Iranian Threat Actor Deployed Malicious PowerShell Script through Phishing, Then Stole Files and Credentials


A threat actor from Iran is responsible for a wave of phishing attacks that deploy malware and steal various private data, security researchers have discovered.

Phishing campaigns are often very decentralized, meaning they originate from multiple sources and countries. Identifying a particular threat actor is difficult, but it’s not impossible, especially when that actor does more than just spread a regular phishing campaign.

SafeBreach security researchers took a closer look at an Iranian threat actor originally identified in September 2021, who turned out to have been active long before that. The actor was targeting Farsi-speaking victims, mostly in the US.

“Almost half of the victims are located in the United States,” said the researchers. “Based on the Microsoft Word document content – which blames Iran’s leader for the ‘Corona massacre’ and the nature of the collected data, we assume that the victims might be Iranians who live abroad and might be seen as a threat to Iran’s Islamic regime.”

Victims receive an email with a Word file attached. If the user opens the file, a malicious HTML component drops a DLL file onto the system. That DLL eventually runs a powerful PowerShell script that can exfiltrate a large amount of data.

The stolen information includes system details such as the configuration, IP address, and more. The script even downloads every document it finds, whether Office, PDF or TXT. The attackers also download Telegram, Instagram, and Gmail files and credentials.
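The infection chain above (Word document, dropped DLL, PowerShell script that sweeps up documents) is what a defender would want to spot in endpoint telemetry. The following is an added detection example, not code from the SafeBreach or Bitdefender write-up: it walks constructed process and file-read events, flags a powershell.exe whose ancestry includes WINWORD.EXE, and raises an alert only when that process also reads several Office/PDF/TXT files. The event field names and the rundll32.exe loader step are assumptions; the page does not say how the DLL is loaded.

```python
from collections import Counter

# Document types the article says the script collects.
DOC_EXTS = (".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf", ".txt")

# Constructed sample telemetry (not real data): process-creation and file-read events.
EVENTS = [
    {"type": "process", "pid": 100, "ppid": 1,   "image": "explorer.exe"},
    {"type": "process", "pid": 200, "ppid": 100, "image": "WINWORD.EXE"},
    {"type": "process", "pid": 300, "ppid": 200, "image": "rundll32.exe"},   # assumed DLL host
    {"type": "process", "pid": 400, "ppid": 300, "image": "powershell.exe"}, # dropped script
    {"type": "process", "pid": 500, "ppid": 100, "image": "powershell.exe"}, # benign admin shell
    {"type": "file_read", "pid": 400, "path": r"C:\Users\u\Documents\report.docx"},
    {"type": "file_read", "pid": 400, "path": r"C:\Users\u\Documents\taxes.pdf"},
    {"type": "file_read", "pid": 400, "path": r"C:\Users\u\Desktop\notes.txt"},
    {"type": "file_read", "pid": 500, "path": r"C:\Windows\System32\drivers\etc\hosts"},
]


def ancestry(pid, procs):
    """Image names from pid up to the root, lower-cased (child first)."""
    chain = []
    while pid in procs:
        chain.append(procs[pid]["image"].lower())
        pid = procs[pid]["ppid"]
    return chain


def detect(events, doc_threshold=3):
    """Alert on PowerShell descended from Word that reads many user documents."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    doc_reads = Counter()
    for e in events:
        if e["type"] == "file_read" and e["path"].lower().endswith(DOC_EXTS):
            doc_reads[e["pid"]] += 1
    alerts = []
    for pid, p in procs.items():
        if p["image"].lower() != "powershell.exe":
            continue
        chain = ancestry(pid, procs)
        spawned_by_word = "winword.exe" in chain[1:]
        if spawned_by_word and doc_reads[pid] >= doc_threshold:
            alerts.append({"pid": pid, "chain": chain, "doc_reads": doc_reads[pid]})
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

The threshold keeps a lone admin PowerShell session from firing; in production the same logic would run over EDR or Sysmon process (ID 1) and file events rather than the embedded sample.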

Security researchers determined the source of the attacks and the main targeted countries. They also published the script’s source code, along with all relevant indicators of compromise.