Iranian state-sponsored hackers have come up with a new sleazy trick to lure people into downloading malicious attachments, researchers are warning.
Cybersecurity experts from Proofpoint found that the TA453 threat actor, allegedly linked to the Islamic Revolutionary Guard Corps (IRGC), is engaging in “multi-persona impersonation”, or “sock-puppeting”, to lure victims into downloading malware.
In other words, the attackers hold email conversations with themselves while the victims watch from the sidelines, and then trick them into downloading a file that wasn’t even necessarily sent to them.
Faking a conversation
Here’s how it works: the threat actors create multiple fake email accounts, stealing the identities of scientists, directors, and other high-profile individuals. Then they send an email from one of the addresses to the other, CC-ing the victim in the process. A day or two later, they reply to that email from the second address, which also belongs to them.
That way the victim, essentially caught in the middle of an email thread, may lower their guard and get a false sense of legitimacy about the whole exchange. After a short back-and-forth, one of the participants sends an attachment to the other participants, and should the victim download and run it on their endpoint, they end up with a .DOCX file filled with dangerous macros.
The biggest red flag in this campaign is that all of the email accounts used in the attack were created on major email providers, such as Gmail, Outlook, or Hotmail, instead of being on the domains of the impersonated institutions.
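The two observations above (the victim only ever sits on CC of a conversation between other parties, and every "institutional" persona writes from a consumer webmail address) are the kind of thing a mail gateway or a SOC analyst can check mechanically. The script below is an added example, not code from the article or from Proofpoint: it parses a constructed three-message thread with Python's standard `email` library and reports the reasons the thread looks staged. The addresses, names, subject and attachment are placeholders, and the short webmail domain list is an illustrative assumption.

```python
"""Flag an email thread whose conversation looks staged around a CC'd recipient.

Added example, not from the article or the Proofpoint report. The sample thread
below is constructed; all names, addresses and the attachment are placeholders.
"""
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Consumer webmail domains named in the article. Assumption: this short list is
# illustrative only; a real gateway would use a fuller list.
FREE_MAIL_DOMAINS = {"gmail.com", "outlook.com", "hotmail.com"}

# Constructed sample thread: two personas talk to each other, the target is only
# on Cc, and the final reply carries a Word document (contents are filler).
SAMPLE_THREAD = [
    """From: "Dr. Example Researcher" <researcher.example@gmail.com>
To: "Prof. Sample Director" <director.sample@outlook.com>
Cc: "Target Person" <target@university.example>
Subject: Draft for review
Message-ID: <m1@example>

Could you take a look at the draft?
""",
    """From: "Prof. Sample Director" <director.sample@outlook.com>
To: "Dr. Example Researcher" <researcher.example@gmail.com>
Cc: "Target Person" <target@university.example>
Subject: Re: Draft for review
Message-ID: <m2@example>
In-Reply-To: <m1@example>

Happy to, send it over.
""",
    """From: "Dr. Example Researcher" <researcher.example@gmail.com>
To: "Prof. Sample Director" <director.sample@outlook.com>
Cc: "Target Person" <target@university.example>
Subject: Re: Draft for review
Message-ID: <m3@example>
In-Reply-To: <m2@example>
Content-Type: multipart/mixed; boundary="b"

--b
Content-Type: text/plain

Attached.
--b
Content-Type: application/vnd.openxmlformats-officedocument.wordprocessingml.document; name="draft.docx"
Content-Disposition: attachment; filename="draft.docx"

ZmFrZQ==
--b--
""",
]


def addr_domain(addr):
    """Return the lower-cased domain part of an email address."""
    return addr.rsplit("@", 1)[-1].lower()


def attachment_names(msg):
    """Collect attachment filenames from every MIME part of a parsed message."""
    return [part.get_filename() for part in msg.walk() if part.get_filename()]


def analyse_thread(raw_messages, victim):
    """Parse a thread and return its senders, attachments and staging indicators."""
    victim = victim.lower()
    senders = []          # From: addresses in thread order
    cc_only = True        # stays True if the victim is never in a To: header
    attachments = []
    for raw in raw_messages:
        msg = message_from_string(raw)
        _, sender = parseaddr(msg.get("From", ""))
        senders.append(sender.lower())
        to_addrs = {a.lower() for _, a in getaddresses(msg.get_all("To", []))}
        if victim in to_addrs:
            cc_only = False
        attachments += attachment_names(msg)

    reasons = []
    distinct = set(senders)
    if distinct and all(addr_domain(s) in FREE_MAIL_DOMAINS for s in distinct):
        reasons.append("every sender in the thread uses a consumer webmail domain")
    if len(distinct) >= 2 and cc_only:
        reasons.append("the recipient is only CC'd on a conversation between other parties")
    docs = [n for n in attachments if n.lower().endswith((".doc", ".docx", ".docm"))]
    if docs and cc_only:
        reasons.append("a Word document arrived in a thread never addressed to the recipient: "
                       + ", ".join(docs))
    return {"senders": sorted(distinct), "attachments": attachments, "reasons": reasons}


if __name__ == "__main__":
    result = analyse_thread(SAMPLE_THREAD, "target@university.example")
    for reason in result["reasons"]:
        print("WARNING:", reason)
```

None of the three indicators is proof on its own (legitimate colleagues also use Gmail and CC people), which is why the function returns the reasons rather than a verdict; a gateway would combine them with sender reputation and attachment analysis before deciding whether to quarantine the message or just tag it for the recipient.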
“The downloaded template, dubbed Korg by Proofpoint, has three macros: Module1.bas, Module2.bas, and ThisDocument.cls,” the researchers explained. “The macros collect information such as username, list of running processes along with the user’s public IP from my-ip.io and then exfiltrate that information using the Telegram API.”
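The behaviour described in that quote leaves a recognisable network footprint: a Word process looking up its public IP at my-ip.io and then talking to the Telegram API. The script below is an added example, not code from the article or from Proofpoint, showing how a proxy or endpoint network log could be scanned for that sequence. The log lines are constructed, the log format is an assumption, and `api.telegram.org` is the Telegram Bot API host (the article only says "the Telegram API").

```python
"""Flag Office processes that contact the hosts named in the Korg macro description.

Added example, not from the article or the Proofpoint report. The log format and
the log lines are constructed; only the two destination hosts are taken from the
report's description (api.telegram.org being the Telegram Bot API host).
"""
import re

# Destination hosts tied to the described macro behaviour.
SUSPECT_HOSTS = {
    "my-ip.io": "public IP lookup",
    "api.telegram.org": "exfiltration via the Telegram API",
}

# Document-editing processes that should not normally talk to either host.
OFFICE_PROCESSES = {"winword.exe", "excel.exe", "powerpnt.exe"}

# Constructed sample log (assumed format: timestamp host= proc= dst= port=).
SAMPLE_LOG = """\
2022-01-01T10:02:11Z host=ws01 proc=chrome.exe dst=www.example.com port=443
2022-01-01T10:04:40Z host=ws01 proc=WINWORD.EXE dst=my-ip.io port=443
2022-01-01T10:04:43Z host=ws01 proc=WINWORD.EXE dst=api.telegram.org port=443
2022-01-01T10:05:01Z host=ws02 proc=outlook.exe dst=outlook.office365.com port=443
2022-01-01T10:06:30Z host=ws03 proc=telegram.exe dst=api.telegram.org port=443
2022-01-01T10:07:12Z host=ws04 proc=EXCEL.EXE dst=my-ip.io port=443
"""

LINE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) proc=(?P<proc>\S+) dst=(?P<dst>\S+) port=(?P<port>\d+)$"
)


def parse_log(text):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in text.splitlines():
        match = LINE.match(line.strip())
        if match:
            yield match.groupdict()


def find_office_exfil(text):
    """Group suspect connections per (host, process) and grade them.

    Severity is "high" when the same Office process on the same host reached
    both the IP-lookup host and the Telegram API, i.e. the full described
    sequence, and "medium" when only one of the two was contacted.
    """
    hits = {}
    for event in parse_log(text):
        proc = event["proc"].lower()
        dst = event["dst"].lower()
        if proc in OFFICE_PROCESSES and dst in SUSPECT_HOSTS:
            hits.setdefault((event["host"], proc), []).append(event)

    alerts = []
    for (host, proc), events in sorted(hits.items()):
        destinations = sorted({e["dst"].lower() for e in events})
        severity = "high" if set(destinations) == set(SUSPECT_HOSTS) else "medium"
        alerts.append({
            "host": host,
            "proc": proc,
            "destinations": destinations,
            "why": [SUSPECT_HOSTS[d] for d in destinations],
            "severity": severity,
            "first_seen": events[0]["ts"],
        })
    return alerts


if __name__ == "__main__":
    for alert in find_office_exfil(SAMPLE_LOG):
        print(f"[{alert['severity']}] {alert['host']} {alert['proc']} -> {alert['destinations']}")
```

The grouping matters: a Telegram desktop client reaching api.telegram.org is routine, and a single public-IP lookup from a document could be a false positive, but a Word process doing both in sequence on one workstation is exactly the chain the researchers describe and is worth an immediate look at that host.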
Although they couldn’t verify it, the researchers believe the threat actors carry out additional exploitation further down the road.