Iran APT Targets the Mediterranean With Watering-Hole Attacks
Nation-state hackers are using hybrid tactics to ensnare those in the maritime, shipping, and logistics industries.
October 26, 2023
A threat actor sponsored by the Islamic Republic of Iran has been using watering-hole attacks, with a new malware downloader and a budding new method of infection, against Mediterranean organizations involved in the maritime, shipping, and logistics sectors.
These latest tactics and tools represent in some ways a continuation, and in other ways an evolution, for the group variously known as Tortoiseshell, Imperial Kitten, TA456, Crimson Sandstorm, and Yellow Liderc, according to a blog post this week from PricewaterhouseCoopers. The Islamic Revolutionary Guard Corps-backed threat actor has previously been recorded using watering holes, phishing domains, highly targeted emails, fake social media accounts, and more, in its globe-spanning espionage campaigns.
Yellow Liderc's Latest Campaign
The malware in question is "IMAPLoader," a dynamic link library (DLL) written in .NET, which uses email as a means of command-and-control (C2) communication.
This new sample is in most ways similar in function to Yellow Liderc's previous loaders. It distinguishes itself, however, in its advanced method of infection: a technique known as "appdomain manager injection." First demonstrated by a proof-of-concept (PoC) called "GhostLoader" in 2020, hackers or red teamers can use it to circumvent tools designed to detect a DLL or executable being loaded onto a Windows machine.
After slyly injecting itself on a host computer deemed of high value, IMAPLoader communicates with the attackers' Russian-hosted, very American-sounding email addresses — leviblum[@]yandex.com and brodyheywood[@]yandex — where further payloads lie.
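To make the AppDomainManager-injection mechanism concrete from the defender's side, here is an added example; it is not code from the article, from PwC, or from Proofpoint. It assumes the publicly documented .NET Framework behaviour that an application's `.exe.config` can name an `appDomainManagerAssembly` and `appDomainManagerType` under `<runtime>`, or that the `APPDOMAIN_MANAGER_ASSEMBLY` and `APPDOMAIN_MANAGER_TYPE` environment variables can do the same, so that the runtime loads the named assembly before the application's own entry point runs. The sample config texts and the function names are constructed for this example.

```python
"""Defender-side check for .NET AppDomainManager overrides.

Added example; not code from the article, PwC or Proofpoint. It relies on the
documented .NET Framework behaviour that a <runtime> section naming
appDomainManagerAssembly/appDomainManagerType, or the environment variables
APPDOMAIN_MANAGER_ASSEMBLY/APPDOMAIN_MANAGER_TYPE, makes the runtime load a
chosen assembly before the application's entry point. Sample configs below are
constructed for illustration.
"""
import os
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path
from typing import Dict, List

# Constructed sample: an ordinary config with no runtime override.
BENIGN_CONFIG = """<configuration>
  <startup><supportedRuntime version="v4.0" /></startup>
</configuration>
"""

# Constructed sample: a config that redirects the runtime to load "Loader".
SUSPECT_CONFIG = """<configuration>
  <runtime>
    <appDomainManagerAssembly value="Loader, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    <appDomainManagerType value="Loader.Manager" />
  </runtime>
</configuration>
"""

MANAGER_TAGS = ("appDomainManagerAssembly", "appDomainManagerType")
MANAGER_ENV = ("APPDOMAIN_MANAGER_ASSEMBLY", "APPDOMAIN_MANAGER_TYPE")


def find_appdomain_manager(config_text: str) -> Dict[str, str]:
    """Return the AppDomainManager assembly/type a config sets, or {} if none.

    Unparseable XML is reported as a finding so it is not silently skipped.
    """
    try:
        root = ET.fromstring(config_text)
    except ET.ParseError as exc:
        return {"parse_error": str(exc)}
    runtime = root.find("runtime")
    if runtime is None:
        return {}
    found: Dict[str, str] = {}
    for child in runtime:
        tag = child.tag.split("}")[-1]  # drop any XML namespace prefix
        if tag in MANAGER_TAGS:
            found[tag] = child.get("value", "")
    return found


def env_sets_appdomain_manager(env: Dict[str, str]) -> Dict[str, str]:
    """Return the APPDOMAIN_MANAGER_* variables present in a process environment."""
    return {k: env[k] for k in MANAGER_ENV if k in env}


def scan_directory(root: Path) -> List[dict]:
    """Walk a tree for *.exe.config / *.dll.config files and report overrides."""
    findings: List[dict] = []
    for path in sorted(root.rglob("*.config")):
        if not (path.name.endswith(".exe.config") or path.name.endswith(".dll.config")):
            continue
        hit = find_appdomain_manager(path.read_text(encoding="utf-8", errors="replace"))
        if hit:
            findings.append({"path": str(path), **hit})
    return findings


def demo_scan() -> List[dict]:
    """Write the constructed samples to a temporary tree and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        (Path(tmp) / "app.exe.config").write_text(SUSPECT_CONFIG)
        (Path(tmp) / "other.exe.config").write_text(BENIGN_CONFIG)
        (Path(tmp) / "web.config").write_text(SUSPECT_CONFIG)  # not an app config; ignored
        return scan_directory(Path(tmp))


if __name__ == "__main__":
    for finding in demo_scan():
        print("AppDomainManager override:", finding)
    print("environment:", env_sets_appdomain_manager(dict(os.environ)) or "clean")
```

Run against an application directory, a finding means a legitimate, signed executable can be made to load an arbitrary assembly without the executable itself changing, which is exactly why file-hash-based allow-listing misses it; pair this with process-start telemetry that records the loaded assemblies.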
Yellow Liderc's Tactics and Targets Vary
Anyone who tries to defend against Yellow Liderc simply by accounting for this method of injection, or this malware, will end up falling short. The group has been known to cycle through and combine various tactics, techniques, and procedures over the years.
"What we've seen more often and most recently is reconnaissance emails," says Joshua Miller, senior threat researcher at Proofpoint. Since 2021, he says, it has used the open source red-team tool GoPhish to insert malicious links into fake newsletters impersonating legitimate organizations. But it's also got more, weirder strategies in its arsenal. In 2021, Proofpoint described an elaborate, yearslong ruse they ran, posing as a woman named Marcella Flores, in order to phish a specific employee at an aerospace company.
Recently, Proofpoint observed a unique cluster within the same APT targeting workers and organizations in the healthcare and technology sectors, as well as the nuclear division of a European energy company. According to PwC, it remains an ongoing threat not just to all of the industries and regions named thus far, but also to the automotive, defense, and IT industries, in places as far and wide as the Middle East, South Asia, and North and South America.
Perhaps the only consistent elements of a Yellow Liderc attack are the minor discrepancies between the email sender, newsletter, or website one expects and the sender or experience that is actually delivered.
"Look for any unusual network traffic," Miller advises, and pay attention to suspicious emails. "Checking who's sending an email is important. I know that we say that all the time, but it's true and important for this sort of case."