The research team at ThreatBook has uncovered the use of fraudulent websites by the APT35 hacking group, aimed at deploying malware onto the devices of their victims.
APT35, also known as Magic Hound, Cobalt Illusion, or Charming Kitten, is an Iran-backed group linked to the Islamic Revolutionary Guard Corps (IRGC) and has been active since 2014. Their primary targets include energy companies, government agencies, and technology firms in the Middle East, the United States, and other regions.
The analysis revealed attacks focusing on the aerospace and semiconductor industries in the United States, Thailand, the UAE, and Israel. The threat actors employ phishing websites disguised as recruitment portals or corporate resources. These sites host programs that combine legitimate elements with malicious modules, which unsuspecting users download and execute.
One such site, targeting a drone development expert in Thailand, contained a program named SignedConnection.exe, designed to covertly execute malicious DLL modules. These modules enable hackers to establish malware persistence via Windows registry entries, alter files, evade static analysis, and create hidden copies for subsequent execution. Moreover, hardcoded credentials discovered within the program suggest the deliberate and focused nature of the attack.
To bypass security measures, the group leverages widely used internet services such as OneDrive, Google Cloud, and GitHub, along with advanced string encryption techniques. Their command-and-control (C2) servers are hosted across various platforms, including GitHub and OneDrive, with backup addresses embedded in the code.
Another attack targeted a semiconductor company, employing a fake VPN application containing a DLL module that acted as a loader for malware. Malicious traffic was directed to C2 servers, and fake PDF documents were used to lure victims.
The infrastructure utilized by APT35 includes hardcoded backup C2 server addresses, such as msdnhelp.com. Analysts speculate that the next stage of the attack may involve deploying a trojan, although the final payload has not been captured.
ThreatBook has compiled indicators of compromise (IOCs), including malicious files, IP addresses, and domains associated with the attacks. To mitigate such threats, organizations are advised to implement solutions capable of analyzing threats and blocking malicious activity.
