A group with links to Iran targeted transportation, logistics, and technology sectors in the Middle East, including Israel, in October 2023 amid a surge in Iranian cyber activity since the onset of the Israel-Hamas war.
The attacks have been attributed by CrowdStrike to a threat actor it tracks under the name Imperial Kitten, and which is also known as Crimson Sandstorm (previously Curium), TA456, Tortoiseshell, and Yellow Liderc.
The latest findings from the company build on prior reports from Mandiant, ClearSky, and PwC, the latter of which also detailed instances of strategic web compromises (aka watering hole attacks) leading to the deployment of IMAPLoader on infected systems.
"The adversary, active since at least 2017, likely fulfills Iranian strategic intelligence requirements associated with IRGC operations," CrowdStrike said in a technical report. "Its activity is characterized by its use of social engineering, particularly job recruitment-themed content, to deliver custom .NET-based implants."
Attack chains leverage compromised websites, primarily those related to Israel, to profile visitors using bespoke JavaScript and exfiltrate the information to attacker-controlled domains.
Besides watering hole attacks, there is evidence that Imperial Kitten also gains initial access by exploiting one-day vulnerabilities (flaws that are already patched but not yet applied by the victim), using stolen credentials, phishing, and even compromising upstream IT service providers to reach their customers.
Phishing campaigns involve the use of macro-laced Microsoft Excel documents to activate the infection chain and drop a Python-based reverse shell that connects to a hard-coded IP address for receiving further commands.
Notable post-exploitation activity includes lateral movement using PAExec, an open-source variant of PsExec, together with NetScan for network discovery, followed by delivery of the IMAPLoader and StandardKeyboard implants.
Also deployed is a remote access trojan (RAT) that uses Discord for command-and-control, while both IMAPLoader and StandardKeyboard employ email messages (i.e., attachments and email body) to receive tasking and send results of the execution.
"StandardKeyboard's main purpose is to execute Base64-encoded commands received in the email body," the cybersecurity company pointed out. "Unlike IMAPLoader, this malware persists on the infected machine as a Windows Service named Keyboard Service."
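As an added example (not code from CrowdStrike's report, and not the malware itself), the following Python shows detection logic for the two StandardKeyboard traits the text names: a new Windows service called "Keyboard Service", and tasking that arrives as a bare Base64-encoded command in an email body. The service-install records (modelled on System-log Event ID 7045) and the email messages are constructed sample input; the binary path, sender addresses and the decoded command are hypothetical.

```python
import base64
import binascii
import email
import re
from email import policy

# Service name the article says StandardKeyboard registers for persistence.
SUSPECT_SERVICE_NAMES = {"keyboard service"}

# Constructed sample of Event ID 7045 ("A service was installed in the system")
# records, already parsed into dicts. Paths and accounts are hypothetical.
SAMPLE_SERVICE_EVENTS = [
    {"event_id": 7045, "service_name": "Keyboard Service",
     "image_path": r"C:\Users\Public\kbsvc.exe", "account": "LocalSystem"},
    {"event_id": 7045, "service_name": "Windows Update Medic Service",
     "image_path": r"C:\Windows\System32\svchost.exe -k WaaSMedicSvc",
     "account": "LocalSystem"},
    # A 7036 state-change event for the same name is noise, not an install.
    {"event_id": 7036, "service_name": "Keyboard Service",
     "image_path": "", "account": ""},
]

# Constructed sample messages: one carries a Base64 command, one is ordinary mail.
SAMPLE_MESSAGES = [
    "From: ops@example.invalid\r\nTo: host@example.invalid\r\nSubject: task 1\r\n\r\n"
    + base64.b64encode(b"whoami /all").decode() + "\r\n",
    "From: hr@example.invalid\r\nTo: host@example.invalid\r\nSubject: Interview\r\n\r\n"
    "Thanks for your application, we will be in touch.\r\n",
]


def flag_service_installs(events, suspect_names=SUSPECT_SERVICE_NAMES):
    """Return the 7045 records whose service name matches a known-bad name."""
    hits = []
    for ev in events:
        if ev.get("event_id") != 7045:
            continue
        if ev.get("service_name", "").strip().lower() in suspect_names:
            hits.append(ev)
    return hits


_B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def decode_base64_command(body):
    """Return the decoded text if `body` is a single strict-Base64 token that
    decodes to printable text, otherwise None. Strict decoding (validate=True)
    plus the length/alphabet checks reject prose that merely looks Base64-ish."""
    token = body.strip()
    if len(token) < 8 or len(token) % 4 or not _B64_RE.match(token):
        return None
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return None
    # Allow line breaks and tabs (multi-line scripts), reject binary junk.
    if not all(c.isprintable() or c in "\r\n\t" for c in text):
        return None
    return text


def find_tasking_messages(raw_messages):
    """Parse raw RFC 5322 messages and return (subject, decoded command) for
    each one whose plain-text body is nothing but a Base64 command."""
    results = []
    for raw in raw_messages:
        msg = email.message_from_string(raw, policy=policy.default)
        body_part = msg.get_body(preferencelist=("plain",))
        if body_part is None:
            continue
        cmd = decode_base64_command(body_part.get_content())
        if cmd is not None:
            results.append((str(msg["subject"]), cmd))
    return results


if __name__ == "__main__":
    for ev in flag_service_installs(SAMPLE_SERVICE_EVENTS):
        print("suspect service install:", ev["service_name"], ev["image_path"])
    for subject, cmd in find_tasking_messages(SAMPLE_MESSAGES):
        print("tasking mail:", subject, "->", cmd)
```

The service check deliberately keys on new-service installs (7045) rather than every event naming the service, so a hunt across many hosts is not flooded by start/stop notices; the Base64 check uses strict decoding and a printable-text filter because ordinary attachments and signatures also contain Base64 runs, and a looser test would flag most of a mailbox.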
The development comes as Microsoft noted that malicious cyber activity attributed to Iranian groups after the start of the war on October 7, 2023, is more reactive and opportunistic.
"Iranian operators [are] continuing to employ their tried-and-true tactics, notably exaggerating the success of their computer network attacks and amplifying those claims and activities via a well-integrated deployment of information operations," Microsoft said.
"This is essentially creating online propaganda seeking to inflate the notoriety and impact of opportunistic attacks, in an effort to increase their effects."
The disclosure also follows revelations that a Hamas-affiliated threat actor named Arid Viper has targeted Arabic speakers with an Android spyware known as SpyC23 through weaponized apps masquerading as Skipped and Telegram, according to Cisco Talos and SentinelOne.