ICNA

Iranian Cyber News Agency

Iran hacker

Imperial Kitten

List of names used by the industry:

  • Crimson Sandstorm
  • CURIUM
  • Houseblend
  • Tortoise Shell
  • Yellow Liderc
  • TA456

Date founded:

The group has been active since at least 2017 but was first reported in September 2019.

Affiliation:

Iran-nexus “threat cluster” that is linked to the Islamic Revolutionary Guard Corps (IRGC).

Social media handles/websites:

N/A

Previous operations:

The group focuses on long-term espionage and strategic intelligence collection targeting maritime, shipping and logistics, transportation, aerospace and defense, IT services and consulting organizations.

They operate with a strong focus on the Middle East (primarily Israel) and supply chain targets. Their intelligence collection focus is consistent with IRGC requirements.

The group does not publicly announce its activities, but several campaigns and activities have been attributed to it:

In 2021, a variety of long-running, highly patient social-engineering campaigns targeting IT and engineering firms that support US defense and intelligence customers were attributed to the group. The campaigns were supply-chain driven, aiming to compromise smaller suppliers in order to eventually access large defense contractors and their customers. In some situations, the threat actor

The group built networks of fictitious social media personas (most notably a persona named “Marcella Flores”), used sustained private communications over social media (such as LinkedIn and Facebook), and primed targets with benign content (videos, links, documents) over many months before delivering malicious files. Their targets often believed they were interacting with a real person. Threat intelligence companies linked these campaigns to the “LEMPO” malware, which established persistence, performed reconnaissance, and exfiltrated sensitive data.

The group’s typical playbook for these complex social engineering attacks has been described as follows:
• Masquerade as an attractive woman on social media.
• Establish a connection with a target user via LinkedIn, Facebook, etc.
• Chat with the target daily.
• Send benign videos of the woman to the target to prime them to lower their guard.
• Send malicious files to the target similar to the benign files previously sent.
• Request that the target user open the malicious document.
• Exfiltrate data from the victim machine.

Notably, the process above would take multiple months from the initial connection to the delivery of the malicious payload. This is one of the reasons why the group has been described as one of the most determined Iran-nexus threat actors (due to its significant patience when targeting users).

In 2022, the group used a variety of strategic web compromises (watering holes) to profile visitors (initially using Matomo analytics) and began serving targeted payloads to high-value visitors. Other threat intelligence indicates the group used Python-based implants and credential-stealer activity in this timeframe.

Towards the end of 2022, telemetry identified early variants of the group’s custom post-exploitation payload “IMAPLoader” used in phishing campaigns with a job recruitment theme. Emails carried a malicious Microsoft Excel payload that dropped JobTitle.dll, which was then used to create sign.dll (a variant of IMAPLoader). A notable characteristic was that IMAPLoader used hardcoded Yandex mailboxes, polling specifically named folders for attachments that contained follow-on payloads. The attacker moved laterally across the network using tools such as PAExec and NetScan, and ProcDump was used to obtain credentials from system memory.

Continuing into 2023, multiple compromised websites and domains were used to profile visitors and serve payloads across the maritime, shipping, logistics and related industries. The group continued using job-recruitment themed phishing campaigns. The group consolidated a dual approach of targeted watering-holes to reach specific visitors plus broad phishing to reach a wider audience.

In October 2023, the group increased activity against Israeli and regional targets. Industry threat intelligence reported continued use of the IMAPLoader alongside new tools including StandardKeyboard (a .NET implant that persists as a Windows service named “Keyboard Service” and uses email for C2 communication), and a Discord-C2 RAT used in at least one campaign.

In 2024, Microsoft published research indicating the group used generative AI tools and large language models (LLMs) to assist with the creation of social-engineering content, troubleshooting development errors, and researching .NET development and evasion techniques on compromised systems.

Tactics/Techniques/Tradecraft/Procedures (TTPs):

• Persona-based social engineering: long-running fictitious social media accounts to befriend and prime targets (supply-chain focus).
• Spearphishing/job-recruitment lures with macro-enabled Office attachments and XLL plugins.
• Strategic website compromise (watering hole) using JavaScript/Matomo to fingerprint visitors before selective targeting.
• Credential Harvesting via phishing pages and compromised web redirects.
• Initial access via stolen VPN credentials, one-day exploits and SQL injection.
• On-host staged build/compile: dropping source.cs and invoking csc.exe to produce malicious .NET assemblies.
• Host injection using AppDomain Manager Injection to load malicious .NET assemblies.
• Mail based C2: IMAP/SMTPS for tasking, attachment delivery and exfiltration (common use of Yandex mailboxes).
• Alternate C2 channels: Python raw socket reverse shells and Discord based RATs.
• Persistence via scheduled tasks and masqueraded task names, Windows services and Registry Run keys (e.g., StandardPS2Key).
• Lateral movement with remote execution tools (PAExec), network scanning (NetScan) and credential harvesting (ProcDump/LSASS dumping).
• Data staging and exfiltration over C2 channels (mail attachments, raw sockets).
• Defense evasion: masquerading as Microsoft services/files, fixed/forged timestamps, obfuscated addresses/strings and repeated infrastructure reuse.
• Infrastructure operations: rapid acquisition and rotation of VPS, domains and hosting (used for SWC, phishing and C2).
• Adoption of Artificial Intelligence including large language models to craft social engineering content and troubleshoot development/evasion.
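Several of the host-level behaviours in the list above are concrete enough to hunt for in endpoint telemetry: a csc.exe compile of a dropped source.cs, a service called “Keyboard Service”, a Run value named StandardPS2Key, PAExec/NetScan/ProcDump execution, and IMAP/SMTPS traffic from a process that is not a mail client. The script below is an added example written for this profile, not code from the page or from any of the vendors it cites; it triages a handful of constructed telemetry records against those indicators. The record schema, the sample paths and hostnames, and the mail-client allow-list are assumptions made for the example.

```python
"""Triage of constructed Windows host telemetry against the indicators this profile lists:
an on-host csc.exe compile of source.cs, the "Keyboard Service" service, the StandardPS2Key
Run value, PAExec/NetScan/ProcDump execution, and IMAP/SMTPS traffic from a non-mail process.
Added example, not code from the page or any vendor; the record schema, the sample records,
the mail-client allow-list and the hostnames used are assumptions."""

import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    record_id: int
    technique: str
    detail: str


# Tooling the profile associates with lateral movement and credential harvesting.
LATERAL_TOOLS = {"paexec.exe", "netscan.exe", "procdump.exe"}
# Processes expected to speak IMAP/SMTPS; anything else on these ports deserves a look (assumption).
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}
MAIL_PORTS = {993, 465}  # IMAPS and SMTPS, the mail-based C2 channels the profile describes


def _basename(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def triage(records):
    """Return one Finding for every record that matches one of the profile's indicators."""
    findings = []
    for rec in records:
        rid, kind = rec["id"], rec["type"]
        if kind == "process":
            image = _basename(rec["image"])
            cmd = rec.get("cmdline", "")
            # On-host staged build: csc.exe compiling a dropped source.cs into an assembly.
            if image == "csc.exe" and re.search(r"\bsource\.cs\b", cmd, re.I):
                findings.append(Finding(rid, "on-host compile", cmd))
            elif image in LATERAL_TOOLS:
                detail = image
                if image == "procdump.exe" and re.search(r"\blsass\b", cmd, re.I):
                    detail = "procdump.exe dumping lsass"
                findings.append(Finding(rid, "lateral movement / credential access", detail))
        elif kind == "service":
            # StandardKeyboard persists as a service named "Keyboard Service".
            if rec["name"].strip().lower() == "keyboard service":
                findings.append(Finding(rid, "persistence (service)", rec["image"]))
        elif kind == "registry":
            in_run_key = rec["key"].lower().endswith("\\currentversion\\run")
            if in_run_key and rec["value_name"].lower() == "standardps2key":
                findings.append(Finding(rid, "persistence (run key)", rec["data"]))
        elif kind == "network":
            image = _basename(rec["image"])
            if rec["dst_port"] in MAIL_PORTS and image not in MAIL_CLIENTS:
                findings.append(Finding(rid, "mail-based C2", f"{image} -> {rec['dst_host']}:{rec['dst_port']}"))
    return findings


def summarize(findings):
    """Count findings per technique so an analyst can see which intrusion stages are present."""
    return dict(Counter(f.technique for f in findings))


# Constructed telemetry; ids, paths and hosts are invented for the example.
SAMPLE_RECORDS = [
    {"id": 1, "type": "process", "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "cmdline": r"csc.exe /target:library /out:C:\Users\Public\sign.dll C:\Users\Public\source.cs"},
    {"id": 2, "type": "process", "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe notes.txt"},
    {"id": 3, "type": "service", "name": "Keyboard Service", "image": r"C:\ProgramData\kbd\StandardKeyboard.exe"},
    {"id": 4, "type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value_name": "StandardPS2Key", "data": r"C:\ProgramData\kbd\ps2.exe"},
    {"id": 5, "type": "process", "image": r"C:\Users\Public\procdump.exe",
     "cmdline": r"procdump.exe -ma lsass.exe C:\Users\Public\l.dmp"},
    {"id": 6, "type": "network", "image": r"C:\Users\Public\update.exe", "dst_host": "imap.yandex.com", "dst_port": 993},
    {"id": 7, "type": "network", "image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "dst_host": "outlook.office365.com", "dst_port": 993},
    {"id": 8, "type": "process", "image": r"C:\Users\Public\paexec.exe", "cmdline": r"paexec.exe \\fileserver01 -s cmd.exe"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_RECORDS):
        print(f"record {f.record_id}: {f.technique}: {f.detail}")
    print(summarize(triage(SAMPLE_RECORDS)))
```

Run against the sample set, six of the eight records are flagged (the notepad.exe launch and the Outlook IMAP session are left alone), and the summary shows every stage from on-host compile through persistence, credential access and mail-based C2. The service and Run-value names are taken from the profile; the other checks are behavioural, so the mail-port rule in particular should be tuned to whatever legitimately speaks IMAP in a given environment.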

Sources:

  • Proofpoint.com/us/blog/threat-insight/i-knew-you-were-trouble-ta456-targets-defense-contractor-alluring-social-media
  • Techtarget.com/searchSecurity/news/366569937/Microsoft-OpenAI-warn-nation-state-hackers-are-abusing-LLMs
  • Thehackernews.com/2023/11/iran-linked-imperial-kitten-cyber-group.html
  • Huntress.com/threat-library/threat-actors/imperial-kitten
  • Pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/yellow-liderc-ships-its-scripts-delivers-imaploader-malware.html
  • Crowdstrike.com/en-us/blog/imperial-kitten-deploys-novel-malware-families/
  • Attack.mitre.org/groups/G1012/
  • Microsoft.com/en-us/security/security-insider/threat-landscape/crimson-sandstorm
  • Radar.certfa.com/en/insights/actor/39af79e4/
