Iranian hackers launch malware attacks on Israel’s tech sector



Security researchers have tracked a new campaign from Imperial Kitten targeting transportation, logistics, and technology firms.


Imperial Kitten is also known as Tortoiseshell, TA456, Crimson Sandstorm, and Yellow Liderc, and for several years it used the online persona Marcella Flores.


It is a threat actor linked to the Islamic Revolutionary Guard Corps (IRGC), a branch of the Iranian Armed Forces, and has been active since at least 2017 carrying out cyberattacks against organizations in various sectors, including defense, technology, telecommunications, maritime, energy, and consulting and professional services.


The recent attacks were discovered by researchers at cybersecurity company CrowdStrike, who made the attribution based on infrastructure overlaps with past campaigns, observed tactics, techniques, and procedures (TTPs), the use of the IMAPLoader malware, and the phishing lures.


Imperial Kitten attacks


In a report published earlier this week, researchers say that Imperial Kitten launched phishing attacks in October using a ‘job recruitment’ theme in emails carrying a malicious Microsoft Excel attachment.


When the document is opened, the malicious macro code within it extracts two batch files that create persistence through registry modifications and run Python payloads for reverse shell access.


The attacker then moves laterally on the network using tools like PAExec to execute processes remotely and NetScan for network reconnaissance. Additionally, they employ ProcDump to obtain credentials from the system memory.


Communication with the command and control (C2) server is achieved using the custom malware IMAPLoader and StandardKeyboard, both relying on email to exchange information.


The researchers say that StandardKeyboard persists on the compromised machine as a Windows service named "Keyboard Service" and executes base64-encoded commands received from the C2.
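The chain described above (Office document spawning a script host, Run-key persistence pointing at batch files, PAExec/NetScan and ProcDump usage, and a service named "Keyboard Service") maps to a few simple endpoint hunting rules. The following is an added example written for this article; it is not CrowdStrike's code or detection content. The `Event` record, its field names and the sample telemetry are constructed for the example and would need to be mapped onto a real EDR or Sysmon schema; the only page-derived value is the service name "Keyboard Service".

```python
import base64
import binascii
import ntpath
import re
from dataclasses import dataclass
from typing import Dict, List


# Constructed, simplified endpoint telemetry record (not a real EDR schema).
@dataclass
class Event:
    kind: str           # "process", "registry" or "service"
    image: str = ""     # executable image (process) or service binary path
    parent: str = ""    # parent image for process events
    cmdline: str = ""   # full command line
    target: str = ""    # registry value path or service display name
    data: str = ""      # registry value data


OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"cmd.exe", "python.exe", "pythonw.exe", "powershell.exe", "wscript.exe"}
LATERAL_TOOLS = {"paexec.exe", "netscan.exe"}
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
SCRIPT_EXT = (".bat", ".cmd", ".py")


def _base(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return ntpath.basename(path).lower()


def check_event(ev: Event) -> List[str]:
    """Return the names of the hunting rules a single event matches."""
    hits: List[str] = []
    img, parent = _base(ev.image), _base(ev.parent)
    if ev.kind == "process":
        if parent in OFFICE_APPS and img in SCRIPT_HOSTS:
            hits.append("office-spawns-script-host")   # macro launching batch files
        if img in LATERAL_TOOLS:
            hits.append("lateral-movement-tool")       # PAExec / NetScan
        if img == "procdump.exe" and "lsass" in ev.cmdline.lower():
            hits.append("lsass-memory-dump")           # credentials from memory
    elif ev.kind == "registry":
        # Run/RunOnce value whose data points at a script rather than a binary
        if RUN_KEY_RE.search(ev.target) and ev.data.lower().rstrip('"').endswith(SCRIPT_EXT):
            hits.append("run-key-script-persistence")
    elif ev.kind == "service":
        if ev.target.strip().lower() == "keyboard service":
            hits.append("suspicious-service-name")     # StandardKeyboard persistence
        if img in SCRIPT_HOSTS:
            hits.append("service-runs-script-host")
    return hits


def hunt(events: List[Event]) -> Dict[str, List[int]]:
    """Map each rule name to the indices of the events that triggered it."""
    findings: Dict[str, List[int]] = {}
    for i, ev in enumerate(events):
        for rule in check_event(ev):
            findings.setdefault(rule, []).append(i)
    return findings


def decode_c2_command(blob: str) -> str:
    """Decode one base64 command body for analyst triage of a captured message.

    Malformed input raises ValueError instead of being silently skipped.
    """
    try:
        raw = base64.b64decode(blob, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"not valid base64: {exc}") from exc
    return raw.decode("utf-8", errors="replace")


# Constructed sample telemetry mirroring the reported chain; last record is benign.
SAMPLE_EVENTS = [
    Event("process", image=r"C:\Windows\System32\cmd.exe",
          parent=r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
          cmdline=r'cmd.exe /c "%APPDATA%\stage1.bat"'),
    Event("registry", target=r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
          data=r'"C:\Users\victim\AppData\Roaming\stage2.bat"'),
    Event("process", image=r"C:\Tools\PAExec.exe",
          parent=r"C:\Windows\System32\cmd.exe", cmdline="PAExec.exe"),
    Event("process", image=r"C:\Tools\procdump.exe",
          parent=r"C:\Windows\System32\cmd.exe", cmdline="procdump.exe lsass.exe"),
    Event("service", target="Keyboard Service", image=r"C:\ProgramData\kbd\python.exe"),
    Event("process", image=r"C:\Windows\explorer.exe",
          parent=r"C:\Windows\System32\userinit.exe", cmdline="explorer.exe"),
]

if __name__ == "__main__":
    for rule, idx in sorted(hunt(SAMPLE_EVENTS).items()):
        print(f"{rule:32s} events {idx}")
```

Each rule on its own is a weak signal (ProcDump and PAExec are legitimate administration tools), so in practice the value comes from correlating several of them on one host within a short window, which `hunt` makes easy by returning the event indices per rule.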


CrowdStrike co ..
