Iranian hackers pose as journalists to push backdoor malware
Hackers impersonate Washington Post journalists, among others
APT42, an Iranian state-sponsored hacking group also known as Charming Kitten or Yellow Garuda has been spotted impersonating journalists from popular mainstream media titles in an attempt to deliver multi-purpose backdoors to their targets.
A report from Google cybersecurity researchers found the threat actors would first set up email addresses on typosquatted domains, impersonating journalists, NGO representatives, and event organizers.
The impersonated organizations include the Washington Post, The Economist, The Jerusalem Post, Khaleej Times, Azadliq, and others.
Nicecurl and Tamecat
Then, they would reach out to their targets, mostly located in the Middle East, and West, and engage in conversation. After building some credibility, the attackers would share a link to a document relating to a conference, or a news article. The link would redirect the victims to a phishing page where, should they fall for the trap, they can share their login credentials, and even multi-factor authentication (MFA) tokens.
The final step is to use the obtained credentials to infiltrate their target’s corporate network and deploy two backdoors: "Nicecurl" and "Tamecat”.
Nicecurl seems to be the less capable one, allowing for command execution, deploying additional malware, and stealing sensitive data. Tamecat can execute arbitrary PowerShell code and is generally described as more flexible.
The researchers argue that APT42 is linked to Iran’s Islamic Revolutionary Guard Corps Intelligence Organization (IRGC-IO). Over the years it has built a reputation of infamy, having been involved in dozens of high-profile attacks. The researchers first observed it back in 2015, and have apparently engaged in at least 30 different operations.
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
While the targets may differ, the goal is always the same - to gather important intelligence, vital for the advancement of Iranian state agendas. In that respect, the targets are mostly located in Israel, the United States, and Europe.
Via BleepingComputer
More from TechRadar Pro
- State-backed Iranian hackers spread malware through links to fake VPN apps
- Here's a list of the best firewalls around today
- These are the best endpoint security tools right now
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.