The Hacker News Logo
Subscribe to Newsletter
CrowdSec

The Hacker News - Cybersecurity News and Analysis: Iranian Hackers

Iranian Hackers Spotted Using a new DNS Hijacking Malware in Recent Attacks

Iranian Hackers Spotted Using a new DNS Hijacking Malware in Recent Attacks
June 12, 2022Ravie Lakshmanan
The Iranian state-sponsored threat actor tracked under the moniker Lyceum has turned to using a new custom .NET-based backdoor in recent campaigns directed against the Middle East. "The new malware is a .NET based DNS Backdoor which is a customized version of the open source tool 'DIG.net,'" Zscaler ThreatLabz researchers Niraj Shivtarkar and Avinash Kumar  said  in a report published last week. "The malware leverages a DNS attack technique called 'DNS Hijacking' in which an attacker-controlled DNS server manipulates the response of DNS queries and resolves them as per their malicious requirements." DNS hijacking is a  redirection attack  in which DNS queries to genuine websites are intercepted to take an unsuspecting user to fraudulent pages under an adversary's control. Unlike  cache poisoning , DNS hijacking targets the DNS record of the website on the nameserver, rather than a resolver's cache. Lyceum , also known as Hexane, Spirli

Iranian Hackers Leveraging BitLocker and DiskCryptor in Ransomware Attacks

Iranian Hackers Leveraging BitLocker and DiskCryptor in Ransomware Attacks
May 12, 2022Ravie Lakshmanan
A ransomware group with an Iranian operational connection has been linked to a string of file-encrypting malware attacks targeting organizations in Israel, the U.S., Europe, and Australia. Cybersecurity firm Secureworks attributed the intrusions to a threat actor it tracks under the moniker Cobalt Mirage, which it said is linked to an Iranian hacking crew dubbed Cobalt Illusion (aka APT35, Charming Kitten, Newscaster, or Phosphorus). "Elements of Cobalt Mirage activity have been  reported  as  Phosphorus  and  TunnelVision ," Secureworks Counter Threat Unit (CTU)  said  in a report shared with The Hacker News. The threat actor is said to have conducted two different sets of intrusions, one of which relates to opportunistic ransomware attacks involving the use of legitimate tools like  BitLocker  and DiskCryptor for financial gain. The second set of attacks are more targeted, carried out with the primary goal of securing access and gathering intelligence, while also depl

Iran's MuddyWater Hacker Group Using New Malware in Worldwide Cyber Attacks

Iran's MuddyWater Hacker Group Using New Malware in Worldwide Cyber Attacks
February 25, 2022Ravie Lakshmanan
Cybersecurity agencies from the U.K. and the U.S. have laid bare a new malware used by the Iranian government-sponsored advanced persistent threat (APT) group in attacks targeting government and commercial networks worldwide. "MuddyWater actors are positioned both to provide stolen data and accesses to the Iranian government and to share these with other malicious cyber actors," the agencies  said . The joint advisory comes courtesy of the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the U.S. Cyber Command Cyber National Mission Force (CNMF), and the U.K.'s National Cyber Security Centre (NCSC). The cyberespionage actor was  outed this year  as conducting malicious operations as part of Iran's Ministry of Intelligence and Security (MOIS) targeting a wide range of government and private-sector organizations, including telecommunications, defense, local government, and oil and natural gas sectors, in Asia, Afric

Iranian Hackers Using New Marlin Backdoor in 'Out to Sea' Espionage Campaign

Iranian Hackers Using New Marlin Backdoor in 'Out to Sea' Espionage Campaign
February 09, 2022Ravie Lakshmanan
An advanced persistent threat (APT) group with ties to Iran has refreshed its malware toolset to include a new backdoor dubbed  Marlin  as part of a long-running espionage campaign that started in April 2018. Slovak cybersecurity company ESET attributed the attacks — codenamed "Out to Sea"  — to a threat actor called  OilRig  (aka APT34), while also conclusively connecting its activities to a second Iranian group tracked under the name  Lyceum  (Hexane aka  SiameseKitten ). "Victims of the campaign include diplomatic organizations, technology companies, and medical organizations in Israel, Tunisia, and the United Arab Emirates," ESET noted in its  T3 2021 Threat Report  shared with The Hacker News. Active since at least 2014, the hacking group is known to strike Middle Eastern governments and a variety of business verticals, including chemical, energy, financial, and telecommunications. In April 2021, the actor targeted a Lebanese entity with an implant called

