Saturday, April 13, 2024

TA456 – Iranian Hackers Attack Defense Contractors with Malware To Exfiltrate Sensitive Data

Security researchers at Proofpoint have uncovered that the Iranian hacking group TA456, also known as “Tortoiseshell” and “Imperial Kitten”, has recently carried out several targeted malware attacks on defense contractors.

On Facebook, members of the group posed as an aerobics instructor to fool the defense contractors and then compromise their systems to exfiltrate sensitive data.

During this ongoing cyber-espionage campaign, the hackers mainly targeted employees of contractor companies working in US aerospace defense, especially those involved in operations in the Middle East.

In 2019 the hackers created Facebook and Instagram profiles for “Marcella Flores” and used this fake persona to pose as an aerobics instructor.

Marcella Flores is a fictitious persona that the hackers used for their illicit activities.

At this stage the threat actors took their time, spending months establishing contact with their targets and corresponding with them by email and private messages before moving on to attempts to deliver malware.

Malware and Campaign

The cybersecurity experts at Proofpoint have dubbed the malware “Lempo”; it is an updated version of “Liderc”. Lempo is a VBS (Visual Basic Script) that is dropped by an Excel macro.

This VBS gathers identifying information about the host in several ways using built-in Windows commands, and then exfiltrates the data using Microsoft’s CDO (Collaboration Data Objects).

Apart from this, the threat actors who created and abused the fake profile also used the following to trick their victims into believing the persona was real:

  • Email
  • Private messages
  • Social Media Profiles
  • Photographs
  • Flirty personal messages

As part of their espionage operation, the hackers also used those emails to send their victims OneDrive links, which led to a document containing a diet-related survey or to a video file, as part of their long-standing correspondence.

Information and records collected by Lempo

  • Date and time 
  • Computer and usernames 
  • System information via WMIC os, sysaccount, environment, and computer system commands
  • Antivirus products located in the “SecurityCenter2” path 
  • Drives 
  • Tasklist 
  • Software and version 
  • Net users and user details 
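
For defenders, the collection list above maps to a detectable pattern: a script host spawning several different inventory commands. The following Python is an added example, not code from Proofpoint or the original article; the event tuple layout, the host names and the threshold of four categories are assumptions, and the sample events are constructed.

```python
import re
from collections import defaultdict

# Recon categories taken from the article's list of what Lempo collects.
WMIC = r"\bwmic(\.exe)?\b.*"
RECON_PATTERNS = {
    "wmic_os": re.compile(WMIC + r"\bos\b", re.I),
    "wmic_sysaccount": re.compile(WMIC + r"\bsysaccount\b", re.I),
    "wmic_environment": re.compile(WMIC + r"\benvironment\b", re.I),
    "wmic_computersystem": re.compile(WMIC + r"\bcomputersystem\b", re.I),
    "av_inventory": re.compile(r"securitycenter2", re.I),
    "tasklist": re.compile(r"\btasklist(\.exe)?\b", re.I),
    "net_user": re.compile(r"\bnet1?(\.exe)?\s+users?\b", re.I),
}
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")  # hosts that run a dropped VBS

def find_recon_bursts(events, min_categories=4):
    """Flag script-host process instances that spawn several distinct recon commands."""
    seen = defaultdict(set)
    for host, parent_image, parent_pid, cmdline in events:
        if parent_image.lower().endswith(SCRIPT_HOSTS):
            cats = {n for n, rx in RECON_PATTERNS.items() if rx.search(cmdline)}
            seen[(host, parent_pid)] |= cats
    return [{"host": h, "parent_pid": p, "categories": sorted(c)}
            for (h, p), c in seen.items() if len(c) >= min_categories]

# Constructed sample events: (host, parent image, parent PID, child command line).
# Assumed, simplified layout; not real telemetry.
W = r"C:\Windows\System32\wscript.exe"
SAMPLE_EVENTS = [
    ("WS-01", W, 4120, "wmic os get caption,version"),
    ("WS-01", W, 4120, "wmic computersystem get name,domain"),
    ("WS-01", W, 4120, r"wmic /namespace:\\root\SecurityCenter2 path AntiVirusProduct get displayName"),
    ("WS-01", W, 4120, "tasklist /v"),
    ("WS-01", W, 4120, "net user"),
    ("WS-02", r"C:\Windows\explorer.exe", 2210, "tasklist"),         # interactive admin use
    ("WS-03", r"C:\Windows\System32\cscript.exe", 880, "tasklist"),  # single command only
]

if __name__ == "__main__":
    for alert in find_recon_bursts(SAMPLE_EVENTS):
        print(alert)
```

If the script launches its commands through `cmd.exe`, the parent recorded for each command is `cmd.exe`, so the check would have to walk one level further up the process tree.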

Moreover, the malware gives attackers persistence on the victim’s Windows computer, which enables them to search for and steal confidential data present on the compromised system. With this access, an attacker can run sophisticated espionage campaigns.

However, the fake “Marcella Flores” profile has since been deactivated by the threat actors. According to the reports, in this espionage campaign the group targeted more than 200 military defense and aerospace companies in the US, UK, and Europe.

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.