Iranian APT Lures Defense Contractor in Catfishing-Malware Scam

Fake aerobics-instructor profile delivers malware in a supply-chain attack attempt from TA456.

Most people have probably heard of catfishing. That’s when someone adopts a fake online persona, usually to trick someone into falling in love. Now, threat actors have developed their own spin on the grift, developing appealing — objectively hot — profiles to charm victims into downloading malware.

In a new report, Proofpoint details how the group TA456, associated with the Iranian Revolutionary Guard, invested years in developing the false profile of a fantasy woman named Marcella Flores, an impossibly shiny haired aerobics instructor from the U.K., to rein in unsuspecting targets.

The first signs of Marcella on social media started in 2018, according to Proofpoint’s analysis. Starting about eight months ago, Proofpoint found TA456 used the Marcella Flores profile to slowly build a relationship with someone who worked for a subsidiary of an aerospace defense contractor in the U.S. Over the months, Marcella shared many emails, pictures and even a video to build trust.

“Marcella’s” Facebook profile. Source: Proofpoint.

It wasn’t until early June that the attackers sent an email from Marcella Flores with the malware, the report added.

“Designed to conduct reconnaissance on the target’s machine, the macro-laden document contained personalized content and demonstrated the importance TA456 placed on the target,” Proofpoint’s report said, adding the malware is a new iteration of the Liderc malware, which Proofpoint calls Lempo.

TA456 Lempo Malware

Once it gains a foothold in a target’s system, Lempo performs reconnaissance and exfiltrates data to an email account controlled by TA456. Then, it deletes the host artifacts to cover its tracks, the report explained.

As for the attack chain, an Excel macro drops the Lemgo reconnaissance tool and Windows does the rest.

“Leveraging built-in Windows commands it enumerates the host in a variety of ways, records the collected data and then exfiltrates the intelligence to an actor-controlled email account using Microsoft’s Collaboration Data Objects (CDO),” Proofpoint wrote. “CDO, previously known as OLE Messaging or Active Messaging, is an application programming interface included with Microsoft Windows and Microsoft Exchange Server products.”

Lempo collects sensitive domain data, computer and username information, firewall rules, IP config information and tons of other useful stuff that could be used to launch a successful supply-chain attack on the government or various contractors.

In fact, Proofpoint’s Sherrod DeGrippo told Threatpost the fake “Marcella” profile they found was also connected on social media with others who publicly identify themselves as employees of defense contractors.

“TA456’s years-long dedication to significant social engineering, benign reconnaissance of targets prior to deploying malware, and their cross-platform kill chain makes them a very resourceful threat actor and signifies that they must be experiencing success in gaining information that meets their operational goals,” DeGrippo said. “TA456 has demonstrated themselves as one of the most resourceful Iranian-aligned threats tracked by Proofpoint. More broadly, Iranian cyber-espionage groups continue to have success with extensive social-engineering targets.”

Alluring Photos Are a Standard Scammer Tactic

Besides general cybersecurity hygiene and awareness training, DeGrippo advises those who work in sensitive industries — like aerospace and defense — to avoid shoring too much personal information on social media, which could ultimately be used by threat actors to build a detailed personal profile on you for abuse.

Catfishing by cyberattackers isn’t new; in 2020, Hamas was caught taking a classic catfish approach to tempt Israeli soldiers into installing spyware on their phones. Members posed as teen girls who are looking for quality chat time.

Iran-linked threat actors have used similar tactics on LinkedIn and WhatsApp before, targeting industries of geo-political interest to the country, Sean Nikkel, threat intelligence analyst from Digital Shadows told Threatpost.

“Always check out profiles and analyze messages: Pressure to download or open a file is a hallmark of social-engineering attacks,” Nikkel said. “Using an alluring profile picture is also a standard tactic for just about any scammer or phishing attempt on social media. When downloading files from untrusted sources, you should always exercise caution and beware of any user operations, such as enabling content or other macros.”

Unfortunately, there’s no one simple answer to eliminating the risk of these types of sophisticated social-engineering attacks, according to Dirk Schrader from New Net Technologies.

“Threat actors using their version of big data analytics and machine learning to sift through tons of data points of breached information available to them, plus the fact that time is playing to their hand will keep increasing the difficulty to identify a targeted social engineering attack, or even a well-crafted phishing attempt,” Schrader told Threatpost. “Adding the fact that most employees aren’t incentivized to be on alert about these kinds of attacks, the problem will never disappear and any technical control or operation resilience approach has to incorporate this. A device or a configuration can be hardened to reduce the attack surface, data access rules can be enforced to maintain control over who is able to see what kind of information, but the risk itself will remain.”

Worried about where the next attack is coming from? We’ve got your back. REGISTER NOW for our upcoming live webinar, How to Think Like a Threat Actor, in partnership with Uptycs. Find out precisely where attackers are targeting you and how to get there first. Join host Becky Bracken and Uptycs researchers Amit Malik and Ashwin Vamshi on Aug. 17 at 11AM EST for this LIVE discussion.


Suggested articles