Hacker Group 'Moses Staff' Using New StrifeWater RAT in Ransomware Attacks

Hacker Group 'Moses Staff' Using New StrifeWater RAT in Ransomware Attacks
February 01, 2022Ravie Lakshmanan
A politically motivated hacker group tied to a series of espionage and sabotage attacks on Israeli entities in 2021 incorporated a previously undocumented remote access trojan (RAT) that masquerades as the Windows Calculator app as part of a conscious effort to stay under the radar. Cybersecurity company Cybereason, which has been tracking the operations of the Iranian actor known as Moses Staff, dubbed the malware " StrifeWater ." "The StrifeWater RAT appears to be used in the initial stage of the attack and this stealthy RAT has the ability to remove itself from the system to cover the Iranian group's tracks," Tom Fakterman, Cybereason security analyst,  said  in a report. "The RAT possesses other capabilities, such as command execution and screen capturing, as well as the ability to download additional extensions." Moses Staff came to light towards the end of last year when Check Point Research  unmasked  a series of attacks aimed at Israeli or

Iranian Hackers Using New PowerShell Backdoor in Cyber Espionage Attacks

Iranian Hackers Using New PowerShell Backdoor in Cyber Espionage Attacks
February 01, 2022Ravie Lakshmanan
An advanced persistent threat group with links to Iran has updated its malware toolset to include a novel PowerShell-based implant called PowerLess Backdoor , according to new research published by Cybereason. The Boston-headquartered cybersecurity company attributed the malware to a hacking group known as Charming Kitten (aka Phosphorous, APT35, or  TA453 ), while also calling out the backdoor's evasive PowerShell execution. "The PowerShell code runs in the context of a .NET application, thus not launching 'powershell.exe' which enables it to evade security products," Daniel Frank, senior malware researcher at Cybereason,  said . "The toolset analyzed includes extremely modular, multi-staged malware that decrypts and deploys additional payloads in several stages for the sake of both stealth and efficacy." The threat actor, which is active since at least 2017, has been behind a series of campaigns in recent years, including those wherein the adversa

Iranian Hackers Exploit Log4j Vulnerability to Deploy PowerShell Backdoor

Iranian Hackers Exploit Log4j Vulnerability to Deploy PowerShell Backdoor
January 13, 2022Ravie Lakshmanan
An Iranian state-sponsored actor has been observed scanning and attempting to abuse the Log4Shell flaw in publicly-exposed Java applications to deploy a hitherto undocumented PowerShell-based modular backdoor dubbed " CharmPower " for follow-on post-exploitation. "The actor's attack setup was obviously rushed, as they used the basic open-source tool for the exploitation and based their operations on previous infrastructure, which made the attack easier to detect and attribute," researchers from Check Point  said  in a report published this week. The Israeli cybersecurity company linked the attack to a group known as  APT35 , which is also tracked using the codenames Charming Kitten, Phosphorus, and TA453, citing overlaps with toolsets previously identified as infrastructure used by the threat actor. Log4Shell  aka CVE-2021-44228 (CVSS score: 10.0) concerns a critical security vulnerability in the popular Log4j logging library that, if successfully exploite

