Iranian Hackers Exploit 100+ Embassy Email Accounts in Global Phishing Targeting Diplomats

"The attack chains involve the use of spear-phishing emails with themes related to geopolitical tensions between Iran and Israel to send a malicious Microsoft Word that, when opened, urges recipients to "Enable Content" in order to execute an embedded Visual Basic for Applications (VBA) macro, which is responsible for deploying the malware payload. The email messages, per Dream, were sent to embassies, consulates, and international organizations across the Middle East, Africa, Europe, Asia, and the Americas, suggesting that the activity cast a wide phishing net."
"The digital missives were sent from 104 unique compromised addresses belonging to officials and pseudo-government entities to give them an extra layer of credibility. At least some of the emails originated from a hacked mailbox belonging to the Oman Ministry of Foreign Affairs in Paris (*@fm.gov.om). "The lure content consistently referenced urgent MFA communications, conveyed authority, and exploited the common practice of enabling macros to access content, which are the hallmarks of a well-planned espionage operation that deliberately masked attribution," Dream said."
Israeli cybersecurity company Dream attributed the activity to Iranian-aligned operators connected to a group known as Homeland Justice. Operators sent coordinated, multi-wave spear-phishing emails impersonating diplomatic communications to embassies, consulates, and international organizations across the Middle East, Africa, Europe, Asia, and the Americas. Emails contained malicious Microsoft Word attachments that urged recipients to "Enable Content" to execute embedded VBA macros that deploy malware. The campaign used themes tied to geopolitical tensions between Iran and Israel and referenced urgent Ministry of Foreign Affairs (MFA) communications to convey authority. Attackers sent messages from 104 compromised addresses, including a hacked Oman Ministry of Foreign Affairs mailbox in Paris.
Read at The Hacker News
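Because the messages came from compromised but genuine mailboxes, sender reputation is of little help, so a mail-gateway check has to look at the attachment itself. The following is an added example, not code from the article or from Dream: it flags Word attachments that carry a VBA project regardless of who sent them, and the message, addresses and file names in it are constructed placeholders.

```python
import io
import zipfile
from email import message_from_bytes
from email.message import EmailMessage

OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")  # legacy .doc compound-file header

def has_vba(data):
    """True if an OOXML (zip) document carries a VBA project part."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return False
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        return any(n.lower().endswith("vbaproject.bin") for n in z.namelist())

def triage(raw):
    """Return (filename, verdict) per attachment; the sender is never consulted."""
    results = []
    for part in message_from_bytes(raw).walk():
        name = part.get_filename()
        if not name:
            continue  # message body or multipart container, not an attachment
        data = part.get_payload(decode=True) or b""
        if has_vba(data):
            verdict = "quarantine: VBA project present"
        elif data.startswith(OLE_MAGIC):
            verdict = "review: legacy OLE document, may hold macros"
        else:
            verdict = "pass"
        results.append((name, verdict))
    return results

def constructed_sample():
    """Constructed message: three fake attachments from a placeholder sender."""
    def ooxml(parts):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as z:
            for p in parts:
                z.writestr(p, b"constructed")
        return buf.getvalue()
    m = EmailMessage()
    m["From"], m["To"] = "official@ministry.example", "desk@embassy.example"
    m["Subject"] = "Urgent communication"
    m.set_content("Please enable content to view the attached note.")
    for fn, body in [("note.docm", ooxml(["word/document.xml", "word/vbaProject.bin"])),
                     ("legacy.doc", OLE_MAGIC + b"\0" * 504),
                     ("clean.docx", ooxml(["word/document.xml"]))]:
        m.add_attachment(body, maintype="application", subtype="octet-stream", filename=fn)
    return m.as_bytes()

if __name__ == "__main__":
    for row in triage(constructed_sample()):
        print(row)
```

The check keys on file content rather than the extension, so a renamed macro-enabled document is still caught.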