
Iran-nexus threat actors have been linked to “coordinated” and “multi-wave” spear-phishing campaigns targeting embassies and consulates in Europe and other regions around the world.
The activity is attributed to Iran-aligned operators associated with the broader set of offensive cyber operations carried out by a group known as Homeland Justice, according to Israeli cybersecurity company Dream.
“The emails were sent to multiple government recipients around the world, disguised as legitimate diplomatic communications,” the company said. “The evidence points to a wider range of local espionage targeting diplomatic and government groups during a period of growing geopolitical tensions.”

The attack chain involves spear-phishing emails themed around the geopolitical tensions between Iran and Israel. The lures prompt recipients to “enable content,” so that the embedded Visual Basic for Applications (VBA) macros, which are responsible for loading and executing the malware, run as soon as the document is opened.
According to Dream, the email messages were sent to embassies, consulates and international organizations in the Middle East, Africa, Europe, Asia and the US, suggesting the activity casts a wide phishing net. European embassies and African organizations are said to have been the most heavily targeted.

The messages were sent from 104 unique compromised email addresses belonging to government staff and quasi-government agencies, lending them an extra layer of credibility. At least some of the emails came from hacked mailboxes (*@fm.gov.om) belonging to Oman’s Foreign Ministry in Paris.
“Lure content consistently utilized the common practice of referring to urgent MFA communications, communicating authority and ensuring macros have access to the content, a feature of well-planned spying activities that intentionally mask attribution,” Dream said.
The ultimate goal of the attack is to use the VBA macro to deploy an executable that can establish persistence, contact a command-and-control (C2) server, and harvest system information.
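The macro-based loader described above (a document that needs “Enable Content,” an auto-executing VBA procedure, and a dropped executable that is then launched) is a pattern a mail gateway or analyst can triage for without ever running the document. The following is an added example written for this article, not code from Dream, ClearSky or the campaign itself: it checks whether an Office OOXML attachment carries a VBA project part at all, and scores extracted VBA source for the combination of an auto-exec entry point with file-write and process-launch calls. The sample document and the two VBA snippets are constructed for the example; real VBA extraction from `vbaProject.bin` would be done with a dedicated parser such as oletools.

```python
"""Defensive triage for macro-bearing Office attachments (added example, not the article's code).

Two checks:
  1. has_vba_project: does an OOXML container (.docm/.xlsm/.pptm) carry a vbaProject.bin part?
  2. score_vba: does VBA source combine an auto-execute entry point (fires on "Enable Content")
     with the APIs needed to write a second-stage executable to disk and launch it?
All sample data below is constructed for illustration.
"""
import io
import re
import zipfile

# Procedures Office runs automatically once macros are enabled for the document.
AUTO_EXEC = re.compile(r"\b(AutoOpen|Document_Open|Workbook_Open|Auto_Open|AutoExec)\b", re.I)

# Calls that a dropper needs to stage an executable, fetch it, run it, or persist.
SUSPICIOUS_API = {
    "process_launch": re.compile(r"\b(Shell|WScript\.Shell|ShellExecute|CreateProcess)\b", re.I),
    "com_object":     re.compile(r"\bCreateObject\s*\(", re.I),
    "file_write":     re.compile(r"\b(Open\s+.+\s+For\s+Binary|Put\s+#|ADODB\.Stream|SaveToFile)\b", re.I),
    "download":       re.compile(r"\b(URLDownloadToFile|XMLHTTP|WinHttpRequest)\b", re.I),
    "persistence":    re.compile(r"(CurrentVersion\\Run|schtasks|Startup)", re.I),
    "obfuscation":    re.compile(r"(\bChr\s*\(|\bStrReverse\b|\bXor\b)", re.I),
}


def has_vba_project(doc_bytes: bytes) -> bool:
    """True if the OOXML zip contains a vbaProject.bin part, i.e. the file is macro-enabled."""
    try:
        with zipfile.ZipFile(io.BytesIO(doc_bytes)) as zf:
            return any(name.lower().endswith("vbaproject.bin") for name in zf.namelist())
    except zipfile.BadZipFile:
        return False


def score_vba(source: str) -> dict:
    """Score VBA source text and return the per-category hits plus a verdict."""
    hits = {name: bool(rx.search(source)) for name, rx in SUSPICIOUS_API.items()}
    auto_exec = bool(AUTO_EXEC.search(source))
    # Auto-exec trigger + (stage a file AND launch it) is the loader shape described in the
    # article; each half alone is common in benign automation, so only the combination is flagged.
    drops_and_runs = hits["process_launch"] and (hits["file_write"] or hits["download"])
    if auto_exec and drops_and_runs:
        verdict = "likely-loader"
    elif auto_exec or hits["process_launch"]:
        verdict = "review"
    else:
        verdict = "benign-looking"
    return {"auto_exec": auto_exec, "hits": hits, "verdict": verdict}


def build_sample_docm(with_macro: bool) -> bytes:
    """Constructed stand-in for a .docm: a zip holding only the parts relevant to the check."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Placeholder bytes; a real part is an OLE compound file with compressed VBA.
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 constructed placeholder")
    return buf.getvalue()


# Constructed VBA with the loader shape: writes a file to %TEMP%, then launches it.
SAMPLE_LOADER_VBA = '''
Sub AutoOpen()
    Dim p As String
    p = Environ("TEMP") & "\\update.exe"
    Open p For Binary As #1
    Put #1, , payload
    Close #1
    Shell p, vbHide
End Sub
'''

# Constructed benign macro: formatting only, no auto-exec trigger, no file or process APIs.
SAMPLE_BENIGN_VBA = '''
Sub FormatReport()
    Selection.Font.Bold = True
End Sub
'''

if __name__ == "__main__":
    print("macro-enabled:", has_vba_project(build_sample_docm(True)), has_vba_project(build_sample_docm(False)))
    print("loader sample:", score_vba(SAMPLE_LOADER_VBA)["verdict"])
    print("benign sample:", score_vba(SAMPLE_BENIGN_VBA)["verdict"])
```

The first check is cheap enough to run on every inbound attachment and is a good trigger for quarantining or detonating documents that claim to be routine diplomatic correspondence yet carry a VBA project. The scoring function is deliberately conservative: it only calls something a likely loader when an auto-exec procedure coexists with both staging and launching a file, which matches the chain the article describes and keeps ordinary reporting macros out of the alert queue.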

Cybersecurity firm ClearSky detailed several aspects of the campaign late last month, saying the phishing emails were sent to multiple foreign ministries.
“Similar obfuscation techniques were used by Iranian threat actors when targeting the Mujahedin-e-Khalq in Albania in 2023,” it noted in a post on X.