US Cyber Command Links 'MuddyWater' Hacking Group to Iranian Intelligence

US Cyber Command Links 'MuddyWater' Hacking Group to Iranian Intelligence
January 12, 2022Ravie Lakshmanan
The U.S. Cyber Command (USCYBERCOM) on Wednesday officially confirmed MuddyWater's ties to the Iranian intelligence apparatus, while simultaneously detailing the various tools and tactics adopted by the espionage actor to burrow into victim networks. "MuddyWater has been seen using a variety of techniques to maintain access to victim networks," USCYBERCOM's Cyber National Mission Force (CNMF)  said  in a statement. "These include side-loading  DLLs  in order to trick legitimate programs into running malware and obfuscating PowerShell scripts to hide command and control functions." The agency characterized the hacking efforts as a subordinate element within the Iranian Ministry of Intelligence and Security (MOIS), corroborating earlier reports about the nation-state actor's provenance. Also tracked under the monikers Static Kitten, Seedworm, Mercury and TEMP.Zagros,  MuddyWater  is known for its  attacks  primarily directed against a wide gamut of en

Hackers Using Microsoft MSHTML Flaw to Spy on Targeted PCs with Malware

Hackers Using Microsoft MSHTML Flaw to Spy on Targeted PCs with Malware
November 25, 2021Ravie Lakshmanan
A new Iranian threat actor has been discovered exploiting a now-addressed critical flaw in the Microsoft Windows MSHTML platform to target Farsi-speaking victims with a previously undocumented PowerShell-based information stealer designed to harvest extensive details from infected machines. "[T]he stealer is a PowerShell script, short with powerful collection capabilities — in only ~150 lines, it provides the adversary a lot of critical information including screen captures, Telegram files, document collection, and extensive data about the victim's environment," SafeBreach Labs researcher Tomer Bar  said  in a report published Wednesday. Nearly half of the targets are from the U.S., with the cybersecurity firm noting that the attacks are likely aimed at "Iranians who live abroad and might be seen as a threat to Iran's Islamic regime." The phishing campaign, which began in July 2021, involved the exploitation of CVE-2021-40444, a remote code execution fl

Microsoft Warns about 6 Iranian Hacking Groups Turning to Ransomware

Microsoft Warns about 6 Iranian Hacking Groups Turning to Ransomware
November 17, 2021Ravie Lakshmanan
Nation-state operators with nexus to Iran are increasingly turning to ransomware as a means of generating revenue and intentionally sabotaging their targets, while also engaging in patient and persistent social engineering campaigns and aggressive brute force attacks. No less than six threat actors affiliated with the West Asian country have been discovered deploying ransomware to achieve their strategic objectives, researchers from Microsoft Threat Intelligence Center (MSTIC)  revealed , adding "these ransomware deployments were launched in waves every six to eight weeks on average." Of note is a threat actor tracked as  Phosphorus  (aka Charming Kitten or APT35), which has been found scanning IP addresses on the internet for unpatched Fortinet FortiOS SSL VPN and on-premises Exchange Servers to gain initial access and persistence on vulnerable networks, before moving to deploy additional payloads that enable the actors to pivot to other machines and deploy ransomware.

Iran's Lyceum Hackers Target Telecoms, ISPs in Israel, Saudi Arabia, and Africa

Iran's Lyceum Hackers Target Telecoms, ISPs in Israel, Saudi Arabia, and Africa
November 11, 2021Ravie Lakshmanan
A state-sponsored threat actor allegedly affiliated with Iran has been linked to a series of targeted attacks aimed at internet service providers (ISPs) and telecommunication operators in Israel, Morocco, Tunisia, and Saudi Arabia, as well as a ministry of foreign affairs (MFA) in Africa, new findings reveal. The intrusions, staged by a group tracked as Lyceum, are believed to have occurred between July and October 2021, researchers from Accenture Cyber Threat Intelligence (ACTI) group and Prevailion's Adversarial Counterintelligence Team (PACT) said in a technical report. The names of the victims were not disclosed. The latest revelations throw light on the web-based infrastructure used by Lyceum, over 20 of them, enabling the identification of "additional victims and provide further visibility into Lyceum's targeting methodology," the researchers  noted , adding "at least two of the identified compromises are assessed to be ongoing despite prior public discl

