Researchers have discovered a new phishing campaign that targets Middle Eastern and North African government entities to deliver a new initial access downloader termed "IronWind." This downloader is followed by additional payload stages, one of which downloads a shellcode.
Most campaigns initially used Dropbox links, then evolved to XLL and RAR file attachments to evade detection mechanisms. Moreover, this threat actor's activity overlaps with Molerats, Gaza Cybergang, Frankenstein, and WIRTE.
The malicious actor employs a hijacked email account belonging to the Ministry of Foreign Affairs to launch phishing attacks against government entities in the Middle East.
The email utilized phishing tactics to deceive its recipients with a message related to economic affairs. It contained a hyperlink to a Dropbox file which, once clicked, downloaded a malicious Microsoft PowerPoint Add-in (PPAM) file.
This file contains a macro that drops three files: version.dll (IronWind), timeout.exe, and gatherNetworkInfo.vbs.
The timeout.exe file was used to sideload IronWind, which sends an HTTP GET request to the C2 domain (theconomics[.]net), according to the August 2023 analysis.
Once the C2 receives this request, it responds with a shellcode, which is the third stage of the infection chain.
This shellcode uses .NET loaders to perform WMI queries and also downloads the fourth stage of the malware, another .NET executable that uses SharpSploit, a .NET post-exploitation library written in C#.
The attachments were observed to shift from PPAM to RAR files in October 2023. The RAR file contains a tabcal.exe file, which sideloads IronWind and propsys.dll. The other stages of the malware delivery remained the same.
A complete report on this IronWind infection has been published by Proofpoint, providing detailed information about the threat actor, the compromise path, and other vital details.
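Both delivery variants described above rely on the same technique: a legitimate Windows executable (timeout.exe, later tabcal.exe) is dropped into a user-writable folder next to a DLL named like a system library (version.dll, propsys.dll), so the executable loads the attacker's copy instead of the one in System32. The following is an added detection example written for this article, not code from Proofpoint or the campaign; it assumes Sysmon Event ID 7 (ImageLoad) style records with `Image` and `ImageLoaded` fields, and the sample paths are constructed, not real indicators.

```python
"""Flag the DLL sideloading pairs from the IronWind reporting in ImageLoad telemetry."""
import ntpath

# Host executable -> DLL name it was reported sideloading (from the article).
SIDELOAD_PAIRS = {
    "timeout.exe": {"version.dll"},
    "tabcal.exe": {"propsys.dll"},
}

# Directories where these DLLs legitimately live; any other location is suspect.
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")


def is_sideload(event: dict) -> bool:
    """True when a known host EXE loads its paired DLL from its own (non-system) directory."""
    image, loaded = event["Image"], event["ImageLoaded"]
    exe_name = ntpath.basename(image).lower()
    dll_name = ntpath.basename(loaded).lower()
    if dll_name not in SIDELOAD_PAIRS.get(exe_name, ()):
        return False
    dll_dir = ntpath.dirname(loaded).lower().rstrip("\\")
    if dll_dir in SYSTEM_DIRS:
        return False  # loaded from the real system location: benign
    # Search-order hijacking resolves the DLL from the executable's own folder.
    return dll_dir == ntpath.dirname(image).lower().rstrip("\\")


def find_sideloads(events):
    """Filter a stream of ImageLoad events down to suspected sideloads."""
    return [e for e in events if is_sideload(e)]


# Constructed sample telemetry (hypothetical paths, not real IoCs).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\timeout.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll"},                # benign
    {"Image": r"C:\Users\alice\AppData\Local\Temp\timeout.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\version.dll"},  # PPAM chain
    {"Image": r"C:\Users\alice\Downloads\rar\tabcal.exe",
     "ImageLoaded": r"C:\Users\alice\Downloads\rar\propsys.dll"},       # RAR chain
    {"Image": r"C:\Users\alice\Downloads\rar\tabcal.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},               # benign
]

if __name__ == "__main__":
    for hit in find_sideloads(SAMPLE_EVENTS):
        print("suspected sideload:", hit["Image"], "->", hit["ImageLoaded"])
```

The same check generalizes to any signed binary known to be abused this way by extending `SIDELOAD_PAIRS`; a hit should be corroborated with the follow-on HTTP GET to an unfamiliar domain noted above.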