A group with links to Iran targeted transportation, logistics, and technology sectors in the Middle East, including Israel, in October 2023 amid a surge in Iranian cyber activity since the onset of the Israel-Hamas war.
The attacks have been attributed by CrowdStrike to a threat actor it tracks under the name Imperial Kitten, and which is also known as Crimson Sandstorm (previously Curium), TA456, Tortoiseshell, and Yellow Liderc.
The latest findings from the company build on prior reports from Mandiant, ClearSky, and PwC, the latter of which also detailed instances of strategic web compromises (aka watering hole attacks) leading to the deployment of IMAPLoader on infected systems.
“The adversary, active since at least 2017, likely fulfills Iranian strategic intelligence requirements associated with IRGC operations,” CrowdStrike said in a technical report. “Its activity is characterized by its use of social engineering, particularly job recruitment-themed content, to deliver custom .NET-based implants.”
Attack chains leverage compromised websites, primarily those related to Israel, to profile visitors using bespoke JavaScript and exfiltrate the information to attacker-controlled domains.
Besides watering hole attacks, there’s evidence to suggest that Imperial Kitten resorts to exploitation of one-day exploits, stolen credentials, phishing, and even targeting upstream IT service providers for initial access.
Phishing campaigns involve the use of macro-laced Microsoft Excel documents to activate the infection chain and drop a Python-based reverse shell that connects to a hard-coded IP address for receiving further commands.
Among some of the notable post-exploitation activities entail achieving lateral movement through the use of PAExec, the open-source variant of PsExec, and NetScan, followed by the delivery of the implants IMAPLoader and StandardKeyboard.
Also deployed is a remote access trojan (RAT) that uses Discord for command-and-control, while both IMAPLoader and StandardKeyboard employ email messages (i.e., attachments and email body) to receive tasking and send results of the execution.
“StandardKeyboard’s main purpose is to execute Base64-encoded commands received in the email body,” the cybersecurity company pointed out. “Unlike IMAPLoader, this malware persists on the infected machine as a Windows Service named Keyboard Service.”
The development comes as Microsoft noted that malicious cyber activity attributed to Iranian groups after the start of the war on October 7, 2023, is more reactive and opportunistic.
“Iranian operators [are] continuing to employ their tried-and-true tactics, notably exaggerating the success of their computer network attacks and amplifying those claims and activities via a well-integrated deployment of information operations,” Microsoft said.
“This is essentially creating online propaganda seeking to inflate the notoriety and impact of opportunistic attacks, in an effort to increase their effects.”
The disclosure also follows revelations that a Hamas-affiliated threat actor named Arid Viper has targeted Arabic speakers with an Android spyware known as SpyC23 through weaponized apps masquerading as Skipped and Telegram, according to Cisco Talos and SentinelOne.