Iranian Hackers Target Several Israeli Organizations With Supply-Chain Attacks

Iranian Hackers Target Several Israeli Organizations With Supply-Chain Attacks
August 18, 2021Ravie Lakshmanan
IT and communication companies in Israel were at the center of a supply chain attack campaign spearheaded by an Iranian threat actor that involved impersonating the firms and their HR personnel to target victims with fake job offers in an attempt to penetrate their computers and gain access to the company's clients. The attacks, which occurred in two waves in May and July 2021, have been linked to a hacker group called Siamesekitten (aka Lyceum or Hexane) that has primarily singled out oil, gas, and telecom providers in the Middle East and in Africa at least since 2018, researchers from ClearSky  said  in a report published Tuesday. Infections undertaken by the adversary commenced with identifying potential victims, who were then enticed with "alluring" job offers in well-known companies like ChipPc and Software AG by posing as human resources department employees from the impersonated firms, only to lead the victims to a phishing website containing weaponized files t

Researchers uncover a new Iranian malware used in recent cyberattacks

Researchers uncover a new Iranian malware used in recent cyberattacks
April 08, 2021Ravie Lakshmanan
An Iranian threat actor has unleashed a new cyberespionage campaign against a possible Lebanese target with a backdoor capable of exfiltrating sensitive information from compromised systems. Cybersecurity firm Check Point attributed the operation to APT34, citing similarities with previous techniques used by the threat actor as well as based on its pattern of victimology. APT34  (aka OilRig) is known for its reconnaissance campaigns aligned with the strategic interests of Iran, primarily hitting financial, government, energy, chemical, and telecommunications industries in the Middle East. The group typically resorts to targeting individuals through the use of booby-trapped job offer documents, delivered directly to the victims via LinkedIn messages. Although the latest campaign bears some of the same hallmarks, the exact mode of delivery remains unclear as yet. The Word document analyzed by Check Point — which was  uploaded  to VirusTotal from Lebanon on January 10 — claims to of

Detailed: Here's How Iran Spies on Dissidents with the Help of Hackers

Detailed: Here's How Iran Spies on Dissidents with the Help of Hackers
February 08, 2021Ravie Lakshmanan
Twin cyber operations conducted by state-sponsored Iranian threat actors demonstrate their continued focus on compiling detailed dossiers on Iranian citizens that could threaten the stability of the Islamic Republic, including dissidents, opposition forces, and ISIS supporters, and Kurdish natives. Tracing the extensive espionage operations to two advanced Iranian cyber-groups  Domestic Kitten  (or APT-C-50) and  Infy , cybersecurity firm Check Point revealed new and recent evidence of their ongoing activities that involve the use of a revamped malware toolset as well as tricking unwitting users into downloading malicious software under the guise of popular apps. "Both groups have conducted long-running cyberattacks and intrusive surveillance campaigns which target both individuals' mobile devices and personal computers," Check Point researchers said in a new analysis. "The operators of these campaigns are clearly active, responsive and constantly seeking new att

Researchers Uncover 6-Year Cyber Espionage Campaign Targeting Iranian Dissidents

Researchers Uncover 6-Year Cyber Espionage Campaign Targeting Iranian Dissidents
September 19, 2020Ravie Lakshmanan
Capping off a busy week of charges and sanctions  against Iranian hackers, a new research offers insight into what's a six-year-long ongoing surveillance campaign targeting Iranian expats and dissidents with an intention to pilfer sensitive information. The threat actor, suspected to be of Iranian origin, is said to have orchestrated the campaign with at least two different moving parts — one for Windows and the other for Android — using a wide arsenal of intrusion tools in the form of info stealers and backdoors designed to steal personal documents, passwords, Telegram messages, and two-factor authentication codes from SMS messages. Calling the operation " Rampant Kitten ," cybersecurity firm Check Point Research said the suite of malware tools had been mainly used against Iranian minorities, anti-regime organizations, and resistance movements such as the Association of Families of Camp Ashraf and Liberty Residents (AFALR), Azerbaijan National Resistance Organization

