Cyber Security News

Facebook Disrupts Iranian Hackers' Operation Distributing Malware To Attack U.S. Targets

Facebook's threat intelligence analysts and security engineers have recently disrupted an operation by Iranian hackers that distributed malware to US military personnel and to people working in defense-related roles.

In this action, Facebook reported that its security team removed fewer than 200 fake Facebook accounts run by the Iranian hackers. Through these accounts the group conducted its espionage operations against targets in the US.

Facebook's security analysts stated that this group of Iranian hackers is known in the security industry as Tortoiseshell.

Tortoiseshell group

The Tortoiseshell hacking group has been active since at least 2018, and it previously attacked several IT organizations in the Middle East.

Those early intrusions mainly targeted Saudi Arabia and used the Syskit backdoor, which collects system information from a compromised computer and sends it to a command-and-control (C&C) server operated by the attackers.

Cisco Talos first reported a Tortoiseshell malware campaign against the US military, again using the Syskit backdoor, in 2019.

In that campaign the hackers set up fake websites, posing as job and partnership offers, to infect the devices of US military veterans and security personnel.

Techniques and procedures used

Facebook's security team found that the hackers ran a patient, sophisticated operation to gain their victims' trust.

To do so, the hackers presented themselves as recruiters and representatives of aerospace and defense companies.

In short, they used elaborate social engineering to lure victims into clicking specially crafted malicious links.

The operation relied on two main TTPs:

  • Elaborate social engineering
  • Phishing and credential theft

The primary goal was to direct victims to fraudulent websites that stole their credentials and profiled their computer systems.

During the investigation, the researchers found that the sites appeared legitimate, including a fake version of the US Department of Labor's job search site.

To conceal where the malicious links actually led, the threat actors spoofed several major email providers and URL-shortening services.

Uses of the spoofed domains

The hackers used a number of spoofed domains, which served to steal login credentials for:

  • Corporate email
  • Personal email
  • Collaboration tools
  • Social media
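The spoofed sites described above (a fake Department of Labor job portal, lookalikes of email providers and URL shorteners) are the kind of thing a defender can catch before a user clicks. The following is an added example, not Facebook's tooling or anything from the original report: a small lookalike-domain classifier run over constructed URLs. The allow-list, sample URLs and homoglyph table are all assumptions made for the example; a production deployment would use the Public Suffix List instead of the "last two labels" shortcut.

```python
"""Flag URLs whose host mimics a known brand (added example; inputs are constructed)."""
from urllib.parse import urlparse

# Constructed allow-list of registrable domains the attackers were described as spoofing.
LEGIT = {
    "gmail.com", "outlook.com", "yahoo.com",   # email providers
    "bit.ly", "tinyurl.com",                   # URL shorteners
    "dol.gov",                                 # US Department of Labor
}

# A few digit-for-letter substitutions common in typosquatting (assumed table).
_HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def normalize(label):
    """Undo common homoglyph tricks so 'gmai1' or 'grnail' compare equal to 'gmail'."""
    return label.lower().translate(_HOMOGLYPHS).replace("rn", "m").replace("vv", "w")


def levenshtein(a, b):
    """Plain edit distance; small distances to a brand label are suspicious."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_host(host):
    """Return a reason string if the host looks like a brand lookalike, else None."""
    labels = host.lower().rstrip(".").split(".")
    # Simplification: treat the last two labels as the registrable domain.
    registrable = ".".join(labels[-2:])
    if registrable in LEGIT:
        return None
    reg_label = labels[-2] if len(labels) >= 2 else labels[0]
    # Every hyphen-separated token in every non-TLD label (subdomains included).
    tokens = {t for lab in labels[:-1] for t in lab.split("-")}
    for legit in sorted(LEGIT):
        brand = legit.split(".")[0]
        # 1. Brand used as a subdomain or as a token in a different registrable domain.
        if brand in tokens:
            return f"brand '{brand}' used in a host that is not {legit}"
        # 2. Homoglyph or one-character edit of the brand (guarded for short brands).
        if len(brand) >= 4 and (
            normalize(reg_label) == brand or levenshtein(reg_label, brand) <= 1
        ):
            return f"'{reg_label}' is a lookalike of '{brand}' ({legit})"
    return None


def flag_suspicious_urls(urls):
    """Return (url, reason) for every URL whose host is classified as a lookalike."""
    flagged = []
    for url in urls:
        host = urlparse(url).hostname
        if not host:
            continue
        reason = classify_host(host)
        if reason:
            flagged.append((url, reason))
    return flagged


# Constructed sample input; none of these are real attacker domains.
SAMPLE_URLS = [
    "https://mail.gmail.com/inbox",                 # legitimate
    "https://www.dol.gov/agencies",                  # legitimate
    "https://dol-gov-jobs.com/apply",                # fake DoL job site
    "https://outlook.secure-mail-check.com/login",   # brand as subdomain
    "https://gmai1.com/verify",                      # digit-for-letter homoglyph
    "https://tinyurI.com/x7q",                       # one-character edit of a shortener
    "https://orbit-systems.com/",                    # unrelated, must not be flagged
]

if __name__ == "__main__":
    for url, reason in flag_suspicious_urls(SAMPLE_URLS):
        print(f"{url}: {reason}")
```

Run over mail-gateway or proxy logs, this would flag the fake job site, the email-provider lookalikes and the mis-spelled shortener while leaving the legitimate and unrelated hosts alone. The hyphen-token check is what catches the "brand-as-subdomain" pattern that naive edit-distance comparison misses.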

These sites also profiled their visitors, collecting information such as the victim's active device, connected network and installed software, so that tailored malware could be delivered.

Moreover, Facebook's analysts concluded that the group uses custom malware, including:

  • Remote access Trojans
  • Intelligence gathering tools
  • Keyloggers
  • Modified versions of the Syskit backdoor

Facebook's researchers further reported that one of these tools appears to have been developed by Mahak Rayan Afraz (MRA), a Tehran-based IT company associated with the Islamic Revolutionary Guard Corps (IRGC).

To disrupt the group's operations, Facebook confirmed that it has blocked the malicious spoofed domains from being shared on its platform, taken down the group's fake accounts, and notified the people it believes were targeted.

Balaji N

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.