

April 8, 2022
Severity
High
Analysis Summary
UNC788
Phosphorus (aka UNC788, TA453, COBALT ILLUSION, Charming Kitten, Newscaster, Magic Hound, and APT35) is an Iran-based nation-state threat group that has been active since at least 2014. The group conducts cyberattacks against Iran’s adversaries in association with Iran’s Islamic Revolutionary Guard Corps. It uses novel detection-evasion techniques built around malicious PowerShell scripts; the scripts install a remote access backdoor that then downloads further malware payloads. With its multi-staged and modular toolkits, Phosphorus is a stealthy threat to the enemies of Iran. The group has also developed compromised apps by copying legitimate apps from the Play Store, including a birthday calendar app and an Android app disguised as a Quran app. Meta refers to this malware as “HilalRat”, as “Hilal” was mentioned in the malware samples.
Unreported Hacking Group
Security researchers have identified a previously unreported Iran-based hacking group. The group is targeting the IT industry in the UAE (United Arab Emirates) and India, and the energy sector in Canada, Saudi Arabia, Russia, and Italy. The telecommunications industry in Saudi Arabia and the UAE is also being targeted. Other victim countries include Germany, Israel, Norway, Iceland, and the US. The group uses social media platforms to pose as recruiters for fake organizations, and uses these job-themed lures to trick people into clicking on malicious links or installing malware. The group’s malware is disguised as a salary calculator, VPN app, chat app, or audiobook reader. These RATs are able to take screenshots, execute additional malware, and send files.
Hybrid Operation in Azerbaijan
Journalists, democracy activists, and government critics from Azerbaijan were the victims of cyber espionage and coordinated inauthentic behaviour. The attackers lacked sophistication, and researchers claim the operation was run by the Azeri Ministry of Internal Affairs. Its goal was to gather information and to promote a narrative different from that of the victims.
Impact
- Unauthorized Access
- Sensitive Data Theft
- Cyber Espionage
Indicators of Compromise
Remediation
- Block all threat indicators at your respective controls.
- Search for IOCs in your environment.
- Always be suspicious about emails sent by unknown senders.
- Never click on links/attachments sent by unknown senders.