U.S. Treasury Sanctions Hacking Group Backed by Iranian Intelligence

U.S. Treasury Sanctions Hacking Group Backed by Iranian Intelligence
September 18, 2020Ravie Lakshmanan
The U.S. government on Thursday imposed  sweeping sanctions  against an Iranian threat actor backed by the country's Ministry of Intelligence and Security (MOIS) for carrying out malware campaigns targeting Iranian dissidents, journalists, and international companies in the telecom and travel sectors. According to the U.S. Treasury and the Federal Bureau of Investigation (FBI), the sanctions target Rana Intelligence Computing Company (or Rana), which the agencies said operated as a front for the threat group  APT39  (aka Chafer or Remix Kitten), Iranian cyber espionage hacking collective active since 2014 known for its attacks on companies in the U.S. and the Middle East with an aim to pilfer personal information and advance Iran's national security objectives. To that effect, 45 individuals who served in various capacities while employed at the front company, including as managers, programmers, and hacking experts, have been implicated in the sanctions, which also prohibit U

U.S. Announces Charges Against 2 Russian and 2 Iranian Hackers

U.S. Announces Charges Against 2 Russian and 2 Iranian Hackers
September 17, 2020Wang Wei
Immediately after revealing criminal charges against 5 Chinese and 2 Malaysian hackers , the United States government yesterday also made two separate announcements charging two Iranian and two Russian hackers and added them to the FBI's most-wanted list. The two Russian nationals—Danil Potekhin and Dmitrii Karasavidi—are accused of stealing $16.8 million worth of cryptocurrencies in a series of phishing attacks throughout 2017 and 2018. "This tactic used a combination of phishing and spoofing to exploit Internet users' trust in known companies and organizations to fraudulently obtain their login credentials, including email addresses, password information, and other personal information," the DoJ said . In addition to the criminal charges, the U.S. Department of the Treasury has also sanctioned both Russian hackers , freezing all their assets under U.S. jurisdiction and banning them from doing business with Americans. "Karasavidi laundered the proceeds

2 Hackers Charged for Defacing Sites after U.S. Airstrike Killed Iranian General

2 Hackers Charged for Defacing Sites after U.S. Airstrike Killed Iranian General
September 16, 2020Ravie Lakshmanan
The US Department of Justice (DoJ) on Tuesday indicted two hackers for their alleged involvement in defacing several websites in the country following the assassination of Iranian major general Qasem Soleimani earlier this January. Behzad Mohammadzadeh (aka Mrb3hz4d), 19, and Marwan Abusrour (aka Mrwn007), 25, have been charged with conspiracy to commit intentional damage to a protected computer for a widespread "cyber-assault" that affected over 1,400 websites with pro-Iranian and pro-Palestinian messages. "The hackers victimized innocent third parties in a campaign to retaliate for the military action that killed Soleimani, a man behind countless acts of terror against Americans and others that the Iranian regime opposed," said Assistant Attorney General for National Security John C. Demers in a statement. The defendants, from Iran and Palestine, respectively, are now wanted by the US authorities and are no longer free to travel outside their countries wi

Iranian Hackers Pose as Journalists to Trick Victims Into Installing Malware

Iranian Hackers Pose as Journalists to Trick Victims Into Installing Malware
August 28, 2020Ravie Lakshmanan
An Iranian cyberespionage group known for targeting government, defense technology, military, and diplomacy sectors is now impersonating journalists to approach targets via LinkedIn and WhatsApp and infect their devices with malware. Detailing the new tactics of the "Charming Kitten" APT group, Israeli firm Clearsky said, "starting July 2020, we have identified a new TTP of the group, impersonating 'Deutsche Welle' and the 'Jewish Journal' using emails alongside WhatsApp messages as their main platform to approach the target and convince them to open a malicious link." This development is the first time the threat actor is said to have carried out a watering hole attack through WhatsApp and LinkedIn, which also includes making phone calls to victims, Clearsky noted in a Thursday analysis. After the company alerted Deutsche Welle about the impersonation and the watering hole in their website, the German broadcaster confirmed, "the repor
Online Courses and Software

Sign up for cybersecurity newsletter and get latest news updates delivered straight to your inbox daily.