Facebook threat intelligence analysts and security experts have recently disrupted the illicit operations of Iranian hackers to distribute malware to attack the US military personnel and personnel working on security subjects.
In this event, Facebook reported that its security team has deleted 200 fake Facebook accounts that are managed by Iranian hackers. Through all these accounts, they use to execute their illicit spy operations on the US.
Facebook’s security analysts have asserted that this group of Iranian hackers is well-known as Tortoiseshell in the security industry.
The Tortoiseshell hacking group was active since 2018, and this group has previously attacked several IT organizations in the Middle East zone.
Apart from the middle east, it mainly targeted Saudi Arabia, using the Syskit backdoor, which collects several information from a compromised computer and sends it to a C&C server controlled by hackers.
Initially, Cisco Talos unveiled a malware campaign against the US military by this Tortoiseshell hacking group using the Syskit backdoor in 2019.
In that campaign, the hackers deployed several fake sites to infect the devices of several US military personnel and security personnel in the name of offering works and leveraged various collaborations.
Techniques and procedures used
The cybersecurity experts at Facebook have detected that the hackers have carried out a sophisticated operation to gain the trust of their victims.
To successfully execute their actions, in their operations, the hackers have presented themselves as representatives of aerospace and defense companies.
In short, here the hackers have used complicated social engineering to make their victims into clicking on specially-crafted malicious links.
Here, the hackers have used two major TTPs:-
- Complicated social engineering
- Phishing and credential theft
Here, the primary goal of the hackers was to direct their victims to fraudulent websites to steal their data and scan computer systems.
During the investigation, the researchers found that the sites used by the threat actors appeared to be legitimate, including a false site of the US Department of Labor job search.
To hide the final objective of all the malicious links, the threat actors have spoofed and mimicked several major email providers and URL-shortening services.
Uses of the spoofed domains
The hackers have used several spoofed domains to execute their actions and they are used to steal the following things:-
- Login credentials
- Corporate emails
- Personal email
- Collaboration tools
- Social media
Not only that even to deliver tailored malware the hackers also obtain information like the currently active devices of the victim, connected network, installed software, etc.
Moreover, the analysts of Facebook has concluded that the group uses custom malware that includes:-
- Remote access Trojans
- Intelligence gathering tools
- Modified versions of Syskit backdoor
Here, the security researchers at Facebook have also reported that the developer of one of the tools is deemed to be the Mahak Rayan Afraz (MRA) of Tehran IT company which is associated with the Islamic Revolutionary Guard Corps (IRGC).
As a strict action and disrupt the operations of this hacker group, the security analysts have confirmed that Facebook already blocked all malicious spoofed domains from being shared, taken down all the group’s, fake accounts, and also notified the assumed targets as well.