Since November 2023, an Iran based cyber espionage operation named Mind Sandstorm has targeted prominent persons working on Middle Eastern politics at universities and research institutions in Belgium, France, Gaza, Israel, the U.K., and the U.S.
According to a Wednesday investigation by the Microsoft Threat Intelligence team, the threat actor “used bespoke phishing lures in an attempt to socially engineer targets into downloading malicious files,” characterizing it as a “technically and operationally mature subgroup of Mind Sandstorm.”
In several instances, the assaults employ a hitherto undisclosed backdoor called MediaPl, suggesting that Iranian threat actors are continuously working to improve their post-intrusion tactics.
Mint Sandstorm, also known as Charming Kitten, APT35, TA453, and Yellow Garuda, is renowned for its excellent social engineering tactics. To send customized phishing emails to potential targets, the group even uses real but compromised accounts. It is said to be connected to the Islamic Revolutionary Guard Corps (IRGC) of Iran.
According to Redmond, the sub-cluster uses resource-intensive social engineering to identify academics, researchers, journalists, and other people with knowledge of security and policy matters that Tehran is interested in.
The most recent incursion set is distinguished by the use of baits related to the Israel-Hamas conflict, posing as journalists and other well-known figures in order to develop a relationship and earn targets’ confidence before attempting to infect them with malware.
Microsoft stated that the campaign is probably an attempt by the nation-state threat actor to get opinions on war-related incidents.
A novel Mind Sandstorm technique not before seen is the use of compromised accounts belonging to the individuals they attempted to impersonate in order to send the email messages, as well as the use of the curl command to connect to the command-and-control (C2) infrastructure.
If the targets interact with the threat actor, they will receive a follow-up email with a malicious link pointing to a RAR archive file. Opening the file will cause Visual Basic scripts to be downloaded from the C2 server and remain in the targets’ environments.
Custom implants like MischiefTut or MediaPl, the former of which was initially shown by Microsoft in October 2023, are made possible by the attack chains.
MischiefTut is a simple backdoor that runs reconnaissance commands, writes outputs to a text file, and downloads more tools on a compromised machine. It is implemented in PowerShell. The malware was used for the first time in recorded history in late 2022.
Conversely, MediaPl poses as Windows Media Player and is built to send encrypted messages to its C2 server, where it will execute the command(s) it has received from the server.
“Mint Sandstorm continues to improve and modify the tooling used in targets’ environments, activity that might help the group persist in a compromised environment and better evade detection,” Microsoft stated.
“The ability to obtain and maintain remote access to a target’s system can enable Mint Sandstorm to conduct a range of activities that can adversely impact the confidentiality of a system.”
The revelation coincides with the earlier this month revelation by the Dutch newspaper De Volkskrant that Erik van Sabben, an engineer hired by Israel and the United States intelligence services, may have used a water pump to introduce an early version of the now-famous Stuxnet malware into an Iranian nuclear facility in 2007.
