High-profile individuals working on Middle Eastern affairs at universities and research organizations in Belgium, France, Gaza, Israel, the UK and the US have been targeted by an Iranian cyber espionage group called Mind Sandstorm since November 2023.
The threat actor “used bespoke phishing lures in an attempt to socially engineer targets into downloading malicious files,” the Microsoft Threat Intelligence team said in a Wednesday analysis, describing it as a “technically and operationally mature subgroup of Mind Sandstorm.”
In select cases, the attacks have included the use of a previously undocumented backdoor called MediaPl, indicating ongoing efforts by Iranian threat actors to refine post-intrusion trading skills.
Mint Sandstorm, also known as APT35, Charming Kitten, TA453, and Yellow Garuda, is known for its adept social engineering campaigns, even resorting to legitimate but compromised accounts to send bespoke phishing emails to prospective targets. It’s assessed to be affiliated with Iran’s Islamic Revolutionary Guard Corps (IRGC).
According to Redmond, the sub-cluster engages in resource-intensive social engineering to isolate journalists, researchers, professors, and other individuals who have insight on security and policy issues of interest to Tehran.
The latest intrusion set is characterized by the use of lures pertaining to the Israel-Hamas war, sending innocuous emails under the guise of journalists and other high-profile individuals to build rapport with targets and establish a level of trust before attempting to deliver malware to targets.
Microsoft said it was possible the campaign was an effort by a nation-state threat actor to collect perspectives on war-related incidents.
The use of breached accounts belonging to the people they sought to impersonate in order to send the email messages is a new Mind Sandstorm tactic not seen before, as is its use of the curl command to connect to the command-and-control (C2) infrastructure.
Should the targets engage with the threat actor, they are sent a follow-up email containing a malicious link that points to a RAR archive file, which, when opened, leads to the retrieval of Visual Basic scripts from the C2 server to persist within the targets’ environments.
The attack chains pave the way for custom implants like MischiefTut or MediaPl, the former of which was first disclosed by Microsoft in October 2023.
Implemented in PowerShell, MischiefTut is a basic backdoor that can run reconnaissance commands, write output to a text file, and download additional tools onto a compromised system. The first recorded use of the malware occurred in late 2022.
MediaPl, on the other hand, is disguised as Windows Media Player and is designed to transmit encrypted communications to its C2 server and launch commands received from the server.
“Mint continues to improve and modify the tooling used in Sandstorm target environments, activity that may help the group better detect and survive in a compromised environment,” Microsoft said. “
“The ability to gain and maintain remote access to a target’s systems could enable Mint Sandstorm to conduct a variety of activities that could adversely impact the confidentiality of the system.”
The disclosure comes as Dutch newspaper De Volkskrant revealed earlier this month that Erik van Sabben, a Dutch engineer recruited by Israel and US intelligence services, may have used a water pump to deploy an early variant of the now-infamous Stuxnet malware in an Iranian nuclear facility sometime in 2007.
