Cyberwarfare / Nation-State Attacks , Fraud Management & Cybercrime , Geo Focus: Asia

Iranian Hackers Target Mediterranean Shipping, Logistics Firms

Hackers Used Watering Hole Attacks to Identify High-profile Targets for Espionage
Iranian Hackers Target Mediterranean Shipping, Logistics Firms

An Iranian state-backed persistent threat group used a combination of malicious Javascript, phishing emails and .NET malware to conduct espionage attacks on maritime, shipping and logistics companies in the Mediterranean region.

See Also: The Impact of Ransomware: On State and Local Government 2022

Security researchers at PriceWaterhouseCoopers reported the Iranian threat group, tracked by PwC as Yellow Liderc, employed watering hole tactics between 2022 and 2023 to identify and surveil people working at logistics, shipping and maritime organizations in the Mediterranean region. A watering hole attack involves malicious actors poisoning a legitimate website with malware to compromise devices that visit the site.

The threat group, commonly known as TA456, Crimson Sandstorm, Tortoiseshell or Imperial Kitten, compromised several legitimate websites and embedded malicious Javascript that could track website visitors, capture device information, location data and time of visits.

First discovered in 2018, TA456 has been conducting espionage operations targeting defense, aviation, automotive, aerospace, maritime and IT sectors worldwide to collect intelligence for the benefit of the Iranian state. Security researchers say the group is connected with the Islamic Revolutionary Guard Corps and, according to Proofpoint, TA456 uses the Tehran-based company Mahak Rayan Afraz as a front organization to communicate with the IRGC.

Facebook's threat intelligence team in 2021 said it disrupted a TA456 cyberespionage operation in which the group attempted to use the social network to target military personnel and companies in the defense and aerospace industries in the U.S. (see: Facebook Disrupts Iranian APT Campaign).

According to PwC researchers, once the threat group identified high-value targets using Javascript in legitimate websites, targeting them individually with a .NET-based malware dubbed IMAPLoader that uses a new injection technique, downloads additional malware and leverages email as a command-and-control channel to communicate with its operators.

TA456 used the new injection technique, called AppDomain Manager Injection, to force a Microsoft .NET application to load the malware, which was crafted as a .NET assembly. When executed, the malware extracts its path, hides the Windows Console window from view and queries email addresses and passwords hardcoded in the DLL to communicate with the attackers, receive commands and exfiltrate information captured from the host machine.

"While we have previously observed the threat actor developing .NET malware, which uses similar email-based C2 channels and hard-coded commands to gain information about the victim's environment, IMAPLoader is executed via the 'AppDomain Manager Injection' technique, a technique we have not observed Yellow Liderc using before, which shows an evolution of this threat actors tools and techniques," the PwC threat research team said.

Researchers also observed TA456 using several phishing domains, some of which were themed around Microsoft accounts and some aimed at the travel and hospitality sectors within Europe. PwC believes the scope of this campaign is to target a wide range of people and organizations beyond the Mediterranean region.

In the lattest campaign, threat actors spoofed Microsoft login pages to capture credentials and used phishing techniques to serve macro-enabled Excel documents that drop a VBScript. When opened, the script displays a decoy document to attract the victim's interest while silently downloading macros to the disk.

"Analysis of IMAPLoader shows an evolution of the threat actor's tools which will likely continue to evolve, as the threat actor stays focused on targeting a variety of sectors and regions which align with its strategic interests," PwC added.

About the Author

Jayant Chakravarti

Jayant Chakravarti

Senior Editor, APAC

Chakravarti covers cybersecurity developments in the Asia-Pacific region. He has been writing about technology since 2014, including for Ziff Davis.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.