An Iranian-aligned hacking group uses a new, elaborate phishing technique in which it operates multiple personas and email accounts to lure targets into thinking they are watching a realistic email conversation.
The attackers send an email to targets while CCing another email address under their control and then respond from that email, engaging in a fake conversation.
Named ‘multi-persona impersonation’ (MPI) by researchers at Proofpoint, who were the first to observe it, the technique leverages the psychological principle of “social proof” to cloud logical thinking and add an element of trustworthiness to the phishing threads.
TA453 is an Iranian threat group believed to be operating from within the IRGC (Islamic Revolutionary Guard Corps), previously seen impersonating journalists to target academics and policy experts in the Middle East.
Multiple persona impersonation
TA453’s new tactic requires far more effort from their side to carry out the phishing attacks, as each target needs to be entrapped in an elaborate realistic conversation held by fake personas, or sock puppets.
However, the extra effort pays off, as it creates a realistic-looking exchange of emails, which makes the conversation look legitimate.
An example shared in Proofpoint’s report dates to June 2022, with the sender masquerading as the Director of Research at FRPI and the email sent to the target and CCing a Director of Global Attitudes Research at the PEW Research Center.
The next day, the impersonated PEW director answered the questions sent by the FRPI director, creating a false sense of an honest conversation that would be enticing for the target to join.
In another case seen by Proofpoint, involving scientists specializing in genome research, the CCed persona replied with a OneDrive link that led to downloading a DOCX document laced with malicious macros.
In a third MPI phishing attack launched by TA453 against two academics specializing in nuclear arms control, the threat actors CCed three personas, going for an even more intricate attack.
In all cases, the threat actors used personal email addresses (Gmail, Outlook, AOL, Hotmail) for both the senders and the CCed persons instead of addresses from the impersonated institutions, which is a clear sign of suspicious activity.
The malicious payload
The documents that targets were tricked into downloading via OneDrive links in TA453’s recent campaign are password-protected files that perform template injection.
“The downloaded template, dubbed Korg by Proofpoint, has three macros: Module1.bas, Module2.bas, and ThisDocument.cls,” details the report.
“The macros collect information such as username, list of running processes along with the user’s public IP from my-ip.io and then exfiltrates that information using the Telegram API.”
The researchers could not observe anything beyond the reconnaissance-beaconing stage, but they assume that later steps deliver additional exploitation to give the remote threat actors code execution on the hosts.