Security researchers have uncovered a new scam linked to the Phosphorus APT group. This hacking group has a wide range of skills, from ransomware to targeted spear phishing against high-profile individuals.
Check Point Research (CPR) reports that it is on the trail of a new hacking campaign. The activity cluster was named Educated Manticore, after the manticore of Persian mythology; with that name the researchers make clear which nation they suspect is behind the campaign.
State hacker groups from Iran
Sergey Shykevich, Threat Group Manager at Check Point Software Technologies, comments: “In our study, we shed light on the ongoing evolving capabilities of Iranian nation-state hacking groups. Similar to ordinary cyber criminals, who adapt their infection chains to changing IT environments, nation-state hackers are now also using ISO files to circumvent new measures against the infected Office files, which have been popular up to now. However, this player's tools have also improved, indicating Iran's continued investment in expanding its state IT capabilities.”
Phosphorus is a notorious APT (Advanced Persistent Threat) group that operates from Iran, primarily in and against North America and the Arab world. The new group, which appears to be associated with Phosphorus, uses seldom-seen methods, including .NET binaries built as mixed-mode assemblies. The new campaign consists mainly of phishing against Iraqis and Israelis using an ISO image file, since companies and government agencies have recently put many protections in place against infected Office files such as supposed Word or Excel documents. Within the ISO file, the documents were kept in Arabic and Hebrew.
Beginning of an infection chain
The security researchers at Check Point suspect that this method is intended only as the beginning of an infection chain that opens a gateway for malware or ransomware: the variant in the ISO files is an update of older malware, and both may be linked to ransomware operations of Phosphorus. For this reason, the experts advise all IT decision-makers to install patches and updates for their security products and applications regularly, to give employees (including management) basic IT security training against threats, and to prefer a consolidated approach when purchasing IT security solutions instead of buying a proliferation of individual products that work poorly together and thus leave gaps in the defense.
Automated threat detection and response has become essential, as has automated monitoring of email (especially attachments) and automated email response. The same applies to files and their activity on the computers in the network. Being connected to a threat intelligence cloud also helps considerably, since it feeds real-time threat and response data from around the world into a security solution that is controlled centrally.
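The article's point is that disk-image attachments sidestep controls tuned for Office documents, so attachment monitoring should identify an ISO by content rather than by declared name or MIME type. The following is an added illustration, not Check Point's code: it walks a MIME message's attachments, checks for the ISO 9660 volume descriptor signature ("CD001" at sector 16) and flags lure-style extensions, using a constructed sample message in which the image is attached under a document-like filename.

```python
import email
from email.message import EmailMessage
from email.policy import default

# ISO 9660 primary volume descriptor lives in sector 16 (2048-byte sectors):
# byte 0 is the descriptor type, bytes 1..5 are the literal "CD001".
# Filters keyed only on the filename extension miss a renamed image.
ISO_SIG_OFFSET = 16 * 2048 + 1
ISO_SIG = b"CD001"
LURE_EXTS = (".iso", ".img", ".vhd", ".vhdx")  # assumed watch-list of image types


def looks_like_iso(data: bytes) -> bool:
    """True if the payload carries an ISO 9660 volume descriptor signature."""
    return data[ISO_SIG_OFFSET:ISO_SIG_OFFSET + len(ISO_SIG)] == ISO_SIG


def flag_attachments(raw_message: bytes) -> list:
    """Return one finding per attachment that is a disk image by content or by name."""
    msg = email.message_from_bytes(raw_message, policy=default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        data = part.get_payload(decode=True) or b""
        by_content = looks_like_iso(data)
        by_name = name.lower().endswith(LURE_EXTS)
        if by_content or by_name:
            findings.append({
                "filename": name,
                "iso_signature": by_content,   # content says "disk image"
                "lure_extension": by_name,     # name says "disk image"
                "size": len(data),
            })
    return findings


def build_sample_message() -> bytes:
    """Constructed sample: a minimal ISO-like blob attached as 'Report.pdf'."""
    fake_iso = bytearray(18 * 2048)          # empty sectors, no real filesystem
    fake_iso[16 * 2048] = 1                  # descriptor type: primary volume
    fake_iso[ISO_SIG_OFFSET:ISO_SIG_OFFSET + len(ISO_SIG)] = ISO_SIG
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "analyst@example.invalid"
    msg["Subject"] = "Document"
    msg.set_content("Please see attached.")
    msg.add_attachment(bytes(fake_iso), maintype="application",
                       subtype="octet-stream", filename="Report.pdf")
    msg.add_attachment(b"%PDF-1.4 constructed harmless bytes", maintype="application",
                       subtype="pdf", filename="invoice.pdf")
    return msg.as_bytes()
```

Only the renamed image is reported; the plain PDF attachment passes, which is the distinction an extension-only filter cannot make.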
More at Checkpoint.com
About Check Point: Check Point Software Technologies GmbH (www.checkpoint.com/de) is a leading provider of cybersecurity solutions for public administrations and companies worldwide. Its solutions protect customers from cyberattacks with an industry-leading detection rate for malware, ransomware and other types of attacks. Check Point offers a multi-level security architecture that protects company information in cloud environments, networks and on mobile devices, as well as a comprehensive and intuitive "one point of control" security management system. Check Point protects over 100,000 businesses of all sizes.