Iranian MOIS Actors & the Cyber Crime Connection

MITRE Techniques

• [T1566 ] Phishing – Used to deliver infostealers and wipers in targeted lures; quote: ‘…pairing it with one of its custom wipers in phishing lures aimed at Israeli targets, most dominantly impersonating F5 updates.’
• [T1059 ] Command and Scripting Interpreter – JavaScript runtimes (Node.js and Deno) used to execute code on compromised hosts; quote: ‘…when the Node.js engine is detected, the botnet shifts to an alternative execution method using Deno…’
• [T1105 ] Ingress Tool Transfer – Downloaders used to deliver secondary payloads (e.g., FakeSet delivering CastleLoader); quote: ‘…a downloader used in recent infection chains delivering CastleLoader.’
• [T1553 ] Subvert Trust Controls (Code Signing) – Use of code-signing certificates to sign malware and evade detection; quote: ‘…use of a set of code-signing certificates, specifically under the Common Names “Amy Cherne” and “Donald Gay”.’
• [T1567 ] Exfiltration Over Web Service / Cloud Storage – Use of rclone to access a Wasabi server for storage or transfer of data; quote: ‘…the use of rclone to access a Wasabi server…’
• [T1588 ] Obtain Capabilities – Leveraging Malware-as-a-Service and affiliate models (e.g., CastleLoader, Qilin) to obtain tooling and operational support; quote: ‘CastleLoader operates as a Malware-as-a-Service offering used by multiple affiliates.’
• [T1485 ] Data Destruction – Employment of wiper malware in disruptive attacks and hack-and-leak operations; quote: ‘…most commonly associated with “hack and leak” operations and disruptive attacks, particularly wiper operations.’