216.73.217.22

Iranian Cyber Actors Targeting Personal Accounts to Support Operations

· Published 30/09/2024 10:45 · Modified 30/09/2024 10:52

Export JSON

Essential information

Published
30/09/2024 10:45
Modified
30/09/2024 10:52
Tags
2024-09-30 credential-theft impersonation iran phishing political campaigns social engineering two-factor authentication
Related entities
65 observables, 1 intrusion sets (apt), 11 techniques (mitre), 5 others

Description

Cyber actors working for 's Islamic Revolutionary Guard Corps (IRGC) are targeting individuals connected to Iranian and Middle Eastern affairs, including government officials, think tank personnel, journalists, activists, and lobbyists. They use techniques, impersonating contacts or email providers to gain access to personal and business accounts. The actors attempt to build rapport before sending malicious links to capture credentials. Targets may be prompted to provide codes or interact with phone notifications. Recent activity has also focused on persons associated with US . The cyber actors tailor their approach to include areas relevant to the target, such as interview requests, conference invitations, or foreign policy discussions. Indicators of compromise include suspicious logins, creation of message forwarding rules, and exfiltration of messages.

Related entities

Vulnerabilities, IOCs, intrusion sets, MITRE techniques and other entities referenced in this report.

Observables (65)

  • covid19questionnaire.freesite.vip
  • verificationservice.online
  • uani.us
  • tinyurl.live
  • tinyurl.ink
  • tinyurl.co.il
  • summit-files.com
  • sharefilesonline.live
  • shared-files-access.live
  • safeshortl.ink
  • redirect-drive.online
  • qmaiil.ml
  • on-dr.com
  • myconnect-support.com
  • mofa-ic.ae
  • mfa-ic.ae
  • mailerdaemon.info
  • mailer-support.online
  • mailer-daemon.site
  • mailer-daemon.org
  • mailer-daemon.online
  • mailer-daemon.net
  • mailer-daemon.me
  • mailer-daemon.live
  • mailer-daemon-message.co
  • lst-accurate.com
  • lovetoflight.com
  • gm-sup.com
  • linkauthenticator.online
  • gl-sup.online
  • gettogether.quest
  • gdrive-files.com
  • g-shorturl.com
  • freshconnect.live
  • freahman.online
  • filetransfer.club
  • email-protection.online
  • file-access.com
  • dr-sup.live
  • dreamycareer.com
  • doctransfer.online
  • docfileview.org
  • discovery-protocol.ml
  • direct-access.info
  • de-ma.online
  • daemon-mailer.com
  • cutly.vip
  • cutly.biz
  • css-ethz.ch
  • continuetogo.me
  • bytli.us
  • boom-boom.ga
  • atlantic-council.com
  • accurateprivacy.online
  • accunt-loqin.ml
  • accessverification.online
  • accesscheckout.online
  • 3dconfirrnation.com
  • 3dauth.live
  • youtransfer.live
  • washingtonlnstitute.org
  • mailer-daemon.us
  • litby.us
  • email-daemon.site
  • bitly.org.il

Intrusion sets (APT) (1)

Techniques (MITRE) (11)

  • T1585
    Establish Accounts
  • T1589
    Gather Victim Identity Information
  • T1586
    Compromise Accounts
  • T1534
    Internal Spearphishing
  • T1136
    Create Account
  • T1531
    Account Access Removal
  • T1114
    Email Collection
  • T1598
    Phishing for Information
  • T1584
    Compromise Infrastructure
  • T1566
    Phishing
  • T1078
    Valid Accounts

Others (5)

  • United Kingdom of Great Britain and Northern Ireland
  • United States of America
  • Media
  • NGO
  • Government

External references