Iranian state-backed hackers have been attacking Israeli IT and communication companies in an attempt to steal sensitive information. The attacks are likely part of a strategy to reach the networks of further targets, researchers said.
The group behind the espionage campaigns is believed to be the Iranian actor Siamesekitten (also known as Hexane and Lyceum), which has been active since at least 2018.
In May and July, the hackers used social engineering to infect machines with updated versions of the malware known as Milan and Shark, with the goal of gaining remote access to the infected systems.
In one case, the hackers used a fake LinkedIn profile impersonating a former employee of the technology company ChipPC to approach victims.
Researchers at the security company ClearSky say that the Siamesekitten actors used the fake profile to infect users with the DanBot RAT via messages about job offers. Their goal was to steal data for espionage purposes and to spread further through the compromised network.
The researchers say that while the threat actor’s interest seems to have shifted from the Middle East to Israel, the country’s companies are only a means of reaching the real targets.
“We believe that these attacks and their focus on IT and communication companies are intended to facilitate supply chain attacks on their clients. According to our assessment, the group’s main goal is to conduct espionage and utilize the infected network to gain access to their clients’ networks. As with other groups, it is possible that espionage and intelligence gathering are the first steps toward executing impersonation attacks targeting ransomware or wiper malware,” said ClearSky.
ClearSky found two sites used by Siamesekitten in its cyberespionage campaigns.
One site mimics the website of the German software company Software AG and the other mimics the website of ChipPC. Victims are then asked to download an Excel file that supposedly contains the details of the job offer. Both files contain password-protected macros that start an infection chain by extracting a malicious backdoor, MsNpENg.
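The lure in this chain is a macro-enabled workbook. As an added example (not code from the ClearSky report or this article), the following Python triages a downloaded workbook by looking for an embedded VBA project in the OOXML (zip) container. A VBA project password only locks the code from being viewed in the editor; the `xl/vbaProject.bin` part is still present in the archive and still executes, so the check is not affected by it. The sample workbooks are constructed in memory, and the function names and lure file names are hypothetical.

```python
import io
import zipfile
from dataclasses import dataclass, field

# Real OOXML content types: the macro-enabled workbook part and the VBA project part.
MACRO_ENABLED_CT = "application/vnd.ms-excel.sheet.macroEnabled.main+xml"
PLAIN_WORKBOOK_CT = "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet.main+xml"
VBA_PROJECT_CT = "application/vnd.ms-office.vbaProject"


@dataclass
class WorkbookFindings:
    is_ooxml_zip: bool
    vba_parts: list = field(default_factory=list)   # archive members that hold VBA
    macro_enabled_content_type: bool = False        # [Content_Types].xml declares macros

    @property
    def has_macros(self) -> bool:
        return bool(self.vba_parts) or self.macro_enabled_content_type


def inspect_workbook(data: bytes) -> WorkbookFindings:
    """Open the workbook as a zip and report any sign of an embedded VBA project.

    A VBA project password protects the code from viewing in the editor only;
    the vbaProject.bin part is still stored in the archive, so it is still seen here.
    """
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return WorkbookFindings(is_ooxml_zip=False)
    with zf:
        names = zf.namelist()
        vba_parts = [n for n in names if n.lower().endswith("vbaproject.bin")]
        ct_flag = False
        if "[Content_Types].xml" in names:
            ct = zf.read("[Content_Types].xml").decode("utf-8", "replace")
            ct_flag = MACRO_ENABLED_CT in ct or VBA_PROJECT_CT in ct
    return WorkbookFindings(True, vba_parts, ct_flag)


def triage(filename: str, data: bytes) -> list:
    """Return a list of reasons a downloaded workbook deserves a closer look."""
    findings = inspect_workbook(data)
    reasons = []
    if not findings.is_ooxml_zip:
        return ["not_ooxml_zip"]        # legacy .xls or something else; inspect separately
    for part in findings.vba_parts:
        reasons.append(f"vba_project_present:{part}")
    if findings.macro_enabled_content_type:
        reasons.append("macro_enabled_content_type")
    # A .xlsx name with macros inside is a mismatch worth flagging on its own.
    if findings.has_macros and filename.lower().endswith(".xlsx"):
        reasons.append("extension_mismatch")
    return reasons


def build_sample_workbook(with_macros: bool) -> bytes:
    """Construct a minimal OOXML container for testing (constructed data, not a real lure)."""
    main_ct = MACRO_ENABLED_CT if with_macros else PLAIN_WORKBOOK_CT
    content_types = [
        '<?xml version="1.0" encoding="UTF-8"?>',
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">',
        f'<Override PartName="/xl/workbook.xml" ContentType="{main_ct}"/>',
    ]
    parts = {"xl/workbook.xml": "<workbook/>", "xl/worksheets/sheet1.xml": "<worksheet/>"}
    if with_macros:
        # Constructed stand-in for the VBA project: an OLE magic header and padding.
        parts["xl/vbaProject.bin"] = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24
        content_types.append(f'<Override PartName="/xl/vbaProject.bin" ContentType="{VBA_PROJECT_CT}"/>')
    content_types.append("</Types>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "\n".join(content_types))
        for name, body in parts.items():
            zf.writestr(name, body)
    return buf.getvalue()


if __name__ == "__main__":
    # Hypothetical lure file names; both workbooks are constructed above.
    for name, macros in (("Job_Offer_Details.xlsm", True), ("Job_Offer_Details.xlsx", True), ("report.xlsx", False)):
        print(name, triage(name, build_sample_workbook(macros)))
```

In a mail gateway or download monitor the same check can run on every attachment before it reaches a user; the `extension_mismatch` reason in particular catches workbooks renamed to look macro-free.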
The researchers observed that in May, Siamesekitten used a version of the backdoor called Milan, written in C++, while in July they used Shark, written in .NET.
ClearSky’s full report contains detailed information on the variants used by the attackers and also lists the attackers’ IP addresses, email addresses, and other indicators.