| IRGC Phishing Campaign | |
| --- | --- |
| Type of Attack | Scam |
| Country of Origin | Iran |
| Targeted Countries | United States |
| Date of initial activity | 2024 |
| Associated Groups | APT42 |
| Motivation | Cyberwarfare |
| Attack Vectors | Phishing |
Overview
The Iranian government-backed cyber espionage group, APT42, linked to the Islamic Revolutionary Guard Corps (IRGC), has ramped up its phishing campaigns in 2024, primarily targeting individuals and organizations in Israel and the United States. This group has become notorious for its highly sophisticated and persistent attacks aimed at obtaining sensitive information from high-profile individuals with connections to politics, military, and defense sectors. APT42’s tactics focus on using social engineering methods to exploit trust and manipulate targets into revealing their login credentials. By mimicking legitimate organizations and institutions, the group crafts convincing phishing emails and malicious websites that appear to be credible.
The IRGC’s cyber operations have long been part of Iran’s broader efforts to advance its geopolitical agenda, and the recent uptick in phishing attacks reflects an increasing emphasis on gathering intelligence and disrupting the political and military activities of its adversaries. APT42’s campaigns have focused not only on Israeli government officials, military personnel, and diplomats but also on U.S. figures tied to the presidential election process. This includes attempts to breach accounts of political consultants, campaign staff, and government officials affiliated with both major U.S. political parties.
Targets
Public Administration
Information
Individuals
How they operate
One of the primary methods APT42 uses is domain impersonation: the group creates websites and email addresses that closely resemble those of legitimate institutions and organizations. This technique, often referred to as typosquatting, involves registering domain names that are nearly identical to those of trusted entities, with slight variations designed to deceive the victim into thinking the source is legitimate. For example, APT42 has used domains like understandingthewar[.]org to impersonate the Institute for the Study of War, aiming to target U.S. military personnel. Similarly, domains like brookings[.]email were used to impersonate the Brookings Institution to target Israeli and U.S. entities, particularly in the political and defense sectors.
APT42 also makes extensive use of social engineering to build trust and increase the likelihood of success. Their phishing emails often masquerade as benign, legitimate communication, such as a journalist seeking comment or a political petition. This tactic aims to engage targets in conversation or interaction, laying the groundwork for more malicious actions. Once the victim is drawn into the conversation or clicks a malicious link, they are directed to phishing pages that mimic trusted platforms like Google Drive, Dropbox, or OneDrive. These pages often prompt the victim to enter their login credentials, thereby stealing them for further exploitation.
Moreover, APT42 has adopted cloud service abuse as part of its attack chain, leveraging legitimate cloud platforms like Google Sites to host malicious content. This enables the attackers to bypass traditional detection methods, as the URLs appear to be hosted by trusted services. For instance, one of the group’s phishing campaigns in 2024 involved using Google Sites to host a fraudulent petition linked to the Jewish Agency for Israel, which encouraged users to click a malicious link. This method not only enhances the credibility of the attack but also allows APT42 to redirect victims to its phishing landing pages via ngrok, a legitimate tunneling service that can be used to forward traffic to attacker-controlled infrastructure.
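The two lookalike domains above and the Google Sites/ngrok hosting pattern can be turned into a simple mail-triage check. The following is an added example, not code from the original report or from Google: it flags sender domains that imitate the two impersonated institutions named on the page (same name with a swapped TLD, or a small edit distance) and links that point at the abused hosting/redirect services. The ngrok hostnames, the `.co.uk`-style suffix simplification and the sample messages are assumptions or constructed data.

```python
from urllib.parse import urlparse

# Legitimate domains the page says APT42 imitated, and who they belong to.
PROTECTED = {"understandingwar.org": "Institute for the Study of War",
             "brookings.edu": "Brookings Institution"}
# Hosting/redirect services the page says were abused; the ngrok hostnames are assumed.
ABUSED_SUFFIXES = ("sites.google.com", "ngrok.io", "ngrok-free.app", "ngrok.app")

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(domain: str, max_dist: int = 3):
    """Return (legit_domain, reason) if `domain` imitates a protected one, else None."""
    # Registrable part = last two labels; assumes no multi-part suffix such as .co.uk.
    dom = ".".join(domain.lower().strip(".").split(".")[-2:])
    if dom in PROTECTED:
        return None
    sld, _, tld = dom.rpartition(".")
    for legit in PROTECTED:
        lsld, _, ltld = legit.rpartition(".")
        if sld == lsld and tld != ltld:           # brookings[.]email vs brookings.edu
            return legit, "same name, different TLD"
        dist = edit_distance(sld, lsld)            # understandingthewar vs understandingwar
        if dist <= max_dist:
            return legit, f"edit distance {dist} from {lsld}"
    return None

def flag_url(url: str):
    """Return the abused hosting/redirect suffix a link points at, or None."""
    host = (urlparse(url).hostname or "").lower()
    return next((s for s in ABUSED_SUFFIXES if host == s or host.endswith("." + s)), None)

def triage(sender: str, urls):
    """Findings for one message: sender-domain lookalike plus links on abused services."""
    hit = lookalike_of(sender.split("@")[-1])
    findings = [f"sender domain imitates {hit[0]} ({hit[1]})"] if hit else []
    findings += [f"link on abused service {flag_url(u)}: {u}" for u in urls if flag_url(u)]
    return findings

# Constructed sample messages; only the two sender domains come from the page.
SAMPLES = [("reporter@understandingthewar.org", ["https://sites.google.com/view/petition-x"]),
           ("events@brookings.email", ["https://tunnel-x.ngrok-free.app/login"]),
           ("colleague@brookings.edu", ["https://www.brookings.edu/research/"])]
```

Run `triage(*m)` over each entry of `SAMPLES`: the first two messages each yield two findings, the genuine Brookings message yields none.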
APT42’s phishing campaigns often feature highly tailored content designed to appeal to the specific targets. In one instance, the group targeted Israeli diplomats, military officials, and academics by impersonating an aerospace executive and requesting a comment on recent air strikes. Such personalization increases the likelihood of the victim trusting and engaging with the malicious emails, making these attacks difficult to differentiate from legitimate communication.
To further complicate the detection process, APT42 continuously changes its infrastructure and attack patterns. When a phishing attempt is detected or disrupted, the group swiftly adapts by creating new domains or shifting to different tactics. For example, after their domains are flagged, APT42 quickly registers new ones, continuing their phishing activities with minimal disruption. Additionally, Google has reported actively disrupting APT42’s malicious infrastructure, blocking compromised accounts, and implementing enhanced defenses like Safe Browsing blocklists to thwart their campaigns.