Iranian Hackers Posed as Aerobics Instructors to Target Aerospace Employees
According to Proofpoint, TA456, a threat actor operating on behalf of the Iranian government, spent years maintaining a fake Facebook persona posing as an aerobics instructor before it was identified as the source of a social engineering and targeted malware campaign.
Using the persona Marcella Flores, the Iranian state-sponsored group cultivated a relationship with an employee at a subsidiary of an aerospace defense contractor. The relationship was maintained across both corporate and personal communication platforms.
In early June 2021, the threat actor attempted to cash in on this relationship by sending the target malware inside an ongoing email thread. The macro-laden document, intended to perform reconnaissance on the target's machine, contained content personalized to the victim, underlining how much value TA456 placed on this particular target.
Once executed, the malware performs reconnaissance on the host, saves the collected details locally, exfiltrates that information over SMTPS to an actor-controlled email account, establishes persistence on the infected machine, and finally erases the host artifacts it created the previous day.
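The exfiltration channel is the most actionable detail in that description: a document-spawned or script-host process has no legitimate reason to open an outbound SMTPS (465) or submission (587) connection. The following is an added example, not code from Proofpoint or from the campaign, of a simple hunt over endpoint network telemetry for exactly that pattern. The CSV log format, the sample rows, the hostnames and IP addresses, and the mail-client allowlist are all constructed for illustration; real telemetry fields will differ.

```python
"""Hunt for SMTP(S) egress from processes that are not mail clients.

Added example (constructed; not Proofpoint's or TA456's code). The log
format, sample rows, addresses and the allowlist are assumptions.
"""
import csv
import io
from collections import defaultdict
from dataclasses import dataclass

SMTP_PORTS = {465, 587}  # SMTPS (implicit TLS) and mail submission (STARTTLS)

# Assumed allowlist of processes that legitimately speak SMTP; tune per estate.
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}

# Constructed CSV export of per-process outbound connection events.
SAMPLE_LOG = """\
ts,host,process,dest_ip,dest_port,bytes_out
2021-06-02T09:14:03Z,WS-1042,outlook.exe,198.51.100.20,587,48213
2021-06-02T09:20:11Z,WS-1042,WINWORD.EXE,203.0.113.7,465,1297
2021-06-02T09:20:12Z,WS-1042,chrome.exe,203.0.113.9,443,88211
2021-06-02T09:21:40Z,WS-1042,wscript.exe,203.0.113.7,465,51204
2021-06-03T09:21:44Z,WS-1042,wscript.exe,203.0.113.7,465,50877
"""


@dataclass(frozen=True)
class Finding:
    ts: str
    host: str
    process: str
    dest: str       # "ip:port"
    bytes_out: int


def find_smtp_egress(log_text, mail_clients=MAIL_CLIENTS, smtp_ports=SMTP_PORTS):
    """Return one Finding per outbound SMTP(S) connection made by a non-mail process."""
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        port = int(row["dest_port"])
        proc = row["process"].lower()  # normalise case: Windows logs mix WINWORD.EXE / winword.exe
        if port in smtp_ports and proc not in mail_clients:
            findings.append(
                Finding(row["ts"], row["host"], proc,
                        f"{row['dest_ip']}:{port}", int(row["bytes_out"]))
            )
    return findings


def summarize_by_destination(findings):
    """Aggregate findings per destination: (connections, total bytes out, distinct days).

    A mailbox relay that is contacted on several days with tens of KB each time
    looks very different from a one-off misconfiguration, so recurrence and
    volume are surfaced together.
    """
    conns = defaultdict(int)
    total = defaultdict(int)
    days = defaultdict(set)
    for f in findings:
        conns[f.dest] += 1
        total[f.dest] += f.bytes_out
        days[f.dest].add(f.ts[:10])  # ISO date prefix
    return {d: (conns[d], total[d], len(days[d])) for d in conns}


if __name__ == "__main__":
    hits = find_smtp_egress(SAMPLE_LOG)
    for h in hits:
        print(f"{h.ts} {h.host} {h.process} -> {h.dest} ({h.bytes_out} bytes)")
    for dest, (n, nbytes, ndays) in summarize_by_destination(hits).items():
        print(f"{dest}: {n} connections, {nbytes} bytes, seen on {ndays} day(s)")
```

The allowlist approach is deliberately strict: in an environment where only a sanctioned mail client should speak SMTP, any other process doing so is worth a look, and an Office or script-host process doing so daily to the same address is worth an immediate investigation.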
State-sponsored actors continue to rely on social engineering campaigns
This campaign illustrates the persistence of certain state-aligned threats and the sustained human effort they are willing to invest in support of espionage operations. In mid-July, Facebook took down a network of similar fake personas that it attributed to the group it tracks as Tortoiseshell.
Over the preceding eight months, according to Proofpoint's research, "Marcella (Marcy) Flores" sent TA456's intended victim benign emails, images, and a video to establish credibility and build rapport. At one point, TA456 tried to deliver a harmless but flirtatious video via a OneDrive link, but the attempt failed.
Around the beginning of June, the TA456 persona sent another OneDrive link, this time purporting to be a diet survey. Facebook has since removed the Flores account as part of a broader effort to identify and disable personas tied to Iranian hacking activity.