An Iranian threat group that has a reputation for using sophisticated espionage operations to target a wide range of organizations has recently targeted universities and research centers that concentrate on Middle Eastern issues in several different countries. In some of these cases, the group has deployed a new custom backdoor called MediaPI.
The campaign, which started in November and has affected victims in the US, UK, Gaza, Israel, and other nations, has been monitored by Microsoft researchers. The campaign is the product of an attack team connected to Iran’s Islamic Revolutionary Guard Corps, which Microsoft refers to as Mint Sandstorm.
The activities of Mint Sandstorm overlap with those of organizations known by other research teams as Charming Kitten or APT35. According to Microsoft researchers, the attackers in this campaign have been using both their own backdoor and phishing lures, which can be challenging to recognize as malicious.
Operators connected to this Mint Sandstorm subgroup are extremely skilled and patient social engineers whose tradecraft lacks many of the characteristics that let users recognize phishing emails quickly. During this campaign, the subgroup sent phishing lures from accounts that had been compromised but were otherwise legitimate. Researchers from Microsoft Threat Intelligence stated that Mint Sandstorm also keeps enhancing and modifying the tools it uses in targets’ environments, which could help the group persist in a compromised environment and better evade detection.
The group is known for carrying out resource-intensive social engineering efforts aimed at journalists, scholars, educators, and other individuals with perspectives or insights on security and policy matters of significance to Tehran. These people are desirable targets for adversaries gathering intelligence for the governments that fund their operations, such as the Islamic Republic of Iran, because they are involved in or can influence the intelligence and policy communities.
Mint Sandstorm is a skilled, experienced group with a wide range of methods and resources at its disposal. The group frequently uses social engineering and phishing in its operations; in its most recent campaign, it exploited access to compromised, authentic accounts belonging to well-known individuals whom the group’s victims would probably know and trust. Occasionally, the group would first send one or more emails containing nothing malicious to establish rapport with the recipient, then deliver the malicious payload later. Usually, the payload took the form of a message containing a malicious link that would eventually download a malicious file.
Some victims were sent a VBS file that the Mint Sandstorm attackers used to maintain persistence on infected machines. The attackers also used two additional backdoors, MediaPI and MischiefTut. MediaPI masquerades as Windows Media Player, while MischiefTut is a PowerShell backdoor that can collect data, send it to the attackers’ C2 server, and download additional tools.
Previous Mint Sandstorm/Phosphorus campaigns have targeted other specialized groups of potential victims, such as medical professionals. The group can get access to high-profile targets because it has continuously improved and modified its tools and techniques in recent years.
APT “Mint Sandstorm” swiftly takes advantage of fresh PoC exploits
Mint Sandstorm, an advanced persistent threat (APT) group, has perfected the art of weaponizing public proof-of-concept (PoC) exploits and launching attacks before organizations can patch the underlying vulnerabilities.
Microsoft claims that the APT Mint Sandstorm is a combination of multiple subgroups connected to an intelligence branch of Iran’s Revolutionary Guard Corps and is supported by the Iranian government. According to researchers, Mint Sandstorm, also referred to as Phosphorus, is an expert at breaking into high-value targets and stealing confidential data.
Researchers said that the subgroup switched from reconnaissance to direct targeting of vital U.S. infrastructure, such as transit systems, energy companies, seaports, and “a major U.S. utility and gas entity potentially in support of retaliatory destructive cyberattacks.” Attacks started in late 2021 and continued until mid-2022, during which time their frequency and scope progressively increased.
Microsoft claimed that up until this year, the subgroup was sluggish to adopt newly disclosed vulnerabilities. However, starting in 2023, Mint Sandstorm rapidly added public PoCs to its toolkit. One example is the Zoho ManageEngine vulnerability CVE-2022-47966, for which a proof of concept was published on January 19.
Mint Sandstorm started launching attacks the same day the PoC was made public. Furthermore, the group exploited Aspera Faspex’s CVE-2022-47986 within five days of the PoC’s public disclosure on February 2.
The Microsoft researchers observed that although the group quickly adds new PoCs to its playbook, Mint Sandstorm still exploits older vulnerabilities such as Log4Shell on unpatched devices.
The Cybersecurity and Infrastructure Security Agency has reported that adversaries frequently create exploits within 48 hours of a vendor update being released, knowing that it can take large organizations up to 60 days on average to test and deploy patches. Phil Neray, vice president of cyber defense strategy at CardinalOps, made this observation.
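To make the timing argument above concrete, here is an added example (not code from the article, Microsoft, or CISA) that models the PoC-to-exploitation windows reported for the two CVEs against the 60-day patch cycle. The year 2023, the patch dates, and the exact first-exploitation day for CVE-2022-47986 (the upper bound of "within five days") are constructed assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Average large-organization patch cycle cited above (CISA figure).
PATCH_CYCLE_DAYS = 60


@dataclass
class VulnRecord:
    cve: str
    poc_published: date          # day a public PoC appeared
    first_exploited: date        # day this actor was first observed using it
    patched_on: Optional[date]   # when our environment was patched; None if not yet


# Constructed sample records: month/day values follow the article, the year,
# patch dates and the Feb 7 exploitation day are assumptions.
SAMPLE = [
    VulnRecord("CVE-2022-47966", date(2023, 1, 19), date(2023, 1, 19), date(2023, 1, 25)),
    VulnRecord("CVE-2022-47986", date(2023, 2, 2), date(2023, 2, 7), None),
]


def days_to_exploit(rec: VulnRecord) -> int:
    """Days between PoC publication and the first observed exploitation."""
    return (rec.first_exploited - rec.poc_published).days


def exposure_window(rec: VulnRecord, as_of: date) -> int:
    """Days from PoC publication until our patch landed (or until as_of if unpatched)."""
    end = rec.patched_on or as_of
    return max((end - rec.poc_published).days, 0)


def exploited_before_patch(rec: VulnRecord) -> bool:
    """True when the actor's first use predates our patch, or we are still unpatched."""
    return rec.patched_on is None or rec.first_exploited < rec.patched_on


def triage(records, as_of: date, cycle_days: int = PATCH_CYCLE_DAYS) -> dict:
    """Per-CVE report: how fast the PoC was weaponized, how long we were exposed,
    and whether a cycle of `cycle_days` would have closed the hole in time."""
    report = {}
    for rec in records:
        tte = days_to_exploit(rec)
        report[rec.cve] = {
            "days_poc_to_exploit": tte,
            "exposure_days": exposure_window(rec, as_of),
            "exploited_before_patch": exploited_before_patch(rec),
            "cycle_fast_enough": cycle_days <= tte,  # 60 days never beats a 0-5 day window
        }
    return report
```

Any record with a public PoC and `cycle_fast_enough` false should be treated as an out-of-cycle emergency patch rather than left to the normal schedule.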
Professionals in cybersecurity stated that they were unsurprised by how rapidly Iranian nation-state actors were taking advantage of PoCs.
According to Vulcan Cyber’s Mike Parkin, a senior technical engineer, “[Microsoft’s] recommendations are also solid.” However, cybersecurity experts have always advised ‘patch and harden’. All we need is for people to pay attention and act.
Microsoft has introduced a new naming taxonomy for threat actors, which includes the name Mint Sandstorm.
Under the new naming convention, nation-state groups are given a “family name” based on a weather event; for instance, suspected Iranian threat groups carry the “Sandstorm” family name, and suspected Russian threat groups are called “Blizzard.” Groups suspected of being affiliated with North Korea are called “Sleet,” and APTs thought to have connections to China are called “Typhoon.”