Mint Sandstorm: 伊朗黑客组织伪装记者窥探以色列哈马斯战争专家

High-profile individuals working on Middle Eastern affairs at universities and research organizations in Belgium, France, Gaza, Israel, the U.K., and the U.S. have been targeted by an Iranian cyber espionage group called Mint Sandstorm since November 2023.

在比利时、法国、加沙、以色列、英国和美国的大学和研究机构从事中东事务的知名人士自2023年11月以来一直受到一个名为Mint Sandstorm的伊朗网络间谍组织的攻击。

The threat actor "used bespoke phishing lures in an attempt to socially engineer targets into downloading malicious files," the Microsoft Threat Intelligence team said in a Wednesday analysis, describing it as a "technically and operationally mature subgroup of Mint Sandstorm."

微软威胁情报团队在周三的分析中表示，这个威胁行为者“使用定制的网络钓鱼诱饵，试图社会工程化目标，诱使其下载恶意文件。”他们将这个组织描述为“Mint Sandstorm的技术和操作成熟的分支。”

The attacks, in select cases, involve the use of a previously undocumented backdoor dubbed MediaPl, indicating ongoing endeavors by Iranian threat actors to refine their post-intrusion tradecraft.

在某些情况下，这些攻击涉及使用一个名为MediaPl的先前未记录的后门，这表明伊朗威胁行为者正在努力完善他们的入侵后技术。

Mint Sandstorm, also known as APT35, Charming Kitten, TA453, and Yellow Garuda, is known for its adept social engineering campaigns, even resorting to legitimate but compromised accounts to send bespoke phishing emails to prospective targets. It's assessed to be affiliated with Iran's Islamic Revolutionary Guard Corps (IRGC).

Mint Sandstorm，又称为APT35、Charming Kitten、TA453和Yellow Garuda，以其熟练的社会工程活动而闻名，甚至利用合法但遭到破坏的账号向潜在目标发送定制的网络钓鱼邮件。它被认为隶属于伊朗的伊斯兰革命卫队（IRGC）。

The sub-cluster, per Redmond, engages in resource-intensive social engineering to single out journalists, researchers, professors, and other individuals with insights on security and policy issues of interest to Tehran.

根据微软透露的信息，该次入侵事件涉及使用资源密集型社会工程活动来针对记者、研究人员、教授以及对德黑兰的安全和政策问题有深入了解的其他人。

The latest intrusion set is characterized by the use of lures pertaining to the Israel-Hamas war, sending innocuous emails under the guise of journalists and other high-profile individuals to build rapport with targets and establish a level of trust before attempting to deliver malware to targets.

最新的入侵集中于与以色列-哈马斯战争相关的诱饵，发送普通的电子邮件，伪装成记者和其他知名人士，与目标建立联系并建立一定的信任，然后试图向目标传送恶意软件。

Microsoft said it's likely the campaign is an effort undertaken by the nation-state threat actor to collect perspectives on events related to the war.

微软表示，该次活动很可能是伊朗国家威胁行为者收集与战争相关事件观点的努力。

The use of breached accounts belonging to the people they sought to impersonate in order to send the email messages is a new Mint Sandstorm tactic not seen before, as is its use of the curl command to connect to the command-and-control (C2) infrastructure.

利用所寻求冒充的人的被盗账户发送电子邮件消息以及使用curl命令连接到命令与控制（C2）基础架构，这是Mint Sandstorm之前未见的新策略。

Should the targets engage with the threat actor, they are sent a follow-up email containing a malicious link that points to a RAR archive file, which, when opened, leads to the retrieval of Visual Basic scripts from the C2 server to persist within the targets' environments.

如果目标与威胁行为者互动，他们将收到一个包含恶意链接的跟进电子邮件，该链接指向一个RAR存档文件，一旦打开，就会从C2服务器中检索Visual Basic脚本，以在目标环境内持续存在。

The attack chains further pave the way for custom implants like MischiefTut or MediaPl, the former of which was first disclosed by Microsoft in October 2023.

该攻击链进一步为像MischiefTut或MediaPl之类的自定义植入物铺平了道路，前者是微软在2023年10月首次披露的。

Implemented in PowerShell, MischiefTut is a basic backdoor that can run reconnaissance commands, write outputs to a text file, and download additional tools on a compromised system. The first recorded use of the malware dates back to late 2022.

MischiefTut是用PowerShell实施的基本后门，能够运行侦察命令，将输出写入文本文件，并在受损系统上下载其他工具。该恶意软件的首次记录使用可追溯到2022年后期。

MediaPl, on the other hand, masquerades as Windows Media Player and is designed to transmit encrypted communications to its C2 server and launch command(s) it has received from the server.

另一方面，MediaPl伪装成Windows Media Player，旨在将加密通信发送到其C2服务器，并执行它从服务器收到的命令。

"Mint Sandstorm continues to improve and modify the tooling used in targets' environments, activity that might help the group persist in a compromised environment and better evade detection," Microsoft said.

微软表示，“Mint Sandstorm继续改进和修改用于目标环境的工具，这些活动可能有助于使该组织在受损环境中持续存在并更好地躲避检测。”

"The ability to obtain and maintain remote access to a target's system can enable Mint Sandstorm to conduct a range of activities that can adversely impact the confidentiality of a system."

“获取和保持对目标系统的远程访问能力可以使Mint Sandstorm进行一系列可能对系统机密性产生不利影响的行动。”

The disclosure comes as Dutch newspaper De Volkskrant revealed earlier this month that Erik van Sabben, a Dutch engineer recruited by Israel and U.S. intelligence services, may have used a water pump to deploy an early variant of the now-infamous Stuxnet malware in an Iranian nuclear facility sometime in 2007.

此外，就在本月初，荷兰报纸De Volkskrant披露，由以色列和美国情报机构招募的荷兰工程师Erik van Sabben可能曾使用水泵在2007年的伊朗核设施中部署了现在臭名昭著的Stuxnet恶意软件的早期变种。