Iranian Mint Sandstorm Attacking Researchers With New Hacking Tools

Hackers frequently target researchers to get illegal access to important research data, intellectual property, and highly sensitive information.

The threat actors can exploit this information for various illicit purposes like economic espionage, competitive advantage, or selling the data on the black market.

Cybersecurity researchers at Microsoft recently discovered that the threat actors behind Mint Sandstorm are actively attacking the researchers with new hacking tools.

Mint Sandstorm (PHOSPHORUS), which is linked to Iran’s IRGC, has been actively targeting high-profile individuals at universities and research organizations in Belgium, France, Gaza, Israel, the UK, and the US since November 2023 using custom phishing to deploy MediaPl backdoor. 

The operators of this threat group are highly skilled social engineers as they adapt and persist in compromised environments, which poses a serious threat to security.

Document
Free Webinar

Fastrack Compliance: The Path to ZERO-Vulnerability

Compounding the problem are zero-day vulnerabilities like the MOVEit SQLi, Zimbra XSS, and 300+ such vulnerabilities that get discovered each month. Delays in fixing these vulnerabilities lead to compliance issues, these delay can be minimized with a unique feature on AppTrana that helps you to get “Zero vulnerability report” within 72 hours.

Mint Sandstorm Attacking Researchers

Mint Sandstorm’s most recent campaign demonstrates new strategies such as phishing with hacked email accounts, using curl commands to connect to their server, and deploying the MediaPl backdoor.

They imitate renowned figures by using individualized phishing lures and innocent first mail to gain confidence before releasing malicious content. 

Using hacked but genuine email accounts strengthens Mint Sandstorm’s legitimacy, which is critical to the campaign’s success.

Targets who agreed to review documents in Mint Sandstorm’s campaign received follow-up emails with links to malicious domains like cloud-document-edit[.]onrender[.]com. 

These domains hosted RAR archives, and when they are opened, decompressed into .pdf. link files running curl commands to retrieve malicious files from glitch[.]me and supabase[.]co. 

Microsoft detected various files, including .vbs scripts, and renamed versions of NirCmd, which is a legitimate tool used for actions without a user interface.

Mint Sandstorm used Persistence. vbs to persist by adding a.vbs file to the registry key or creating a scheduled task to download a.txt file from supabase[. ]co.

Intrusion chain
Intrusion chain (Source – Microsoft)

They logged device activity to files like documentLogger.txt and dropped custom backdoors, MediaPl, and MischiefTut. Here, the MediaPl is disguised as a Windows Media Player that encrypts communications and manipulates images for C2 info. 

⁤Moreover, it’s equipped to terminate itself, retry C2 communications, and execute commands. ⁤⁤MischiefTut is a PowerShell-based backdoor that offers basic capabilities in this sophisticated campaign. 

Mint Sandstorm’s remote access capability poses a threat to system confidentiality, risking legal and reputational consequences for targeted organizations. 

Microsoft enhances detection to empower customers to defend against this patient and skilled subgroup of Mint Sandstorm.

Recommendations

Here below, we have mentioned all the recommendations provided by the security researchers:-

  • Leverage Microsoft Defender’s Attack Simulator for realistic simulated phishing and password attacks.
  • Focus on recognizing phishing cues like spelling errors, spoofed app details, and suspicious URLs.
  • Make sure to use Microsoft Edge and SmartScreen-enabled browsers.
  • Ensure to activate network protection to block connections to harmful domains and IP addresses.
  • In Microsoft Defender Antivirus or your antivirus tool make sure to activate cloud-delivered protection.

By following and implementing all the recommendations that are provided by the cybersecurity researchers at Microsoft, such threats can be mitigated efficiently.

IoCs

Domains:

  • east-healthy-dress[.]glitch[.]me
  • coral-polydactyl-dragonfruit[.]glitch[.]me
  • kwhfibejjyxregxmnpcs[.]supabase[.]co
  • epibvgvoszemkwjnplyc[.]supabase[.]co
  • ndrrftqrlblfecpupppp[.]supabase[.]co
  • cloud-document-edit[.]onrender[.]com

Files:

  • MediaPl.dll (SHA-256: f2dec56acef275a0e987844e98afcc44bf8b83b4661e83f89c6a2a72c5811d5f)

Try Kelltron’s cost-effective penetration testing services to evaluate digital systems security. Free demo available.

Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.