Iran state-sponsored hackers have been exposed again. Green Leakers spread info on MuddyWater and Tehran’s Ministry of Intelligence cyber espionage operations via the RANA Institute
Iran state-sponsored hackers have been exposed again. The exposure comes in two leaks published by the Green Leakers via Telegram channels and sites on both the Dark Web and the open Internet. They contain images of source code of unknown origin, command and control server backends, and lists of past hacking victims of Tehran’s cyber spies. Some of the material relates to the MuddyWater APT; the rest consists of “secret” documents created by the Iranian Ministry of Intelligence, which reveal that the Regime hired the Rana Institute as a contractor for cyber-espionage operations. The data were verified by ClearSky cyber security experts. They wrote in a report that “documents contain lists of victims, cyber-attack strategies, alleged areas of access, a list of employees, and screenshots from internal websites relevant to espionage systems”. They “shed light on some aspects of the group’s activity, notably: tracking Iranians, tracking Iranian citizens outside of Iran, and the group’s members.”
The RANA project to develop malware capable of damaging SCADA industrial control systems failed. Meanwhile, Lab Dookhtegan recently revealed the source code of APT34 malware
According to the cyber security experts, the RANA Institute hackers were asked to develop malware capable of damaging SCADA industrial control systems. But ClearSky said the project was “unsuccessful… despite a large budget”. These latest leaks come only shortly after someone revealed the source code of several malware strains linked to the Iranian government-backed cyber-espionage group APT34 (aka OilRig and HelixKitten) last month. According to ZDNet, the tools have been leaked since mid-March on a Telegram channel by an individual using the Lab Dookhtegan pseudonym. He also published what appears to be data from some of APT34’s hacked victims, mostly comprising username and password combos that appear to have been collected through phishing pages.