Mint Sandstorm (PHOSPHORUS) has refined its tradecraft, weaponizing N-day vulnerabilities and conducting targeted phishing to access high-value targets in the energy and transportation sectors. The group develops bespoke tooling (Drokbk, Soldier, CharmPower) and operates with mature, repeatable attack chains, prompting Microsoft to publish detections and mitigations. #MintSandstorm #PHOSPHORUS
Key points
- Mint Sandstorm is the Microsoft name for PHOSPHORUS, an Iranian nation-state actor linked to IRGC.
- The subgroup rapidly weaponizes publicly known vulnerability PoCs to access internet-facing apps (e.g., CVE-2022-47966, CVE-2022-47986, Log4Shell).
- Two primary attack chains describe their methods: Chain 1 uses Impacket, PowerShell for discovery, and SSH tunnels; Chain 2 uses Impacket, webhook.site for C2, scheduled tasks, and custom malware (Drokbk, Soldier).
- They deploy custom implants (Drokbk and Soldier) hosted via Mint Sandstorm GitHub repos with domain rotators to evade takedowns.
- A separate, targeted phishing branch uses template injection and CharmPower to deliver a modular PowerShell backdoor.
- Mitigations focus on hardening internet-facing assets, patching known N-day vulnerabilities, enabling attack surface reduction, and leveraging Defender and TI mapping for detections.
MITRE Techniques
- [T1190] Exploit Public-Facing Application – Rapidly weaponized publicly disclosed PoCs to exploit internet-facing apps; e.g., “began exploiting CVE-2022-47966 in Zoho ManageEngine… the same day the POC became public.”
- [T1059.001] PowerShell – Deploys a custom PowerShell script for discovery; “custom PowerShell script designed for discovery.”
- [T1021] Lateral Movement – “The Mint Sandstorm subgroup proceeds using Impacket to move laterally through a compromised organization…”
- [T1572] Protocol Tunneling – Uses an SSH tunnel for command and control.
- [T1003] Credential Dumping – Final objective often involves theft of the Active Directory database to access credentials.
- [T1071.001] Web Protocols – Webhook.site used for C2 communications.
- [T1053] Scheduled Task – Creates scheduled tasks for persistence in Chain 2.
- [T1221] Template Injection – Low-volume phishing with template injection delivering macro-enabled dotm templates via OneDrive.
- [T1566.001] Phishing: Spearphishing Link – Targeted phishing with OneDrive links to PDF/doc templates.
- [T1105] Ingress Tool Transfer – Drokbk backdoor retrieves C2 URLs from a GitHub README via web requests.
- [T1033] Account Discovery – PowerShell discovery steps include enumerating admin accounts and enabling RDP.
- [T1059.001] PowerShell – CharmPower backdoor delivered via phishing campaigns relying on template injection.
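As an added illustration of the detection side (not code from the Microsoft report), the following pass over constructed endpoint telemetry flags connections to the network indicators quoted on this page and raises a higher-severity alert when the same host then creates a scheduled task within a short window, which is the Chain 2 ordering (webhook.site C2, then T1053 persistence). Event field names, host names, timestamps and command lines are constructed for the example.

```python
"""Toy detection pass for the Chain 2 pattern (C2 indicator, then scheduled-task
persistence on the same host). Sample events and field names are constructed and
are not real Defender or Sysmon output."""
from datetime import datetime, timedelta

# Network indicators listed on this page, kept defanged as published.
PAGE_INDICATORS = ["webhook.site", "sync-system-time[.]cf", "update-windows-security[.]tk",
                   "54.39.202[.]0", "51.89.135[.]15"]

def refang(ioc: str) -> str:
    """Turn a defanged indicator ('a[.]b') back into its matchable form."""
    return ioc.replace("[.]", ".")

INDICATOR_SET = {refang(i) for i in PAGE_INDICATORS}

# Constructed telemetry: web01 shows the full Chain 2 sequence; fs02 creates an
# ordinary scheduled task before any C2 contact, so only the connection should alert.
SAMPLE_EVENTS = [
    {"ts": "2023-04-18T10:00:05", "host": "web01", "type": "net_conn",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "dest": "webhook.site"},
    {"ts": "2023-04-18T10:03:40", "host": "web01", "type": "proc_create",
     "image": "C:\\Windows\\System32\\schtasks.exe",
     "cmdline": "schtasks /create /tn Updater /tr C:\\Temp\\Soldier.exe /sc minute"},
    {"ts": "2023-04-18T11:15:00", "host": "fs02", "type": "proc_create",
     "image": "C:\\Windows\\System32\\schtasks.exe",
     "cmdline": "schtasks /create /tn Backup /tr backup.bat /sc daily"},
    {"ts": "2023-04-18T12:00:00", "host": "fs02", "type": "net_conn",
     "image": "C:\\Temp\\Drokbk.exe", "dest": "update-windows-security.tk"},
]

def detect(events, window=timedelta(minutes=30)):
    """Return alerts: every connection to a page indicator (T1071.001), plus a
    chain alert when the same host creates a scheduled task (T1053) within
    `window` after such a connection."""
    alerts, last_c2 = [], {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        if ev["type"] == "net_conn" and ev["dest"] in INDICATOR_SET:
            alerts.append(("c2_indicator", ev["host"], ev["dest"]))
            last_c2[ev["host"]] = ts
        elif (ev["type"] == "proc_create" and ev["image"].lower().endswith("schtasks.exe")
              and "/create" in ev["cmdline"].lower()):
            seen = last_c2.get(ev["host"])
            if seen is not None and ts - seen <= window:
                alerts.append(("chain2_c2_then_schtask", ev["host"], ev["cmdline"]))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```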
Indicators of Compromise
- [File name] – Soldier.exe, Drokbk.exe, and 4 more files (e.g., NY.docx.docx, Abraham%20Accords%20Du.[.]docx, DocTemplate.dotm, DntDocTemp.dotm)
- [SHA-256] – ad55b4a40f9e52682d9d4f069914e09c941e8b77ca7b615e9deffccdfbc54145, 64f39b858c1d784df1ca8eb895ac7eaf47bf39acf008ed4ae27a796ac90f841b, and 2 more hashes
- [Domain] – sync-system-time[.]cf, update-windows-security[.]tk, and 2 more domains
- [IP address] – 54.39.202[.]0, 51.89.135[.]15, and 2 more IPs