29 July 2021

Iranian hackers masqueraded as aerobics instructor to breach US defence company

Hackers with ties to the Iranian government posed for years as a glamorous Liverpool-based aerobics instructor in order to install malware on the machine of an employee of a US aerospace defense contractor, cybersecurity firm Proofpoint revealed.

In a new report, the researchers said they discovered “a years-long social engineering and targeted malware campaign by the Iranian-state aligned threat actor TA456,” also known as Tortoiseshell.

“Using the social media persona ‘Marcella Flores,’ TA456 built a relationship across corporate and personal communication platforms with an employee of a small subsidiary of an aerospace defense contractor. In early June 2021, the threat actor attempted to capitalize on this relationship by sending the target malware via an ongoing email communication chain,” Proofpoint said.

“Proofpoint data shows that over at least eight months, ‘Marcella (Marcy) Flores’ sent TA456’s target benign email messages, photographs, and a video to establish her veracity and build rapport with the intended victim. At one time, TA456 attempted to send a benign, but flirtatious video via a OneDrive URL. In early June, a TA456 actor self-identified as ‘Marcy’ sent another OneDrive link, this time masquerading as a diet survey.”

Once it infects the computer, the malware, which the researchers dubbed ‘LEMPO’, establishes persistence and then performs reconnaissance on the machine, collecting sensitive information that is sent to an actor-controlled email account via SMTPS. Lastly, the malware covers its tracks by deleting that day’s host artifacts.

Facebook has since removed the Flores account from its platform in a coordinated takedown of users linked to Iranian hacker activity. Earlier this month, Facebook said it dismantled a cyberespionage campaign it attributed to Tortoiseshell targeting military personnel and companies in the defense and aerospace sectors in the U.S., U.K., and Europe using a network of fake online personas.

Tortoiseshell is believed to be loosely aligned with the Islamic Revolutionary Guard Corps (IRGC) via association with the Iranian company Mahak Rayan Afraz (MRA), according to Facebook’s analysis.

“TA456’s dedication to significant social engineering engagement, benign reconnaissance of targets prior to deploying malware, and their cross platform kill chain establish TA456 to be one of the most resourceful Iranian-aligned threats tracked by Proofpoint. The ‘Marcella Flores’ persona is likely not the only one in use by TA456, making it important for those working within or tangentially to the defense industrial base to be vigilant when engaging with unknown individuals regardless of whether it is via work or personal accounts,” Proofpoint said.