Rewterz Threat Alert – Iran’s Latest Mint Sandstorm APT Campaign Targets Universities and Research Organizations – Active IOCs

Severity

High

Analysis Summary

The Iran-attributed Mint Sandstorm advanced persistent threat (APT) group has been targeting specialists in Middle Eastern affairs at universities and research institutes using advanced social engineering techniques to infect targeted systems with malware.

The recent espionage campaign conducted by the Mint Sandstorm group steals information from journalists, professors, researchers, and other professionals who work on security and policy topics of interest to the Iranian government. According to a Microsoft advisory, the APT group utilizes lures that are related to the Israel-Palestinian war, making it seem like the threat group intends to collect intelligence and look at perspectives about the conflict from policy experts. Mint Sandstorm is notorious for its persistence and sustained efforts.

The group overlaps with threat actors such as APT35 and Charming Kitten. The latest campaign is believed to be conducted by a subgroup of Mint Sandstorm which seems to be experienced technically and operationally. The operators that work with this subgroup possess good skills in social engineering and have patience, with their phishing emails looking legitimate. In some instances, the group also utilized legitimate but compromised accounts for sending out phishing emails.

Mint Sandstorm carries out reconnaissance and espionage activities regularly against the foes of the Iranian government. A common tactic of the group is pretending to be a known researcher or journalist to target educational institutions. The threat actors usually engage with the targeted user, disguising themselves as an interviewer or wanting to start a conversation about specific topics, and eventually manipulating the email thread to the point that the individual feels confident and convinced to click on a link. When the group successfully manages to steal credentials for an email account, it usually uses it to impersonate a legitimate journalist or researcher.

The phishing email that Mint Sandstorm sends to its victim contains a link to a malicious website leading to an RAR archive file, claimed by the actors to contain a draft document for review. The threat actors eventually drop one of the two custom backdoor malware; MediaPI which acts as Windows Media Player, or MischiefTut which is a tool written in PowerShell.

Mint Sandstorm continues to improve its tools that are used in compromised environments to make detection evasion better and persist in the infected network. Nation-state groups and financially motivated threat actors usually share techniques, so the use of a custom backdoor is notable. What seems to be a targeted, geopolitically motivated attack has the chance to turn into a widespread threat that could end up affecting a larger number of organizations and individuals.

Impact

• Cyber Espionage
• Identity Theft
• Unauthorized Access

Indicators of Compromise

Domain Name:

• east-healthy-dress.glitch.me
• coral-polydactyl-dragonfruit.glitch.me

MD5

• 4d75ed2a0a1016734a561295a49acb83

SHA-256

• f2dec56acef275a0e987844e98afcc44bf8b83b4661e83f89c6a2a72c5811d5f

SHA-1

• 5b5a226b906bf83c4f6ef49189f4bde560398edb

Remediation

• Block all threat indicators at your respective controls.
• Search for Indicators of compromise (IOCs) in your environment utilizing your respective security controls.
• Implement strong access controls: This includes using multi-factor authentication, strong passwords, and limiting access to sensitive systems and data.
• Regularly patch and update systems: Keeping systems up-to-date with the latest security patches and configurations is essential to prevent known vulnerabilities from being exploited.
• Monitor network activity: This includes using intrusion detection and prevention systems to detect and respond to potential attacks.
• Conduct regular vulnerability assessments: This can help identify and remediate weaknesses in network defenses before they can be exploited by attackers.
• Implement network segmentation: Limiting access to critical systems through network segmentation can help prevent lateral movement by attackers if they gain access to the network.
• Prioritize employee training and awareness: This can help prevent social engineering attacks, such as phishing, which are commonly used by nation-state threat actors to gain access to sensitive systems and data.
• Have an incident response plan in place: This should include regular testing and updating of the plan to ensure that it remains effective in the face of evolving threats.