Proofpoint computer security researchers have discovered a new phishing campaign launched by hackers working for the Iranian government. These operators have come up with a new ploy to lure users into downloading malicious attachments.
Phishing (hameçonnage, in Molière's parlance) remains one of the methods hackers most commonly use to get at user data. There is no shortage of recent examples, such as this large-scale Outlook phishing campaign that managed to bypass two-factor authentication.
Another example: in late July 2022, a cybersecurity team discovered a phishing campaign that used the Windows Calculator to spread a virus. Now, just this Wednesday, September 14, 2022, we learned that Proofpoint's computer security experts have uncovered a new phishing campaign.
According to them, behind this operation are members of the TA453 group, hackers who may be associated with Iran's Islamic Revolutionary Guard Corps. The technique behind this campaign is nothing more than a “sock puppet”. In short, the hackers correspond with each other by email while blind-copying their victims. The goal? To get them to download attachments containing malicious files.
New type of phishing campaign
But let's take a closer look at the procedure: the hackers create multiple fake email accounts by stealing the identities of scientists, executives or company directors. They then send an email to an accomplice account, with the victim in blind copy. The conversation continues from there, and the hackers make sure to bring up sensitive topics to pique the victim's curiosity.
From their point of view, victims think they have landed in the middle of an email thread that is not meant for them. After several days of discussion, an attachment is sent to the other participants. If the victim downloads and opens it on their device, they end up with a .DOCX file full of dangerous macros.
“The downloaded template, named Proofpoint Korg, contains three macros: Module1.bas, Module2.bas and ThisDocument.cls. The macros collect information such as the username, the list of running processes and the user's public IP address from my-ip.io, then exfiltrate this information using the Telegram API,” the researchers explain.
What particularly concerns Proofpoint is that all of the emails used in this attack come from major email providers such as Gmail, Outlook and Hotmail. So be wary if you suddenly find yourself in an email conversation among strangers.
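As an added illustration of how a defender might triage the thread pattern described in this article (this is example code, not Proofpoint's research or tooling), the Python below scores a message on four signals drawn from the text: the recipient appears in neither To nor Cc (a blind copy), every participant uses a consumer webmail domain, the mail is a reply inside an existing thread, and it carries an Office attachment that can deliver macros. The sample messages are constructed, the extension list and the additive scoring are assumptions, and .docx is included only because the article reports a .DOCX carrier whose downloaded template holds the macros.

```python
from email import message_from_string
from email.message import EmailMessage
from email.utils import getaddresses

FREEMAIL = {"gmail.com", "outlook.com", "hotmail.com"}  # providers named in the article
# Office types that can carry VBA. .docx is listed because the article reports a .DOCX
# carrier whose downloaded template holds the macros (assumption: remote template).
MACRO_EXT = (".docm", ".dotm", ".doc", ".dot", ".docx")


def _addresses(msg, header):
    """Lower-cased addresses from one header, tolerating display names."""
    return {addr.lower() for _, addr in getaddresses(msg.get_all(header, []))}


def score_message(raw: str, our_user: str) -> dict:
    """Return the four signals plus a simple additive score (0-4)."""
    msg = message_from_string(raw)
    visible = _addresses(msg, "To") | _addresses(msg, "Cc")
    participants = visible | _addresses(msg, "From")
    signals = {
        # Delivered to us although we appear in neither To nor Cc: we were Bcc'd.
        "bcc_only": our_user.lower() not in visible,
        # Every participant uses a consumer webmail domain.
        "all_freemail": bool(participants)
        and {a.split("@")[-1] for a in participants} <= FREEMAIL,
        # Looks like a reply inside an ongoing thread.
        "in_thread": msg.get("References") is not None,
        # Carries an attachment that can deliver macros.
        "macro_attachment": any(
            (p.get_filename() or "").lower().endswith(MACRO_EXT) for p in msg.walk()
        ),
    }
    signals["score"] = sum(1 for v in signals.values() if v)
    return signals


def build_sample(sender: str, to: str, attach: bool) -> str:
    """Constructed MIME message for testing; not a real captured email."""
    m = EmailMessage()
    m["From"], m["To"] = sender, to
    m["Subject"] = "Re: Re: draft for review"
    m["References"] = "<constructed-thread-id@example.invalid>"
    m.set_content("Attached is the document we discussed.")
    if attach:
        m.add_attachment(b"PK\x03\x04constructed", maintype="application",
                         subtype="octet-stream", filename="draft.docx")
    return m.as_string()
```

A score of 4 on a message delivered to a mailbox that is not named in any visible header is the pattern worth routing to analyst review; a colleague's reply inside an internal thread scores 1 on these signals.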