TA402 Uses Complex IronWind Infection Chains to Target Middle East-Based Government Entities  | Proofpoint US

Proofpoint observed TA402 deploy a new multi-stage initial access downloader called IronWind in targeted phishing campaigns from July–October 2023, using PPAM, XLL, and RAR delivery variants that ultimately sideloaded malicious DLLs. The actor used reflective .NET loaders, WMI queries, SharpSploit, actor-controlled C2 domains, and compromised Ministry of Foreign Affairs email accounts. #IronWind #TA402 #Molerats #MinistryOfForeignAffairs

Keypoints

  • Between July and October 2023 TA402 ran targeted phishing campaigns delivering a new downloader named IronWind across three delivery variants: Dropbox links to PPAM, attached XLL files, and RAR attachments.
  • The PPAM macro dropped version.dll (IronWind), timeout.exe (a legitimate Windows binary used to sideload it) and gatherNetworkInfo.vbs; the later XLL and RAR variants delivered IronWind as propsys.dll alongside a renamed copy of tabcal.exe used to sideload it.
  • After initial execution, IronWind performed HTTP GETs to actor-controlled C2 (theconomics[.]net) which returned shellcode; the shellcode used reflective .NET loaders, executed WMI queries, and loaded a .NET payload that leveraged SharpSploit.
  • C2 communications used HTTP/HTTPS GETs and POSTs with a unique custom User-Agent string for authentication and JSON responses; Request Inspector was abused for an initial base64-encoded check-in and lightweight exfiltration of system info.
  • TA402 consistently used geofencing and decoy documents to evade detection and focused on a very small set of Middle East / North Africa government targets, frequently using compromised Ministry of Foreign Affairs accounts.
  • Analysis revealed unsanitized PDB paths revealing a project name “tornado” and function-based build separations (IA, stager, payloads), enabling targeted YARA hunting.

MITRE Techniques

  • [T1566] Phishing – Used targeted phishing emails to deliver malicious attachments/links (‘phishing campaign using a compromised Ministry of Foreign Affairs email account’).
  • [T1566.001] Spearphishing Attachment – Delivered malicious PPAM, XLL, and RAR attachments to trigger execution (‘attached XLL file’ / ‘RAR file attachment that contained a renamed version of tabcal.exe’).
  • [T1204.002] User Execution: Malicious File – Office macro execution in PPAM dropped the initial IronWind components (‘PPAM file contained a macro that dropped three files’).
  • [T1574.002] Hijack Execution Flow: DLL Side-Loading – IronWind was loaded by placing it beside a legitimate Microsoft binary (timeout.exe or a renamed tabcal.exe) under the name of a DLL that binary imports (‘timeout.exe was used to sideload IronWind’).
  • [T1047] Windows Management Instrumentation – Shellcode used reflective .NET loaders to run WMI queries for discovery (‘shellcode used reflective .NET loaders to conduct WMI queries’).
  • [T1620] Reflective Code Loading – Shellcode returned by the C2 loaded .NET assemblies directly into memory rather than from disk (‘shellcode used reflective .NET loaders’).
  • [T1071.001] Application Layer Protocol: Web Protocols – IronWind used HTTP/HTTPS GET and POST to actor-controlled C2 domains for command, control, and payload delivery (‘IronWind sent an HTTP GET request to a known TA402 C2 domain, theconomics[.]net’).
  • [T1567] Exfiltration Over Web Service – The initial check-in and a small amount of system information went to Request Inspector, a third-party request-capture service, as base64-encoded data rather than over the actor's own C2 (‘base64 encoded check in to Request Inspector … to exfiltrate some system information’).
  • [T1078] Valid Accounts – Phishing emails originated from and reused compromised legitimate Ministry of Foreign Affairs email accounts (‘compromised Ministry of Foreign Affairs email account’).
  • [T1027] Obfuscated Files or Information – Use of base64 encoding for check-ins and layered stages to conceal payloads (‘sent a base64 encoded check in to Request Inspector’).

Indicators of Compromise

  • [SHA256] Malware binaries – 9b2a16cbe5af12b4…31f47, 5d773e734290b936…79160, and multiple other hashes (truncated here; dozens of per-stage payload hashes are listed in full in the original report).
  • [Domain | IP (C2)] Command-and-control – theconomics[.]net (191.101.78[.]189), inclusive-economy[.]com (actor C2 domains observed in 2023 campaigns).
  • [Domains] Additional actor infrastructure – healthcaption[.]com (observed as associated domain used in campaigns).
  • [File Names] Delivered/sideloaded filenames – version.dll (IronWind), propsys.dll (IronWind), timeout.exe / tabcal.exe (used for sideloading), gatherNetworkInfo.vbs.
  • [PDB paths] Build metadata useful for hunting – C:UsersWinDesktopRenoNewTor…tornado…, K:prjWIPC# – PayloadClient-Side…KALV.pdb (unsanitized PDB paths revealing the project name “tornado”; the path separators were lost when this summary was extracted, so hunt on stable substrings such as “tornado” and the build-area names rather than on the full path as printed here).

TA402’s infection chains begin with highly targeted phishing messages that deliver one of three initial vectors: a Dropbox link to a PPAM (PowerPoint Add-in) carrying a macro, an attached XLL, or a RAR archive containing a renamed executable. Each variant places multiple components on disk: the IronWind DLL (named version.dll or propsys.dll), a legitimate signed Windows launcher (timeout.exe or a renamed tabcal.exe) and gatherNetworkInfo.vbs. Because the launcher resolves its imported DLL from its own directory before the system directory, running it loads IronWind in place of the genuine Windows DLL, so the malicious code executes inside a trusted, signed process.
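The sideloading step above is the most reliable place to catch this chain on the endpoint, because a signed Microsoft binary loading version.dll or propsys.dll from a user-writable directory is rare in normal telemetry. The following is an added example, not Proofpoint's tooling: it scores constructed Sysmon-style ImageLoad records (Event ID 7 fields, plus the process's OriginalFileName joined in from its Event ID 1, which is an assumption about how the data was collected but is the only way to recognise a renamed tabcal.exe). The generic check (a DLL with a well-known system name loaded from beside the launcher) is broader than the two launchers the report names, so it also surfaces future renames.

```python
"""Hunt for the IronWind sideloading pattern in constructed Sysmon-style
ImageLoad telemetry. Example code, not Proofpoint's; all events below are made up."""
from pathlib import PureWindowsPath
from typing import Optional

# Launchers the report names as sideload hosts, and the DLL names IronWind used.
SIDELOAD_HOSTS = {"timeout.exe", "tabcal.exe"}
IRONWIND_DLL_NAMES = {"version.dll", "propsys.dll"}
# Where the legitimate copies of those DLLs live; a load from anywhere else is suspect.
SYSTEM_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64")


def _in_system_dir(path: str) -> bool:
    return path.lower().startswith(SYSTEM_DIRS)


def score_image_load(ev: dict) -> Optional[dict]:
    """Return a finding for one ImageLoad event, or None if it looks benign.

    ev fields (constructed): Image, ProcessOriginalFileName, ImageLoaded,
    Signed, Signature.  ProcessOriginalFileName is the PE-header name of the
    process image (assumed joined from Event ID 1) so a renamed tabcal.exe
    still matches.
    """
    proc = PureWindowsPath(ev["Image"])
    dll = PureWindowsPath(ev["ImageLoaded"])
    launcher_names = {proc.name.lower(), ev.get("ProcessOriginalFileName", "").lower()}
    dll_name = dll.name.lower()
    reasons = []

    if dll_name in IRONWIND_DLL_NAMES and not _in_system_dir(str(dll)):
        reasons.append(f"{dll_name} loaded from a non-system path")
        if launcher_names & SIDELOAD_HOSTS:
            reasons.append("launcher is a known IronWind sideload host")
        if dll.parent == proc.parent:
            reasons.append("DLL sits beside the launcher (search-order hit)")
        if ev.get("Signed", "false").lower() != "true":
            reasons.append("DLL is unsigned")
        elif "microsoft" not in ev.get("Signature", "").lower():
            reasons.append("DLL signer is not Microsoft")

    if not reasons:
        return None
    severity = "high" if len(reasons) >= 3 else "medium"
    return {"process": str(proc), "dll": str(dll), "severity": severity, "reasons": reasons}


def hunt(events: list) -> list:
    """Score every event and keep only the findings."""
    return [f for f in (score_image_load(e) for e in events) if f]


# Constructed sample telemetry: the PPAM chain, the RAR chain with a renamed
# tabcal.exe, a genuine system load, and a third-party app shipping its own copy.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\victim\AppData\Local\Temp\timeout.exe",
     "ProcessOriginalFileName": "timeout.exe",
     "ImageLoaded": r"C:\Users\victim\AppData\Local\Temp\version.dll",
     "Signed": "false", "Signature": ""},
    {"Image": r"C:\Users\victim\Downloads\Report\Document.exe",
     "ProcessOriginalFileName": "tabcal.exe",
     "ImageLoaded": r"C:\Users\victim\Downloads\Report\propsys.dll",
     "Signed": "false", "Signature": ""},
    {"Image": r"C:\Windows\System32\timeout.exe",
     "ProcessOriginalFileName": "timeout.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll",
     "Signed": "true", "Signature": "Microsoft Windows"},
    {"Image": r"C:\Program Files\SomeApp\app.exe",
     "ProcessOriginalFileName": "app.exe",
     "ImageLoaded": r"C:\Program Files\SomeApp\propsys.dll",
     "Signed": "true", "Signature": "Microsoft Windows"},
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding["severity"], finding["process"], "->", finding["dll"])
        for r in finding["reasons"]:
            print("   -", r)
```

The fourth sample shows the expected noise: an application that legitimately bundles a copy of propsys.dll scores medium, not high, because the launcher is not a known host and the DLL carries a valid Microsoft signature. Tune the severity thresholds against your own baseline of which products redistribute these DLLs.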

Once sideloaded, IronWind performs an HTTP GET to a TA402 C2 (for example theconomics[.]net), and the server responds with shellcode. That shellcode uses reflective .NET loading to execute entirely in memory, runs WMI queries for host discovery, and acts as a multipurpose loader that fetches a .NET payload built on SharpSploit for post-exploitation. Subsequent C2 traffic is HTTP/HTTPS with JSON responses, and the server only answers requests that carry a distinctive custom User-Agent string, which functions as a lightweight authentication token. Separately, the actor used Request Inspector endpoints for a base64-encoded check-in that carried basic system information, so the first beacon does not necessarily touch actor-owned infrastructure at all.
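Three properties of that traffic are detectable without knowing the exact User-Agent value, which the report does not publish: the destination is one of the listed C2 domains, the User-Agent is unique to a single host in the estate, or a request-capture service is receiving base64 bodies. The block below is an added example, not Proofpoint's code, that runs those checks over constructed proxy-log records. The hostname marker used to recognise the request-capture service and the User-Agent value are assumptions for the example; substitute what appears in your own logs.

```python
"""Triage constructed proxy-log records for the IronWind C2 pattern: GET/POST
to actor domains, a user agent no other host uses, and base64 check-ins to a
third-party request-capture service. Example code, not Proofpoint's."""
import base64
import binascii
from collections import defaultdict

KNOWN_C2 = {"theconomics.net", "inclusive-economy.com", "healthcaption.com"}
# Assumption for this example: the capture service is recognised by a hostname
# substring. Replace with the exact hostnames observed in your environment.
CAPTURE_SERVICE_MARKERS = ("requestinspector",)

# Constructed records: (src_host, method, host, path, user_agent, body).
# The custom User-Agent value below is invented for the example.
CUSTOM_UA = "XyZ-loader/1.0 f00dcafe"
BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0) Chrome/118.0"
LOGS = [
    ("ws01", "GET", "www.example-news.com", "/", BROWSER_UA, ""),
    ("ws02", "GET", "www.example-news.com", "/", BROWSER_UA, ""),
    ("ws03", "GET", "theconomics.net", "/", CUSTOM_UA, ""),
    ("ws03", "POST", "theconomics.net", "/api", CUSTOM_UA, '{"id":1}'),
    ("ws03", "POST", "requestinspector.example", "/inspect/abc", CUSTOM_UA,
     base64.b64encode(b"host=WS03;user=j.doe;domain=CORP;os=10.0.19045").decode()),
]


def ua_prevalence(records: list) -> dict:
    """Number of distinct source hosts that sent each User-Agent."""
    hosts = defaultdict(set)
    for src, _method, _host, _path, ua, _body in records:
        hosts[ua].add(src)
    return {ua: len(s) for ua, s in hosts.items()}


def decode_checkin(body: str):
    """Strictly decode a base64 body; return None if it is not valid base64."""
    try:
        raw = base64.b64decode(body, validate=True)
    except (binascii.Error, ValueError):
        return None
    return raw.decode("utf-8", "replace") if raw else None


def triage(records: list, rare_threshold: int = 1) -> list:
    """Return one finding per suspicious record with the reasons it tripped."""
    prevalence = ua_prevalence(records)
    findings = []
    for src, method, host, path, ua, body in records:
        reasons = []
        if host.lower() in KNOWN_C2:
            reasons.append("known TA402 C2 domain")
        if prevalence[ua] <= rare_threshold:
            reasons.append(f"user agent seen on only {prevalence[ua]} host(s)")
        decoded = None
        if any(m in host.lower() for m in CAPTURE_SERVICE_MARKERS):
            reasons.append("request-capture service used as a drop point")
            if method == "POST":
                decoded = decode_checkin(body)
        if reasons:
            findings.append({"src": src, "method": method, "host": host,
                             "path": path, "reasons": reasons, "checkin": decoded})
    return findings


if __name__ == "__main__":
    for f in triage(LOGS):
        print(f["src"], f["method"], f["host"], f["reasons"], f["checkin"])
```

The prevalence check is the transferable part: a loader that authenticates with a bespoke User-Agent is, by construction, the only thing in the estate sending that string, so counting distinct hosts per User-Agent surfaces it even after the actor rotates domains.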

Across the July–October 2023 timeframe TA402 changed its delivery to evade detection (moving from Dropbox links to XLL and then RAR attachments), kept using geofencing and decoy documents to filter out anyone who was not an intended target, and leaked development artifacts: unsanitized PDB paths that name a project “tornado” and separate build areas for IA (initial access), stager and payloads. Proofpoint turned those strings into YARA rules for hunting and detection.
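Because the PDB path is embedded verbatim in the PE's CodeView (RSDS) debug record, it can be recovered from raw bytes without a full PE parser and turned into the kind of YARA rule the paragraph describes. The following is an added example, not Proofpoint's code: it extracts RSDS records, classifies each path by project marker and build area, and emits a YARA rule from what it finds. The sample PE fragment and its PDB path are constructed for the example and are not the actor's real path, which the report prints only in truncated form.

```python
"""Recover CodeView (RSDS) PDB records from raw PE bytes, classify them by the
project and build-area conventions the report describes, and emit a YARA rule.
Example code, not Proofpoint's; the sample bytes and path are constructed."""
import re
import struct
import uuid

# RSDS | GUID (16 bytes, little-endian layout) | age (u32) | NUL-terminated ASCII path
RSDS_RE = re.compile(rb"RSDS(.{16})(.{4})([\x20-\x7e]{1,260}?\.pdb)\x00", re.DOTALL)

PROJECT_MARKERS = ("tornado",)
BUILD_AREAS = {"ia": "initial-access", "stager": "stager",
               "payload": "payload", "payloads": "payload"}


def extract_pdb_records(blob: bytes) -> list:
    """Return every RSDS record found in blob as {guid, age, path}."""
    records = []
    for m in RSDS_RE.finditer(blob):
        guid = uuid.UUID(bytes_le=m.group(1))
        (age,) = struct.unpack("<I", m.group(2))
        records.append({"guid": str(guid), "age": age,
                        "path": m.group(3).decode("ascii")})
    return records


def classify(path: str) -> dict:
    """Pull the project marker, build area and developer username out of a path."""
    parts = [p.lower() for p in re.split(r"[\\/]", path) if p]
    project = next((mk for mk in PROJECT_MARKERS if any(mk in p for p in parts)), None)
    area = next((BUILD_AREAS[p] for p in parts if p in BUILD_AREAS), None)
    user = parts[2] if len(parts) > 2 and parts[0] == "c:" and parts[1] == "users" else None
    return {"project": project, "build_area": area, "user": user}


def yara_rule(name: str, records: list) -> str:
    """Build a YARA rule matching the exact PDB paths plus the project marker.
    YARA text strings need backslashes doubled."""
    lines = [f"rule {name}", "{", "    strings:"]
    for i, r in enumerate(records):
        esc = r["path"].replace("\\", "\\\\")
        lines.append(f'        $pdb{i} = "{esc}" ascii')
    for i, mk in enumerate(PROJECT_MARKERS):
        lines.append(f'        $proj{i} = "{mk}" ascii nocase')
    lines += ["    condition:", "        uint16(0) == 0x5A4D and any of them", "}"]
    return "\n".join(lines)


# Constructed PE-like blob: MZ header stub, padding, then one RSDS record.
_GUID = uuid.UUID("12345678-1234-5678-1234-567812345678")
SAMPLE_PE = (
    b"MZ" + b"\x00" * 62 + b"\x90" * 32
    + b"RSDS" + _GUID.bytes_le + struct.pack("<I", 3)
    + b"C:\\Users\\dev\\Desktop\\tornado\\stager\\Release\\stager.pdb\x00"
    + b"\x00" * 16
)

if __name__ == "__main__":
    recs = extract_pdb_records(SAMPLE_PE)
    for r in recs:
        print(r, classify(r["path"]))
    print(yara_rule("TA402_IronWind_pdb_example", recs))
```

Hunting on the full path catches this build only; the `$proj` string catches any binary from the same project directory, including the stager and payload builds the report says were kept in separate areas, at the cost of occasional collisions with unrelated software that happens to use the word. Review hits rather than blocking on them.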

Read more: https://www.proofpoint.com/us/blog/threat-insight/ta402-uses-complex-ironwind-infection-chains-target-middle-east-based-government