Security researchers have tracked a new campaign from Imperial Kitten targeting transportation, logistics, and technology firms.
Imperial Kitten is also known as Tortoiseshell, TA456, Crimson Sandstorm, and Yellow Liderc, and for several years it used the online persona Marcella Flores.
It is a threat actor linked to the Islamic Revolutionary Guard Corps (IRGC), a branch of the Iranian Armed Forces, and has been active since at least 2017 carrying out cyberattacks against organizations in various sectors, including defense, technology, telecommunications, maritime, energy, and consulting and professional services.
The recent attacks were discovered by researchers at cybersecurity company CrowdStrike, who made the attribution based on infrastructure overlaps with past campaigns, observed tactics, techniques, and procedures (TTPs), the use of the IMAPLoader malware, and the phishing lures.
Imperial Kitten attacks
In a report published earlier this week, researchers say that Imperial Kitten launched phishing attacks in October using a ‘job recruitment’ theme in emails carrying a malicious Microsoft Excel attachment.
When the document is opened, the malicious macro code within it extracts two batch files that establish persistence through registry modifications and run Python payloads for reverse shell access.
The attacker then moves laterally on the network using tools like PAExec to execute processes remotely and NetScan for network reconnaissance. Additionally, they employ ProcDump to obtain credentials from the system memory.
Communication with the command and control (C2) server is achieved using the custom malware IMAPLoader and StandardKeyboard, both relying on email to exchange information.
The researchers say that StandardKeyboard persists on the compromised machine as a Windows service named "Keyboard Service" and executes base64-encoded commands received from the C2.
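The intrusion chain described in the paragraphs above (Excel macro dropping batch files, registry persistence, a Python reverse shell, and the "Keyboard Service" used by StandardKeyboard) maps onto a few endpoint telemetry rules. The following is an added detection sketch written for this page; it is not CrowdStrike's, PwC's, or BleepingComputer's code. It runs over constructed event records in a simplified Sysmon/System-log shape (Sysmon event 1 for process creation, Sysmon event 13 for registry value set, System event 7045 for service installation). Assumptions not stated in the article: the registry persistence uses a Run key, the Python payload is launched from the dropped batch file, and every file path and service binary name in the sample events is hypothetical.

```python
"""Detection sketch for the Imperial Kitten TTPs described in this article.

Added example, not code from CrowdStrike, PwC or the article. Event records
are constructed for illustration; field names follow a simplified Sysmon /
Windows System log schema. Assumptions (not from the article): Run-key
persistence, python.exe launched from the dropped .bat, hypothetical paths.
"""
import re

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}
# Assumption: persistence lands in a Run key (article only says "registry modifications").
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", re.IGNORECASE)
# Service name reported by CrowdStrike for StandardKeyboard persistence.
STANDARDKEYBOARD_SERVICE = "keyboard service"

# Constructed sample telemetry (not real data). Paths and binary names are hypothetical.
SAMPLE_EVENTS = [
    {"event_id": 1, "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "command_line": r"cmd.exe /c C:\Users\victim\AppData\Local\Temp\setup.bat"},
    {"event_id": 13, "image": r"C:\Windows\System32\reg.exe",
     "target_object": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\updater",
     "details": r"C:\Users\victim\AppData\Local\Temp\run.bat"},
    {"event_id": 1, "image": r"C:\Python39\python.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "parent_command_line": r"cmd.exe /c C:\Users\victim\AppData\Local\Temp\run.bat",
     "command_line": r"python.exe C:\Users\victim\AppData\Local\Temp\client.py"},
    {"event_id": 7045, "service_name": "Keyboard Service",
     "image_path": r"C:\ProgramData\svc\keyboard.exe"},
    {"event_id": 1, "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\ProgramData\svc\keyboard.exe",
     "command_line": "cmd.exe /c whoami /all"},  # decoded C2 task run by the service
    {"event_id": 1, "image": r"C:\Windows\System32\notepad.exe",
     "parent_image": r"C:\Windows\explorer.exe", "command_line": "notepad.exe"},
]


def basename(path):
    """Lower-cased file name of a Windows path ('' if missing)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (rule_name, event) findings for the TTPs described in the article."""
    findings = []

    # Pass 1: service installs named like StandardKeyboard's persistence service.
    # Remember the binary so child processes of the service can be correlated.
    service_binaries = set()
    for e in events:
        if e.get("event_id") == 7045 and e.get("service_name", "").lower() == STANDARDKEYBOARD_SERVICE:
            findings.append(("standardkeyboard_service", e))
            service_binaries.add(e.get("image_path", "").lower())

    # Pass 2: process and registry telemetry.
    for e in events:
        eid = e.get("event_id")
        if eid == 1:
            image = basename(e.get("image", ""))
            parent = basename(e.get("parent_image", ""))
            cmd = e.get("command_line", "").lower()
            parent_cmd = e.get("parent_command_line", "").lower()
            # Macro stage: Office spawning cmd.exe or a .bat file.
            if parent in OFFICE_APPS and (image == "cmd.exe" or ".bat" in cmd):
                findings.append(("office_spawns_batch", e))
            # Reverse-shell stage: python launched by a batch file (assumed chain).
            if image.startswith("python") and parent == "cmd.exe" and ".bat" in parent_cmd:
                findings.append(("batch_spawns_python", e))
            # Any process spawned by the suspicious service binary.
            if e.get("parent_image", "").lower() in service_binaries:
                findings.append(("keyboard_service_child", e))
        elif eid == 13:
            # Persistence stage: Run-key value pointing at a batch file.
            if RUN_KEY_RE.search(e.get("target_object", "")) and e.get("details", "").lower().endswith(".bat"):
                findings.append(("runkey_batch_persistence", e))
    return findings


def triggered_rules(events):
    """Sorted list of distinct rule names fired on the given events."""
    return sorted({rule for rule, _ in detect(events)})


if __name__ == "__main__":
    for rule, event in detect(SAMPLE_EVENTS):
        print(f"{rule:28s} event_id={event['event_id']}")
```

The correlation in the first pass matters more than any single rule: a service called "Keyboard Service" is a weak indicator on its own, but a process tree rooted at that service binary running reconnaissance commands is what an analyst would pivot on. The same structure extends to PAExec and NetScan execution from the second paragraph by adding image-name rules in the event-1 branch.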
CrowdStrike confirmed for BleepingComputer that the October 2023 attacks targeted Israeli organizations following the Israel-Hamas conflict.
The Threat Intelligence team at PricewaterhouseCoopers (PwC) says that these campaigns occurred between 2022 and 2023 and targeted the maritime, shipping, and logistics sectors, with some of the victims receiving the IMAPLoader malware, which introduced additional payloads.
In other instances, CrowdStrike has seen the hackers breaching networks directly by leveraging public exploit code, using stolen VPN credentials, performing SQL injection, or sending phishing emails to the target organization.