Iranian hackers pose as journalists to push backdoor malware
APT42, an Iranian state-sponsored hacking group also known as Charming Kitten or Yellow Garuda has been spotted impersonating journalists from popular mainstream media titles in an attempt to deliver multi-purpose backdoors to their targets.
A report from Google cybersecurity researchers found the threat actors would first set up email addresses on typosquatted domains, impersonating journalists, NGO representatives, and event organizers.
The impersonated organizations include the Washington Post, The Economist, The Jerusalem Post, Khaleej Times, Azadliq, and others.
Nicecurl and Tamecat
Then, they would reach out to their targets, mostly located in the Middle East, and West, and engage in conversation. After building some credibility, the attackers would share a link to a document relating to a conference, or a news article. The link would redirect the victims to a phishing page where, should they fall for the trap, they can share their login credentials, and even multi-factor authentication (MFA) tokens.
The final step is to use the obtained credentials to infiltrate their target’s corporate network and deploy two backdoors: “Nicecurl” and “Tamecat”.
Nicecurl seems to be the less capable one, allowing for command execution, deploying additional malware, and stealing sensitive data. Tamecat can execute arbitrary PowerShell code and is generally described as more flexible.
The researchers argue that APT42 is linked to Iran’s Islamic Revolutionary Guard Corps Intelligence Organization (IRGC-IO). Over the years it has built a reputation of infamy, having been involved in dozens of high-profile attacks. The researchers first observed it back in 2015, and have apparently engaged in at least 30 different operations.
While the targets may differ, the goal is always the same – to gather important intelligence, vital for the advancement of Iranian state agendas. In that respect, the targets are mostly located in Israel, the United States, and Europe.
Via BleepingComputer
More from TechRadar Pro
APT42, an Iranian state-sponsored hacking group also known as Charming Kitten or Yellow Garuda has been spotted impersonating journalists from popular mainstream media titles in an attempt to deliver multi-purpose backdoors to their targets. A report from Google cybersecurity researchers found the threat actors would first set up email addresses…
