Introduction:

Since November 2023, Microsoft has been closely monitoring a subset of the cyber threat group Mint Sandstorm, linked to Iran’s Islamic Revolutionary Guard Corps (IRGC). This subgroup has exhibited a high level of technical prowess, specifically targeting individuals involved in Middle Eastern affairs at prestigious institutions in Belgium, France, Gaza, Israel, the United Kingdom, and the United States. In this campaign, Mint Sandstorm employed advanced phishing techniques, showcasing a new level of sophistication in their cyber operations.

Mint Sandstorm’s Targets and Objectives:

The targets of this cyber campaign were high-profile individuals, such as journalists, researchers, and professors, known for their insights into security and policy matters related to the Middle East. The threat actors sought to compromise these individuals, who could potentially influence intelligence and policy communities. Microsoft’s analysis indicates that Mint Sandstorm’s motives include gathering sensitive information for the Iranian government, posing a significant threat to the targeted individuals and the organizations they represent.

New Mint Sandstorm Tradecraft:

Mint Sandstorm’s recent campaign displayed novel tactics, techniques, and procedures (TTPs) that distinguish it from previous activities. The threat actors demonstrated a high level of social engineering expertise, masquerading as legitimate high-profile individuals, including journalists from reputable news outlets. The use of bespoke phishing lures and benign initial emails aimed at building trust with the targets reflects the group’s evolving tradecraft.

Delivery and Persistence:

The delivery mechanism involved sending malicious links to targets, directing them to seemingly innocuous domains hosting files with double extensions. Microsoft observed the use of the Client for URL (curl) command to connect to Mint Sandstorm’s command-and-control (C2) server and download malicious files. Additionally, Mint Sandstorm employed various methods for persistence in compromised environments, including the creation of registry entries and scheduled tasks to maintain access.

Collection and Backdoor Implementation:

Mint Sandstorm showed a clear interest in collecting sensitive information from targets, writing logs of its activity to text files. The campaign also introduced a new custom backdoor named MediaPl, capable of sending encrypted communications to its C2 server. A second backdoor, MischiefTut, implemented in PowerShell, provided basic reconnaissance capabilities, illustrating the breadth of Mint Sandstorm’s espionage toolkit.

Implications and Mitigations:

The ability of Mint Sandstorm to obtain and maintain remote access poses serious implications for the confidentiality of targeted systems. Microsoft highlights the legal and reputational risks that organizations face when compromised by this campaign. In response, the company provides detection, hunting, and protection recommendations to organizations, emphasizing the importance of implementing high-value mitigations to defend against Mint Sandstorm and similar threats.

Conclusion:

The Mint Sandstorm campaign analyzed by Microsoft reveals a concerning level of sophistication in the group’s cyber operations. The use of advanced social engineering techniques, evolving delivery mechanisms, and the deployment of custom backdoors underscore the persistent and resource-intensive nature of this Iranian cyber threat group.