Update: Iranian Hackers Launch Malware Attacks on Israel’s Tech Sector

Cyber Security Threat Summary:
Imperial Kitten, also known as Tortoiseshell, TA456, Crimson Sandstorm and Yellow Liderc, has launched a new campaign targeting transportation, logistics, and technology companies in the Middle East. Associated with the Iranian Revolutionary Guard Corps (IRGC), this threat actor, using the online persona Marcella Flores, has been active since at least 2017, conducting cyberattacks across sectors like defense technology, telecommunications, maritime, energy, and consulting.

Researchers at CrowdStrike have identified recent attacks and attributed them to Imperial Kitten through infrastructure overlaps with previous campaigns, observed TTPs, the use of the IMAPLoader malware, and the phishing lures employed. In October, Imperial Kitten executed phishing attacks using a “job recruitment” email theme with a malicious Excel attachment. When the document is opened, the embedded macro code modifies the registry and runs Python payloads that give the attacker reverse shell access. The attacker then moves through the network using tools such as PAExec for remote process execution and NetScan for reconnaissance, and uses ProcDump to dump process memory from which credentials are extracted. Two pieces of custom malware, IMAPLoader and StandardKeyboard, communicate with the command and control (C2) server over email. StandardKeyboard persists as a Windows service named “Keyboard Service” and executes base64-encoded commands received from the C2. CrowdStrike confirmed that the October 2023 attacks targeted Israeli organizations following the outbreak of the Israel-Hamas conflict.
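The behaviours described above (an Office process spawning a Python interpreter, ProcDump pointed at LSASS, PAExec used for remote execution, and a service installed under the name “Keyboard Service”) are each observable in ordinary endpoint telemetry. The following detection sketch is an added example, not code from CrowdStrike, PwC, or the original page. The field names mimic Sysmon Event ID 1 (process creation) and Windows System log Event ID 7045 (service installation), but the events, hosts, and file paths below are constructed for illustration. The macro's registry modifications are not modelled because the page does not say which keys are touched.

```python
"""Detection sketch for the Imperial Kitten TTPs summarised above.

Added example; not the original page's or CrowdStrike's code. The records in
SAMPLE_EVENTS are constructed (not real logs) and only borrow the shape of
Sysmon EID 1 (ProcessCreate) and Windows System log EID 7045 (service installed).
"""

# Constructed sample telemetry. Hosts, paths and command lines are made up.
SAMPLE_EVENTS = [
    # Excel spawning a Python interpreter right after the macro runs
    {"event_id": 1, "host": "ws01",
     "image": r"C:\Users\a\AppData\Local\Programs\Python\Python311\python.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "command_line": r"python.exe C:\Users\a\AppData\Local\Temp\rs.py"},
    # ProcDump dumping lsass.exe memory for offline credential extraction
    {"event_id": 1, "host": "ws01",
     "image": r"C:\Tools\procdump64.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"procdump64.exe -accepteula -ma lsass.exe C:\Windows\Temp\l.dmp"},
    # PAExec launching a command on another host (lateral movement)
    {"event_id": 1, "host": "ws01",
     "image": r"C:\Tools\paexec.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"paexec.exe \\srv02 -s cmd.exe /c whoami"},
    # New service named "Keyboard Service" (StandardKeyboard persistence)
    {"event_id": 7045, "host": "ws01",
     "service_name": "Keyboard Service",
     "image_path": r"C:\ProgramData\kbd\svc.exe"},
    # Benign activity that must not alert
    {"event_id": 1, "host": "ws02",
     "image": r"C:\Windows\System32\notepad.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": "notepad.exe"},
    {"event_id": 7045, "host": "ws02",
     "service_name": "Print Spooler",
     "image_path": r"C:\Windows\System32\spoolsv.exe"},
]

# Office parents and interpreter/scripting children that a macro can launch.
OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe"}
SCRIPT_CHILDREN = {"python.exe", "pythonw.exe", "powershell.exe", "cmd.exe",
                   "wscript.exe", "cscript.exe", "mshta.exe"}
# Service name used by StandardKeyboard per the summary above.
SUSPICIOUS_SERVICE_NAMES = {"keyboard service"}


def basename(path: str) -> str:
    """Lower-cased file name from a Windows (or POSIX) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(event: dict) -> list[str]:
    """Return the names of every rule the event triggers (empty list if none)."""
    hits: list[str] = []
    if event.get("event_id") == 1:
        parent = basename(event.get("parent_image", ""))
        child = basename(event.get("image", ""))
        cmd = event.get("command_line", "").lower()
        # Macro-driven execution: Office process spawning an interpreter.
        if parent in OFFICE_PARENTS and child in SCRIPT_CHILDREN:
            hits.append("office_spawned_interpreter")
        # Credential theft: any ProcDump build targeting LSASS.
        if child.startswith("procdump") and "lsass" in cmd:
            hits.append("procdump_lsass")
        # Lateral movement: PAExec (PsExec clone) starting remote processes.
        if child == "paexec.exe":
            hits.append("paexec_remote_exec")
    elif event.get("event_id") == 7045:
        # Persistence: service installed under the StandardKeyboard name.
        if event.get("service_name", "").strip().lower() in SUSPICIOUS_SERVICE_NAMES:
            hits.append("keyboard_service_persistence")
    return hits


def scan(events: list[dict]) -> list[tuple[str, str]]:
    """Run every rule over every event; returns (host, rule) pairs in input order."""
    return [(e.get("host", "?"), rule) for e in events for rule in detect(e)]


if __name__ == "__main__":
    for host, rule in scan(SAMPLE_EVENTS):
        print(f"{host}: {rule}")
```

The service-name rule is the most brittle of the four, since the attacker can rename the service at will; the process-relationship rules (Office spawning an interpreter, ProcDump reaching into LSASS) survive such renaming and are worth keeping even after this campaign's indicators age out.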

Security Officer Comments:
Imperial Kitten previously conducted watering hole attacks, compromising Israeli websites and using JavaScript code to collect information about their visitors. PricewaterhouseCoopers (PwC) notes that these campaigns, which ran between 2022 and 2023, targeted the maritime, shipping, and logistics sectors; victims received the IMAPLoader malware along with additional payloads. CrowdStrike also observed the group breaching networks directly using public exploit code, stolen VPN credentials, SQL injection, or phishing emails.

Suggested Correction(s):

Organizations can make APT groups’ lives more difficult. Here’s how:

  • Defense-in-depth strategy: A comprehensive defense-in-depth strategy is crucial to combat APTs. This includes implementing multiple layers of security controls, such as strong perimeter defenses, network segmentation, endpoint protection, intrusion detection systems, data encryption, access controls, and continuous monitoring for anomalies.
  • Threat intelligence and sharing: Ideally, organizations should actively participate in threat intelligence sharing communities and collaborate with industry peers, government agencies, and security vendors. Sharing information about APTs and their techniques helps detect and mitigate attacks more effectively.
  • Employee education and awareness: Regular security awareness programs, phishing simulations, and training sessions can educate employees about the latest threats, social engineering techniques, and safe computing practices.
  • Incident response and recovery: Despite preventive measures, organizations should have a well-defined incident response plan. This includes detection, containment, eradication, and recovery procedures to minimize the impact of APT attacks and restore normal operations.