One of the most prolific state-sponsored Iranian cyber espionage groups is targeting researchers from different fields by setting up sophisticated spear-phishing lures in which they use multiple fake personas inside the same email thread for increased credibility.
Security firm Proofpoint tracks the group as TA453, but it overlaps with activity that other companies have attributed to Charming Kitten, PHOSPHORUS and APT42.
Incident response vendor Mandiant recently reported with medium confidence that APT42 operates on behalf of the Islamic Revolutionary Guard Corps (IRGC)’s Intelligence Organisation (IRGC-IO) and specialises in highly targeted social engineering.
Starting with campaigns in mid-2022, TA453 took "their targeted social engineering to a new level, targeting researchers with not just one actor-controlled persona but multiple," the Proofpoint researchers said in a new report. "This technique allows TA453 to leverage the psychology principle of social proof to prey upon its targets and increase the authenticity of the threat actor's spear phishing."
How multi-persona impersonation works
The recent email attacks observed and analysed by Proofpoint started out with TA453 threat actors sending carefully crafted email messages to their targets on topics of interest to them. These emails usually impersonated another academic or researcher working in the same field as them.
For example, in one email targeting an individual specialised in Middle Eastern affairs, the attackers impersonated Aaron Stein, the director of research at the Foreign Policy Research Institute (FPRI), to initiate a conversation about Israel, the Gulf States, and the Abraham Accords.
In the email, the attackers also introduced Richard Wike, director of global attitudes research at the Pew Research Center, who appeared copied in the email thread.
Both spoofed identities belong to real persons who hold the positions at the respective institutions that the email described. Moreover, a day after the initial message from the Aaron Stein persona, the attackers responded to the email thread as Richard Wike from their spoofed email address in CC, putting pressure on the victim by saying "looking forward to hearing from you." Both messages had signatures that included the logos of the two institutions.
In another case, the attackers targeted an individual who specialised in genome research with a spoofed email impersonating Harald Ott, a professor of surgery at the Harvard Medical School known for his work on organ regeneration.
The email copied not one, but two additional personas: Claire Parry, assistant director at the Centre for Universal Health in Chatham House's Global Health Programme, and Andrew Marshall, chief editor of Nature Biotechnology. When the victim responded to the email, the attackers used the Andrew Marshall persona to send a link to a maliciously crafted document hosted on Microsoft OneDrive.
In a third attack, TA453 targeted two researchers specialised in nuclear arms control who worked for the same university using a "Carroll Doherty" persona. The real Doherty is the director of political research at Pew Research Center.
The message copied three other personas: Daniel Krcmaric, an associate professor of political science at Northwestern University; Aaron Stein; and Sharan Grewal, a fellow in the Center for Middle East Policy at the Brookings Institution.
One of the targets responded to the initial email, which asked them to review an article, but then stopped responding for a week, so the attackers followed up with a OneDrive link to a malicious and password-protected document titled "The possible US-Russia clash.docx". Four days after that, they used the Aaron Stein persona to resend the document and password to reinforce the request and add credibility to it.
The technique of spoofing multiple personas in the same email thread is not new, but it is not common either.
Proofpoint has previously observed the technique used by a threat group tracked as TA2520 or Cosmic Lynx that specialises in business email compromise (BEC). BEC attacks are financially motivated with attackers inserting themselves into existing business email threads using compromised accounts and spoofing the participants' email addresses to convince an employee, usually from an organisation's accounting or finance department, to initiate a payment to an attacker-controlled account.
However, in most BEC attacks the spoofing is done to maintain the appearance of the original thread intact for the victim, including the CC field, without the other real participants receiving a copy of the rogue emails.
Before adopting this multi-persona impersonation technique, TA453 had long been spoofing real identities, including academic researchers and journalists, but it only impersonated one individual at a time in its phishing emails.
Remote template injection
The malicious DOCX documents distributed in these recent attacks by TA453 use a known technique called remote template injection to execute malicious code on victim machines.
When opened, the document uses existing Word functionality to reach out to a remote host and download a DOTM template file which contains macro scripting. The template is then applied to the document and the macros are executed.
It seems that in this case, the rogue code was designed to only collect information about the victim's system such as username, a list of running processes, and the computer's public IP and then exfiltrate this information using the Telegram API, as described in a July report by researchers from PwC.
"At this time, Proofpoint has only observed the beaconing information and has not observed any follow-on exploitation capabilities," the Proofpoint researchers said.
"The lack of code execution or command and control capabilities within the TA453 macros is abnormal. Proofpoint judges that infected users may be subject to additional exploitation based on the software identified on their machines."