Islamic Revolutionary Guard Corps. Mint Sandstorm’s activity overlaps with groups that other research teams track as APT35 or Charming Kitten. In this campaign, the attackers have been using their custom backdoor along with phishing lures that the Microsoft researchers say are quite difficult to identify as malicious.
“Operators associated with this subgroup of Mint Sandstorm are patient and highly skilled social engineers whose tradecraft lacks many of the hallmarks that allow users to quickly identify phishing emails. In some instances of this campaign, this subgroup also used legitimate but compromised accounts to send phishing lures. Additionally, Mint Sandstorm continues to improve and modify the tooling used in targets’ environments, activity that might help the group persist in a compromised environment and better evade detection,” Microsoft Threat Intelligence researchers said.
“This group is known to conduct resource-intensive social engineering campaigns that target journalists, researchers, professors, or other individuals with insights or perspective on security and policy issues of interest to Tehran. These individuals, who work with or who have the potential to influence the intelligence and policy communities, are attractive targets for adversaries seeking to collect intelligence for the states that sponsor their activity, such as the Islamic Republic of Iran.”
Mint Sandstorm is a capable, mature group with a variety of techniques and tools at its disposal. The group often relies on phishing and social engineering in its campaigns, and in the most recent one it took advantage of access to compromised, legitimate accounts belonging to people whom the victims already knew and were likely to trust. In some cases, the attackers sent one or more emails with no malicious content in order to build a relationship with the recipient before delivering the malicious payload later on. That payload typically came in the form of a message with a malicious link that eventually led to the download of a malicious file.
Some victims received a VBS file that the Mint Sandstorm attackers used for persistence on compromised machines. The attackers also used two backdoors: MediaPI and MischiefTut. MediaPI is disguised as Windows Media Player and MischiefTut is a PowerShell backdoor that can collect data and send it to the attackers’ C2 server and also download other tools.
In past campaigns, Mint Sandstorm/Phosphorus has targeted medical professionals and other specialized groups of potential victims. The group has continued to evolve and modify its tools and techniques in recent years and is quite capable of gaining access to high-profile targets.