2020_1001 - Iranian Election

Suspected Iranian hacker looks to steal Gmail, Instagram credentials

An Iranian threat actor discovered earlier this year is responsible for attacks against U.S. targets designed to hoover up Gmail and Instagram credentials, according to research released Wednesday by security firm SafeBreach.

While the actor was originally exposed in September, further analysis by the company found phishing attacks that stretched back to July. Almost half of the phishing campaign’s victims are located in the United States.

The research also uncovered the PowerShell code, which researchers dubbed PowerShortShell, that attackers used to pilfer a range of critical data from victims, such as screenshots and Telegram files.

PowerShortShell was typically delivered in Office documents sent by email, with lures like pictures of Iranian soldiers and evidence of the 'Corona massacre' performed by Iran's supreme leader.

SafeBreach said the documents exploited the CVE-2021-40444 vulnerability to drop the malicious PowerShell code, which then gathered data from the infected computer.

Researchers said the actor could be linked to Tehran’s regime “since the Telegram surveillance usage is typical of Iran's threat actors like Infy, Ferocious Kitten and Rampant Kitten,” referring to other Iranian hacking groups that various researchers have unmasked in recent years.

Malicious actors with links to Iran have relied on social media for most of their phishing operations for years. 

One of the most recent instances occurred in July, when Facebook revealed that a group of Iranian hackers targeted U.S. military personnel through a "well-resourced and persistent operation" to trick them into providing sensitive information as part of a broader online espionage campaign.

Martin Matishak

Martin Matishak is a senior cybersecurity reporter for The Record. He spent the last five years at Politico, where he covered Congress, the Pentagon and the U.S. intelligence community and was a driving force behind the publication's cybersecurity newsletter.
