Tuesday, February 18, 2025
HomeMalwareMicrosoft Warns of Iranian Hacker Group That Rapidly Adapts New Tools &...

Microsoft Warns of Iranian Hacker Group That Rapidly Adapts New Tools & Techniques

Published on

SIEM as a Service

Follow Us on Google News

At the CyberWarCon 2021 conference, the cybersecurity experts of Microsoft Threat Intelligence Center (MSTIC) has presented an analysis of the activities and evolution of several Iranian cybercriminal groups.

In this analysis, the Microsoft Threat Intelligence Center (MSTIC) has claimed that the attacks by the Iranian hackers are becoming more sophisticated and evolving rapidly with new tools and techniques.

Notable Trends

The Microsoft Threat Intelligence Center (MSTIC) has noted three key trends, and here they are mentioned below:-

To collect funds or disrupt their targets they are increasingly utilizing ransomware.

While engaging with their targets they are more patient and persistent.

They employ aggressive brute force attacks on their targets since they are more patient and persistent with their social engineering campaigns.

Ransomware

While apart from this, Microsoft has traced six Iranian hacker groups since September 2020, and here they are mentioned below:-

  • Thanos (DEV-0146)
  • Moses Staff (DEV-0500)
  • Phosphorus
  • Rubidium (pay2key)
  • Vice Leaker (DEV-0198)
  • Agrius (DEV-0227)

In waves every six to eight weeks on average all these ransomware deployments were launched by these Iranian hacker groups to accomplish their targets and goals.

In their campaigns, the Iranian hackers primarily install ransomware and steal data in order to cause malfunctioning of targets’ systems. However, over time, these Iranian hacker groups have evolved into deploying and performing:- 

  • Cyber-espionage
  • Multi-platform malware
  • Ransomware
  • Viper operations
  • Phishing attacks
  • Supply chain attacks
  • Disk wipers
  • Password spray attacks
  • Mass exploitation attacks
  • Cloak C2 communications behind legitimate cloud services

Not only that even the hackers have also scanned the Network for Fortinet FortiOS SSL VPN devices and Microsoft Exchange servers containing ProxyShell vulnerabilities, etc.

So far this year the hackers have already managed to gain more than 900 valid credentials in plain text by scanning for unpatched Fortinet VPN systems only.

Patient Credential Harvesting

The increased levels of patience and perseverance in social engineering campaigns is another trend that has surfaced in the past year.

Here it has been noted that the previous actors like Phosphorus (also known as Charming Kitten) sent out emails with malicious links and attachments, but rarely managed to accomplish their goals.

As for now, Phosphorus follows the cumbersome route of “interview invitation” to instruct their victims in attacks to click on credential collection pages as part of a fake interview process.

Using an extensive network of fake social media accounts, usually disguised as attractive women, the new Curium group also pursue a similar strategy. Like this, on a daily basis, they connect with potential victims and try to win their trust for long-run operations.

After a while, the threat actors send a malicious document to their lured target one day which leads the target to the hidden installation of malware on their system.

Apart from this, to trick Israeli soldiers into installing malware on their phones, a hacker group affiliated with the Islamist movement known as Hamas also uses a similar tactic.

While others on the list to aggressively gain access to Microsoft Office 365 user accounts prefer to use brute force attacks, and this shows that they are sophisticated and well organized.

And here in this segment, there is one group that attacked US defense technology companies and ran massive password spraying attacks last month; this group is tracked as DEV-0343.

You can follow us on Linkedin, Twitter, Facebook for daily Cybersecurity, and hacking news updates.

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

Highly Obfuscated .NET sectopRAT Mimic as Chrome Extension

SectopRAT, also known as Arechclient2, is a sophisticated Remote Access Trojan (RAT) developed using...

Threat Actors Trojanize Popular Games to Evade Security and Infect Systems

A sophisticated malware campaign was launched by cybercriminals, targeting users through trojanized versions of...

New Research Aims to Strengthen MITRE ATT&CK for Evolving Cyber Threats

A recent study by researchers from the National University of Singapore and NCS Cyber...

New LLM Vulnerability Exposes AI Models Like ChatGPT to Exploitation

A significant vulnerability has been identified in large language models (LLMs) such as ChatGPT,...

Supply Chain Attack Prevention

Free Webinar - Supply Chain Attack Prevention

Recent attacks like Polyfill[.]io show how compromised third-party components become backdoors for hackers. PCI DSS 4.0’s Requirement 6.4.3 mandates stricter browser script controls, while Requirement 12.8 focuses on securing third-party providers.

Join Vivekanand Gopalan (VP of Products – Indusface) and Phani Deepak Akella (VP of Marketing – Indusface) as they break down these compliance requirements and share strategies to protect your applications from supply chain attacks.

Discussion points

Meeting PCI DSS 4.0 mandates.
Blocking malicious components and unauthorized JavaScript execution.
PIdentifying attack surfaces from third-party dependencies.
Preventing man-in-the-browser attacks with proactive monitoring.

More like this

Weaponized PDFs Deliver Lumma InfoStealer Targeting Educational Institutions

A sophisticated malware campaign leveraging the Lumma InfoStealer has been identified, targeting educational institutions...

Cybercriminals Embedded Credit Card Stealer Script Within <img> Tag

Cybersecurity researchers have uncovered a new MageCart malware campaign targeting e-commerce websites running on...

EagerBee Malware Targets Government Agencies & ISPs with Stealthy Backdoor Attack

A sophisticated cyber espionage campaign leveraging the EagerBee malware has been targeting government agencies...