An Iranian threat actor tracked as Educated Manticore has been conducting targeted phishing attacks against Israeli victims, and researchers have linked its activity to another advanced persistent threat (APT) group known as Phosphorus.
Its activity resembles that of other well-known hacking groups such as TA453 and Cobalt Illusion in that its phishing attempts are designed to deploy a new version of PowerLess, a payload that Phosphorus has delivered in the past while operating in the Middle East and Africa.
In a report released by Check Point, researchers say that the new version of the PowerLess payload uses "an ISO file to initiate the infection chain." They also reported that other documents in the ISO file were written in Hebrew, Arabic, and English and claimed to contain information about Iraq from the Arab Science and Technology Foundation, leading researchers to believe that "the research community may have been the target of the campaign."
It's likely that these threat actors will continue to test and refine the tools used to commit these attacks in the future. "While the new PowerLess payload remains similar," Check Point researchers said in the analysis, "its loading mechanisms have significantly improved, adopting techniques rarely seen in the wild, such as using .NET binary files created in mixed mode with assembly code."