
Russia-Linked Hackers Hijack Infrastructure of Iranian Threat Group


Three recent campaigns associated with the cyber-espionage group Turla employed different tools, revealing a rapidly evolving portfolio, Symantec reports. The second campaign involved Meterpreter, a publicly available backdoor, along with two custom loaders, a custom backdoor called photobased.dll, and a custom Remote Procedure Call (RPC) backdoor. In the third campaign, the threat actor used a different custom RPC backdoor (not the version observed in the second campaign) that packed code derived from the PowerShellRunner tool to execute PowerShell scripts while evading detection. Other tools leveraged by the hackers in these attacks include: a custom dropper used to install Neptun; a hacking tool that combines four NSA tools (EternalBlue, EternalRomance, DoublePulsar, SMBTouch); a USB data-collecting tool; Visual Basic scripts for reconnaissance; PowerShell scripts for reconnaissance and credential theft; and publicly available tools (IntelliAdmin, SScan, NBTScan, PsExec, Mimikatz, and Certutil.exe).
