Iranian hackers linked to file-encrypting malware attacks

Iranian APT Cobalt Mirage launches ransomware attacks targeting US organizations

Iranian hackers launched targeted campaigns that deployed ransomware using legitimate encryption tools

An Iranian state-sponsored threat group has been linked to ransomware attacks targeting entities in Israel, the US, Europe, and Australia. Secureworks researchers discovered the intrusions and attributed them to a threat actor they track as Cobalt Mirage.[1] Secureworks links this crew to the Iranian group Cobalt Illusion, which is also known as APT35, Charming Kitten, and Phosphorus.[2]

The researchers describe two clusters of activity. In the first, the actors deploy ransomware using legitimate full-disk encryption tools such as BitLocker and DiskCryptor, apparently for financial gain.[3] The second cluster consists of more targeted intrusions whose goal is to secure access and gather intelligence, with ransomware deployed in only some of the instances.

The researchers could not establish, however, how the ransomware was actually triggered in the incidents they observed. Secureworks detailed its analysis of one intrusion from January 2022 that targeted an unnamed US philanthropic organization.

Exploiting known flaws for initial access

Initial access comes from scanning internet-facing servers for hosts that are still exposed to highly publicized vulnerabilities, in particular flaws in Fortinet appliances and Microsoft Exchange servers.[4] Once a vulnerable host is found, the actors drop web shells that serve as a conduit for lateral movement and for staging the payloads that follow.

A second intrusion relied on another well-known flaw: in March 2022 the group exploited the Log4Shell vulnerability in VMware Horizon servers on the network of a US local government. That activity consisted mainly of reconnaissance and network scanning.

According to the researchers, the January and March intrusions illustrate the two different styles of activity typical of the Cobalt Mirage APT group. The actors manage to gain initial access to a wide range of targets, but their ability to turn that access into financial gain or intelligence appears limited.

Iranian hackers APT34 use anti-detection techniques

Cobalt Mirage was not the only Iranian hacker group making headlines. APT34, also known as OilRig, has been linked to a new attack on a Jordanian diplomat that used purpose-built tools.[5] The attack relied on advanced anti-detection and anti-analysis methods and showed signs of careful, in-depth preparation.

Evidence gathered by malware researchers shows the attack took place this month, and the reports highlight the methods APT34 now uses. A spear-phishing email, pretending to come from a colleague in the government, was aimed at tricking the Jordanian diplomat.

The email carried a malicious Excel attachment laced with VBA macro code. Once the macro runs, it creates three files: a malicious executable, a configuration file, and a clean, signed DLL. The macro also registers a scheduled task that repeats every four hours, so the malicious executable stays persistent on the machine.

The macro also implements two anti-analysis routines. Both data exfiltration and the dropping of the backdoor are initiated through PowerShell or the Windows command prompt (cmd). The group has been linked to the Iranian government and builds its tooling to operate quietly and leave few traces, which is the most worrying feature for potential targets.
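The persistence step described above (a scheduled task that re-runs the dropped executable every four hours) is something a defender can hunt for. The following is an added example, not code from the article or from the researchers it cites: it parses Task Scheduler XML exports (the format produced by `schtasks /query /xml` or `Export-ScheduledTask`), flags tasks whose repetition interval is four hours and whose executable lives outside the Windows or Program Files directories, and runs over three task definitions constructed here for the demonstration. The task names, paths and interval values in the samples are assumptions, not indicators from any report.

```python
"""Hunt for scheduled tasks that re-run a binary every four hours from a
user-writable location, the persistence pattern described in the article.

Added example; not code from the article or the cited researchers. The task
definitions in SAMPLE_TASKS are constructed for this demo.
"""
import re
import xml.etree.ElementTree as ET

# Default namespace used by Task Scheduler XML exports.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Directories where installer-placed task binaries normally live.
TRUSTED_PREFIXES = (
    r"c:\windows\system32",
    r"c:\windows\syswow64",
    r"c:\program files",
    r"c:\program files (x86)",
)

# Environment variables commonly seen in task commands; anything left
# unexpanded (e.g. %APPDATA%, %TEMP%) falls outside the trusted prefixes.
ENV = {
    "%systemroot%": r"c:\windows",
    "%windir%": r"c:\windows",
    "%programfiles%": r"c:\program files",
    "%programfiles(x86)%": r"c:\program files (x86)",
}


def parse_iso_interval_minutes(value):
    """Convert an ISO-8601 duration as used by Task Scheduler (PT4H, PT30M,
    P1DT2H) into minutes. Returns None for anything it cannot parse."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?",
                     value.strip())
    if not m:
        return None
    days, hours, mins, secs = (int(x) if x else 0 for x in m.groups())
    return days * 1440 + hours * 60 + mins + secs / 60


def normalize_command(cmd):
    """Lower-case, strip quotes and expand the variables in ENV."""
    p = cmd.strip().strip('"').lower()
    for var, val in ENV.items():
        p = p.replace(var, val)
    return p


def task_findings(xml_text, suspicious_interval_minutes=240):
    """Inspect one task definition. Returns a dict with:
    interval_match    - True if any trigger repeats at the suspicious interval
    untrusted_commands - action executables outside TRUSTED_PREFIXES"""
    root = ET.fromstring(xml_text)
    interval_match = False
    for el in root.iterfind(".//t:Repetition/t:Interval", NS):
        if parse_iso_interval_minutes(el.text or "") == suspicious_interval_minutes:
            interval_match = True
    untrusted = []
    for exe in root.iterfind(".//t:Actions/t:Exec", NS):
        cmd = exe.findtext("t:Command", default="", namespaces=NS) or ""
        norm = normalize_command(cmd)
        if norm and not norm.startswith(TRUSTED_PREFIXES):
            untrusted.append(cmd.strip())
    return {"interval_match": interval_match, "untrusted_commands": untrusted}


def hunt(tasks):
    """Names of tasks matching both halves of the pattern, sorted."""
    return sorted(name for name, xml_text in tasks.items()
                  if task_findings(xml_text)["interval_match"]
                  and task_findings(xml_text)["untrusted_commands"])


# Constructed sample exports: a benign vendor updater, a benign system task
# that happens to use a four-hour interval, and the pattern we are hunting.
XMLNS = 'xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task"'
SAMPLE_TASKS = {
    r"\Vendor\VendorUpdate": rf"""<Task version="1.4" {XMLNS}>
  <Triggers><TimeTrigger><StartBoundary>2022-01-01T00:00:00</StartBoundary>
  <Repetition><Interval>PT1H</Interval></Repetition></TimeTrigger></Triggers>
  <Actions><Exec><Command>"C:\Program Files\Vendor\update.exe"</Command></Exec></Actions>
</Task>""",
    r"\Backup": rf"""<Task version="1.4" {XMLNS}>
  <Triggers><TimeTrigger><StartBoundary>2022-01-01T00:00:00</StartBoundary>
  <Repetition><Interval>PT4H</Interval></Repetition></TimeTrigger></Triggers>
  <Actions><Exec><Command>%SystemRoot%\System32\wbadmin.exe</Command></Exec></Actions>
</Task>""",
    r"\SystemStatusCheck": rf"""<Task version="1.4" {XMLNS}>
  <Triggers><CalendarTrigger><StartBoundary>2022-05-02T09:00:00</StartBoundary>
  <Repetition><Interval>PT4H</Interval><Duration>P1D</Duration></Repetition>
  <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay></CalendarTrigger></Triggers>
  <Actions><Exec><Command>%LOCALAPPDATA%\Microsoft\Update\svchost.exe</Command>
  <Arguments>-c %LOCALAPPDATA%\Microsoft\Update\config.ini</Arguments></Exec></Actions>
</Task>""",
}

if __name__ == "__main__":
    for name in hunt(SAMPLE_TASKS):
        print("suspicious task:", name, task_findings(SAMPLE_TASKS[name]))
```

Only the task that both repeats every four hours and launches from a non-standard path is reported; the backup task with the same interval but a System32 binary is left alone, which keeps the hunt usable on a fleet where hourly or four-hourly updaters are common. On a real host, feed it the output of `schtasks /query /xml` for each task rather than the constructed samples.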

About the author
Ugnius Kiguolis
Ugnius Kiguolis is a professional malware analyst and the founder and owner of 2-Spyware. He currently serves as its Editor-in-Chief.
