Iranian hackers attacked Israel’s technology sector

  • November 12, 2023

Security researchers have tracked a new Imperial Kitten campaign targeting transportation, logistics and technology companies. Imperial Kitten is also known as Tortoiseshell, TA456, Crimson Sandstorm and Yellow Liderc, and has used the online persona "Marcella Flores" for several years.

The group is assessed to be affiliated with the Islamic Revolutionary Guard Corps (IRGC), a branch of the Iranian armed forces. It has been active since at least 2017, launching cyber attacks on organizations in sectors including defense, technology, telecommunications, maritime, energy, consulting and professional services.

The latest attacks were discovered by researchers at cybersecurity firm CrowdStrike, who attributed them to Imperial Kitten based on infrastructure overlaps with past campaigns, observed tactics, techniques and procedures (TTPs), use of the IMAPLoader malware, and the phishing lures employed.

Imperial Kitten attacks

In a report published earlier this week, the researchers say Imperial Kitten launched phishing attacks in October using the subject line "recruitment" in emails carrying a malicious Microsoft Excel attachment. When the document is opened, the malicious macro drops two batch files that create persistence through registry changes and run Python payloads for reverse shell access.

The attacker then moves laterally through the network using tools such as PAExec for remote process execution and NetScan for network discovery. They also use ProcDump to dump credentials from system memory.

Communication with the command and control (C2) server is handled by the custom malware IMAPLoader and StandardKeyboard, both of which use email to exchange information. The researchers say StandardKeyboard persists on the compromised machine as a Windows service named "Keyboard Service" and executes base64-encoded commands received from the C2.
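The intrusion chain described above (Excel macro dropping batch files, Run-key persistence, a Python reverse shell, PAExec/NetScan/ProcDump, and a "Keyboard Service" receiving base64 commands) maps cleanly onto endpoint hunting rules. The following is an added example, not code from the original article, CrowdStrike or PwC: it runs such rules over constructed sample events. The event schema (`type`, `host`, `parent`, `image`, `cmdline`, `key`, `value`, `name`) is a hypothetical, Sysmon-like simplification, the sample events are made up for the example, and the "three distinct rules per host" correlation threshold in `hosts_with_chain` is my own choice rather than anything the report states.

```python
"""Added example (not from the article, CrowdStrike or PwC): hunting rules for the
Imperial Kitten chain described above, run over constructed sample telemetry."""
import base64
import binascii
import re

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}
USER_WRITABLE = ("\\temp\\", "\\appdata\\", "\\programdata\\", "\\users\\public\\")
RUN_KEY_RE = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run(once)?\\", re.I)

# Constructed sample events in a hypothetical, Sysmon-like schema (not real telemetry).
SAMPLE_EVENTS = [
    {"type": "process", "host": "ws01", "parent": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": r'cmd.exe /c "C:\Users\alice\AppData\Local\Temp\update.bat"'},
    {"type": "registry", "host": "ws01", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "value": r"C:\Users\alice\AppData\Local\Temp\run.bat"},
    {"type": "process", "host": "ws01", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Users\alice\AppData\Local\Programs\Python\python.exe", "cmdline": r"python.exe C:\Users\alice\AppData\Local\Temp\client.py"},
    {"type": "process", "host": "ws01", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Users\alice\AppData\Local\Temp\procdump64.exe", "cmdline": r"procdump64.exe -accepteula -ma lsass.exe C:\Temp\l.dmp"},
    {"type": "process", "host": "ws01", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Users\alice\AppData\Local\Temp\paexec.exe", "cmdline": r"paexec.exe \\fs02 -s cmd.exe /c whoami"},
    {"type": "process", "host": "ws01", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Users\alice\AppData\Local\Temp\netscan.exe", "cmdline": "netscan.exe"},
    {"type": "service", "host": "fs02", "name": "Keyboard Service", "image": r"C:\ProgramData\kbd\svc.exe"},
    {"type": "process", "host": "ws02", "parent": r"C:\Windows\explorer.exe",  # benign control
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe notes.txt"},
]


def _basename(path):
    """Lower-cased file name of a Windows or POSIX path ('' if empty)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_process(ev):
    """Rules for process-creation events; returns a list of (rule, detail)."""
    parent, image = _basename(ev.get("parent", "")), _basename(ev.get("image", ""))
    cmd = ev.get("cmdline", "").lower()
    hits = []
    if parent in OFFICE_APPS and image in SCRIPT_HOSTS:      # macro runs the dropped batch files
        hits.append(("office_spawns_script_host", f"{parent} -> {image}"))
    if parent in SCRIPT_HOSTS and image.startswith("python"):  # batch file starts the Python reverse shell
        hits.append(("script_host_launches_python", cmd))
    if image.startswith("procdump") and "lsass" in cmd:        # credential dump from memory
        hits.append(("procdump_lsass", cmd))
    if image.startswith("paexec") or "paexec" in cmd:          # lateral movement
        hits.append(("paexec_remote_exec", cmd))
    if image.startswith("netscan"):                            # network discovery
        hits.append(("netscan_discovery", cmd))
    return hits


def check_registry(ev):
    """Run/RunOnce autostart entries pointing at .bat files or user-writable paths."""
    key, value = ev.get("key", ""), ev.get("value", "").lower()
    if RUN_KEY_RE.search(key) and (value.endswith(".bat") or any(p in value for p in USER_WRITABLE)):
        return [("run_key_persistence", f"{key} = {value}")]
    return []


def check_service(ev):
    """Service named as the report describes for StandardKeyboard."""
    if ev.get("name", "").strip().lower() == "keyboard service":
        return [("standardkeyboard_service", ev.get("image", ""))]
    return []


CHECKS = {"process": check_process, "registry": check_registry, "service": check_service}


def hunt(events):
    """Run every rule over the events; returns one finding dict per hit."""
    findings = []
    for ev in events:
        for rule, detail in CHECKS.get(ev.get("type"), lambda _: [])(ev):
            findings.append({"host": ev.get("host"), "rule": rule, "detail": detail})
    return findings


def hosts_with_chain(findings, min_rules=3):
    """Hosts on which at least min_rules distinct rules fired (threshold is an assumption)."""
    per_host = {}
    for f in findings:
        per_host.setdefault(f["host"], set()).add(f["rule"])
    return sorted(h for h, rules in per_host.items() if len(rules) >= min_rules)


def decode_c2_command(body):
    """Strictly decode a base64 command body of the kind StandardKeyboard is described
    to receive; returns None instead of guessing when it is not valid base64 UTF-8."""
    try:
        return base64.b64decode("".join(body.split()), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


if __name__ == "__main__":
    results = hunt(SAMPLE_EVENTS)
    for f in results:
        print(f"{f['host']:<5} {f['rule']:<28} {f['detail']}")
    print("hosts with >=3 distinct rule hits:", hosts_with_chain(results))
```

Single rules such as "cmd.exe launched python.exe" are noisy on developer workstations, which is why the example correlates distinct rule hits per host before raising the host; against real exports the field names must be mapped onto whatever the EDR or Sysmon configuration emits, and the ProcDump and PAExec rules should be paired with the published IoCs rather than relied on alone, since both tools are trivially renamed.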

CrowdStrike confirmed to BleepingComputer that the October 2023 attacks targeted Israeli organizations in the wake of the Israel-Hamas conflict.

Past campaigns

In previous activity, Imperial Kitten carried out watering hole attacks by compromising several Israeli websites with JavaScript code that collects visitor information such as browser data and IP address in order to profile potential targets. PricewaterhouseCoopers' (PwC) Threat Intelligence team said the campaigns took place between 2022 and 2023 and targeted the maritime, transportation and logistics industries, with some victims receiving the IMAPLoader malware, which delivered additional payloads.

In other cases, CrowdStrike has seen the hackers breach networks directly using publicly available exploit code, stolen VPN credentials or SQL injection, or via phishing emails sent to a targeted organization. Both CrowdStrike and PwC provide indicators of compromise (IoCs) for the malware and attacker infrastructure used in the observed attacks.

Source: Port Altele
