APT Group Uses Catfish Technique To Ensnare Victims

The APT group Cobalt Gypsy, also known as OilRig, used a fake persona called “Mia Ash” to lure tech-savvy workers in the oil and gas industry into opening attachments carrying the PupyRAT malware.

LAS VEGAS–Meet Mia Ash, a 20-something London-based photographer, amateur model, social media butterfly with a keen interest in tech-savvy guys with ties to the oil and gas industry.

You guessed it. Mia Ash doesn’t exist. Ash, according to Dell SecureWorks Counter Threat Unit, is a virtual persona stitched together by the APT known as Cobalt Gypsy, OilRig, TG-2889 and Twisted Kitten. It is believed to have ties to the Iranian government and has been targeting telecommunications, government, defense, oil and financial services firms located in the Middle East and North Africa.

SecureWorks researchers say Ash is an unusually well-developed persona that has been curated for years. Its purpose is to befriend men in desirable positions within, or connected to, energy-sector firms, and ultimately to infect the target’s computer with the remote access tool PupyRAT.

Today during Black Hat, SecureWorks released a report on Ash titled “The Curious Case of Mia Ash: Cobalt Gypsy Uses Social Media to Lure Victims.”

Allison Wikoff, intelligence analyst for Dell SecureWorks, said Cobalt Gypsy’s elaborate ploy came to light in January when it observed an unsuccessful phishing campaign targeting Saudi Arabian organizations doing business in the Middle East and North Africa.

“When the initial campaign failed, Cobalt Gypsy turned its focus to a highly focused campaign using the fake persona of Mia Ash to establish relationships with employees inside targeted organizations,” Wikoff said.

That persona was crafted across LinkedIn, Facebook, WhatsApp, Blogger and sites such as DeviantArt, an online artwork, videography and photography community. The material used to build Ash’s backstory was cut and pasted from a number of places. The LinkedIn profile was appropriated from a United States-based photographer. Her Facebook and DeviantArt pages were updated regularly with images taken from several social media accounts belonging to a Romanian photographer who had no idea of the charade.

“They not only built a LinkedIn profile, but created a more personal persona using a host of social media platforms baiting targets with sex appeal. It’s catfishing. Back in the day counter intelligence efforts had to use real female spies to lure the information from male operatives. But now they can use a virtual female,” Wikoff said.

Over the course of years, the Ash profiles were actively updated and attracted a mix of social followers and professional connections that included both photography enthusiasts and non-photography profiles tied to energy-sector jobs.

“The non-photography endorsers were located in Saudi Arabia, United States, Iraq, Iran, Israel, India and Bangladesh working for technology, oil/gas, healthcare, aerospace and consulting organizations. These connections were mid-level employees in technician (mechanical and computer) or project managerial type roles with job titles including: technical support engineer, software developer and system support,” according to the report.

Researchers say that while Ash had thousands of connections, the persona focused primarily on about 30 men. SecureWorks’ most recent research singles out two specific victims targeted by Ash.

The first came to light in February only after he opened an Excel attachment sent by Ash, a file named “Copy of Photography Survey.xlsm” that carried the PupyRAT malware. The malware did not execute, and SecureWorks was asked to investigate the incident.
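The attachment in this case was a macro-enabled Excel workbook (.xlsm). Such files are OOXML zip containers, and the macro-enabled variants carry a VBA project at xl/vbaProject.bin. The triage check below is an added example, not code from SecureWorks or from the report; the sample archives it builds are constructed stand-ins for real workbooks, and the quarantine policy (block any attachment that either claims a macro-enabled extension or actually contains a VBA project, so that a renamed .xlsm does not slip through as .xlsx) is an assumption about what a mail gateway should do, not something the article describes.

```python
import io
import zipfile

# Constructed sample: a minimal zip laid out like an OOXML workbook.
# Real .xlsm files are zip containers; the macro-enabled ones include
# xl/vbaProject.bin (an OLE compound file holding the VBA code).
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def build_sample_workbook(with_macro: bool) -> bytes:
    """Build a toy workbook archive (constructed test data, not a real Excel file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if with_macro:
            # Placeholder VBA project: OLE header followed by padding.
            zf.writestr("xl/vbaProject.bin", OLE_MAGIC + b"\x00" * 24)
    return buf.getvalue()


def ooxml_macro_report(data: bytes) -> dict:
    """Inspect an attachment's bytes and report whether it carries a VBA project.

    Returns a dict with:
      is_zip          - the bytes parse as a zip container
      has_vba_project - a member named vbaProject.bin exists (case-insensitive)
      members         - archive member names, for analyst review
    """
    report = {"is_zip": False, "has_vba_project": False, "members": []}
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        # Not a zip at all: could be a legacy .xls (OLE) or an unrelated file.
        return report
    report["is_zip"] = True
    report["members"] = names
    report["has_vba_project"] = any(
        n.lower().endswith("vbaproject.bin") for n in names
    )
    return report


def should_quarantine(filename: str, data: bytes) -> bool:
    """Assumed gateway policy: quarantine on a macro-enabled extension OR on
    an embedded VBA project, so renaming .xlsm to .xlsx does not bypass the check."""
    macro_exts = (".xlsm", ".xlam", ".docm", ".dotm", ".pptm", ".potm")
    claims_macro = filename.lower().endswith(macro_exts)
    return claims_macro or ooxml_macro_report(data)["has_vba_project"]


if __name__ == "__main__":
    lure = build_sample_workbook(with_macro=True)
    print(ooxml_macro_report(lure))
    print("quarantine:", should_quarantine("Copy of Photography Survey.xlsm", lure))
```

The content check matters more than the extension check: an attacker controls the file name, but a workbook that runs VBA has to ship xl/vbaProject.bin regardless of what it is called. Legacy binary formats (.xls, .doc) are OLE files rather than zips and need a different parser, which is why the report distinguishes "not a zip" from "zip without macros".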

Researchers said Ash had more success earlier with a similar target. That victim, a cybersecurity professional working for a consulting agency with ties to an energy-sector company, had a year-long relationship with Ash and even went as far as helping Ash register domain names for a photography website. SecureWorks said that, unlike the preceding victim, this target was likely compromised by PupyRAT.

Fake profiles are nothing new for advanced persistent threat groups, including Cobalt Gypsy. Wikoff said SecureWorks observed the group creating dozens of fake LinkedIn profiles posing as job recruiters in 2015. But the Ash profile went far beyond what they had seen before, she said, with the threat actors paying meticulous attention to updating social media feeds and going to great lengths to become entwined with victims on a personal level.

“What we observed is that these threat actors, when they had an unsuccessful phishing campaign, were willing to try a very targeted way to get into an environment,” Wikoff said. “What it demonstrates is how these advanced persistent threats are willing to do more one-on-one interactions with their targets in order to achieve their objectives.”

The SecureWorks Counter Threat Unit said with “high confidence” it believes the group Cobalt Gypsy is associated with Iranian government-directed cyber operations. “Specifically, this group has been observed launching espionage campaigns against organizations that are of strategic, political or economic importance to Iranian interests,” it stated in its report.
