New threat activity has been discovered that relates to Iran-nexus espionage targeting the aerospace, aviation, and defense industries in multiple countries, including Israel, the UAE, Turkey, India, and Albania.
This activity is also suspected to be linked to the UNC1549 threat actor, which overlaps with the Tortoiseshell threat group.
The threat actor used several evasion techniques to hide its activity and has been using Microsoft Azure cloud infrastructure together with social engineering to deploy two unique backdoors named MINIBIKE and MINIBUS.
Over 125 Azure command-and-control subdomains have been discovered in this attack campaign as part of the actor's TTPs.
According to Mandiant's report, the threat actor's campaigns were related to a fake recruiting website that hosted the MINIBUS payload.
Additionally, this campaign's evasion method involved using cloud infrastructure for C2, which makes the activity challenging for network defenders to prevent, detect, and mitigate.
The Tortoiseshell threat actor previously used this job-lure campaign.
As for the attack lifecycle, several stages of the attack chain were observed: spear-phishing with fake job offers for tech and defense-related positions, payload delivery, and installation of the payload on the device to compromise it.
The fake job-offer website was spread via social media and emails that contained malicious payloads for harvesting credentials.
These payloads were either MINIBIKE or MINIBUS, which have been used since at least 2022.
Once these payloads are installed on the victim’s device, the C2 communication is established through Microsoft Azure Cloud infrastructure, which collects information from the device and provides access.
Moreover, this stage was also found to be using the LIGHTRAIL tunneler. Some of the Azure C2 domains used were
MINIBIKE is a custom C++-based backdoor capable of exfiltrating files, executing commands, uploading files, and establishing communication with the Azure cloud infrastructure.
Once installed, this malware provides full backdoor functionality to the compromised device. The malware consists of three utilities
MINIBUS builds on the functionality offered by MINIBIKE, providing a more flexible code-execution interface and enhanced information-gathering features compared to MINIBIKE.
It contains very few built-in features compared to MINIBIKE. The functionalities of this malware include,
The LIGHTRAIL tunneler has multiple connections to the MINIBIKE and MINIBUS malware, including the shared code base, the Azure C2 infrastructure, and the same targets and victimology. It is based on the open-source utility Lastenzug, a SOCKS4a proxy.
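As an added illustration of the detection problem described above (C2 hidden behind Azure-hosted subdomains that cannot simply be blocked), the following script is an example that is not part of the original report or of Mandiant's tooling. It baselines the Azure hostnames an organisation knows it uses and reports, per internal client, any other Azure-hosted names it contacted and how often. The log format, the Azure service suffixes, the allowlist, and every hostname in it are constructed assumptions for the example.

```python
import re
from collections import defaultdict

# Azure-hosted service suffixes a defender might baseline (assumption: which
# suffixes matter depends on the environment; the page does not list them).
AZURE_SUFFIXES = (".azurewebsites.net", ".cloudapp.azure.com", ".azurefd.net")

# Constructed proxy log lines: "<timestamp> <client-ip> <host> <status>".
SAMPLE_LOG = """\
2024-02-28T08:00:01Z 10.1.2.3 login.microsoftonline.com 200
2024-02-28T08:00:05Z 10.1.2.3 hr-portal-example.azurewebsites.net 200
2024-02-28T08:05:05Z 10.1.2.3 hr-portal-example.azurewebsites.net 200
2024-02-28T08:10:05Z 10.1.2.3 hr-portal-example.azurewebsites.net 200
2024-02-28T08:10:09Z 10.1.2.3 update-node-7.cloudapp.azure.com 200
2024-02-28T08:15:05Z 10.1.2.3 hr-portal-example.azurewebsites.net 200
2024-02-28T08:01:00Z 10.1.2.9 corp-intranet.azurewebsites.net 200
2024-02-28T08:02:00Z 10.1.2.9 www.example.com 200
"""

# Constructed allowlist of Azure hostnames the organisation legitimately uses.
KNOWN_GOOD = {"corp-intranet.azurewebsites.net"}

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3})$")


def parse_log(text):
    """Return (timestamp, client, host) tuples for every well-formed line."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append((m.group(1), m.group(2), m.group(3).lower()))
    return records


def is_azure_hosted(host):
    """True when the hostname sits under one of the baselined Azure suffixes."""
    return host.endswith(AZURE_SUFFIXES)


def unknown_azure_hosts(records, known_good=KNOWN_GOOD):
    """Map each client to the non-allowlisted Azure hostnames it contacted and
    the request count per hostname; repeated contacts hint at beaconing."""
    hits = defaultdict(lambda: defaultdict(int))
    for _ts, client, host in records:
        if is_azure_hosted(host) and host not in known_good:
            hits[client][host] += 1
    return {client: dict(hosts) for client, hosts in hits.items()}
```

Triage each reported hostname by first-seen date and the number of clients contacting it: a name seen from a single host at regular intervals is the pattern worth pulling the process and certificate details for.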