The Iranian threat group TA453 has adopted a new phishing technique known as Multi-Persona Impersonation (MPI). The group uses several personas, each with its own email account, to draw targets into realistic-looking email conversations that are hard to recognize as malicious.

The MPI phishing technique

Proofpoint researchers describe MPI as relying on the psychological principle of social proof: a thread that appears to involve several independent people looks more authentic, so the target is lured more easily. The technique demands considerable attention to detail, including monitoring the activity of the real person being impersonated (where one exists), creating the fake email accounts, and keeping the conversation with the potential victim as realistic as possible.

How the attackers faked the scenarios

  • In the first case, the sender posed as the Director of Research at FRPI and CCed a persona posing as the Director of Global Attitudes Research at the Pew Research Center in the email sent to the target.
  • In the second case, which targeted scientists specializing in genome research, it was the CCed persona that replied with a OneDrive link; the link led to a DOCX document that loaded malicious macros.
  • In a third attack, against two academics specializing in nuclear arms control, the group CCed three personas to make the conversation look even more legitimate.

Additional details

  • In all attacks, the group sent from personal email addresses (Outlook, AOL, Gmail, and Hotmail) and CCed personas claiming to belong to the impersonated organizations.
  • The OneDrive links lead to password-protected documents that use remote template injection: the macros live in a remote template fetched when the document is opened, not in the document itself. The template, named Korg, carries three macros: Module1[.]bas, Module2[.]bas, and ThisDocument[.]cls.
  • The macros collect the username, the list of running processes, and the victim's public IP address (queried from my-ip[.]io).
  • The collected information is exfiltrated through the Telegram API.
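The delivery chain above can be checked from both sides. The following is an added example, not Proofpoint's or Cyware's code: a scanner that looks for the remote-template (attachedTemplate) relationship a DOCX uses for template injection, a triage step that recognizes a password-protected DOCX as an encrypted OLE container that cannot be inspected without the password from the lure, and a proxy-log check for the Telegram bot API calls and public-IP lookups used for exfiltration. The template URL, the bot token, and the log lines are all constructed for the example.

```python
"""Triage helpers for the TA453 document chain. Added example; all inputs are constructed."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # CFB header: password-protected OOXML looks like this
ZIP_MAGIC = b"PK\x03\x04"                          # plain OOXML is a zip
PKG_REL = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")


def find_remote_templates(docx_bytes):
    """Return external attachedTemplate targets found in any .rels part of a DOCX.
    Remote template injection is exactly such a relationship with TargetMode="External":
    Word fetches the URL on open and applies the template, macros included."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{PKG_REL}}}Relationship"):
                if (rel.get("Type") == ATTACHED_TEMPLATE
                        and rel.get("TargetMode", "Internal").lower() == "external"):
                    hits.append(rel.get("Target", ""))
    return hits


def triage_attachment(data):
    """Classify an attachment before deciding whether the .rels scan can run at all."""
    if data.startswith(OLE_MAGIC):
        # A password-protected DOCX is wrapped in an encrypted OLE/CFB container, so the
        # relationship parts are unreadable until it is decrypted with the password
        # from the lure. The protection is itself a triage finding.
        return {"kind": "encrypted-ole", "needs_password": True, "remote_templates": []}
    if data.startswith(ZIP_MAGIC):
        try:
            return {"kind": "docx", "needs_password": False,
                    "remote_templates": find_remote_templates(data)}
        except zipfile.BadZipFile:
            return {"kind": "bad-zip", "needs_password": False, "remote_templates": []}
    return {"kind": "unknown", "needs_password": False, "remote_templates": []}


def make_sample_docx(template_url=None):
    """Build a minimal DOCX in memory (constructed test input, not a real sample)."""
    rels = ('<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
            f'<Relationships xmlns="{PKG_REL}">')
    if template_url:
        rels += (f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
                 f'Target="{template_url}" TargetMode="External"/>')
    rels += "</Relationships>"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml",
                    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("word/document.xml",
                    '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"><w:body/></w:document>')
        zf.writestr("word/_rels/settings.xml.rels", rels)
    return buf.getvalue()


# Network side: a Telegram bot token is "<digits>:<url-safe chars>" and the bot API is
# called as api.telegram.org/bot<token>/<method>; the IP-lookup host is the one named above.
TELEGRAM_BOT_API = re.compile(r"api\.telegram\.org/bot\d+:[A-Za-z0-9_-]{20,}/\w+", re.I)
IP_LOOKUP_HOST = re.compile(r"(?:^|[/.\s])my-ip\.io(?:[/:\s]|$)", re.I)


def flag_proxy_lines(lines):
    """Return (line_number, reason) for proxy log lines carrying the exfil/recon indicators."""
    findings = []
    for n, line in enumerate(lines, 1):
        if TELEGRAM_BOT_API.search(line):
            findings.append((n, "telegram-bot-api"))
        elif IP_LOOKUP_HOST.search(line):
            findings.append((n, "public-ip-lookup"))
    return findings


# Constructed proxy log lines; the bot token is fake.
SAMPLE_PROXY_LOG = [
    "10.0.4.17 GET https://my-ip.io/ 200",
    "10.0.4.17 POST https://api.telegram.org/bot123456789:AAF0123456789abcdefghijklmnopqrstuv/sendMessage 200",
    "10.0.4.18 GET https://www.example.com/index.html 200",
]

if __name__ == "__main__":
    doc = make_sample_docx("https://example.invalid/Korg")   # template URL is an assumption
    print(triage_attachment(doc))
    print(triage_attachment(OLE_MAGIC + b"\x00" * 16))
    print(flag_proxy_lines(SAMPLE_PROXY_LOG))
```

The scanner only ever sees the relationship, not the template, so a hit on an external attachedTemplate target is a reason to fetch and detonate that URL in a sandbox rather than proof of macros by itself; conversely, an encrypted container in a thread where a CCed persona supplied both the link and the password is the pattern this campaign relied on and should be escalated even though nothing inside it can be read yet.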

Conclusion

Researchers warn that organizations should stay alert when receiving email from unknown or suspicious senders. A thread in which a CCed "colleague" is the one who eventually supplies the link deserves the same scrutiny as a cold email. Techniques like MPI are expected to evolve and cause greater harm in the future.
Cyware Publisher