Iranian hackers spent 18 months masquerading as an aerobics instructor in a cyber-espionage campaign designed to infect employees and contractors working in defence and aerospace with malware in order to steal usernames, passwords and other information which could be exploited.
Active since at least 2019, the campaign used Facebook, Instagram and emails to pose as the fake persona “Marcella Flores”. The attackers could spend months building up a rapport with targets via messages and emails before distributing malware after the trust was gained.
The campaign has been detailed by cybersecurity researchers at Proofpoint who’ve linked it to TA456, also known as Tortoiseshell — a state-backed Iranian hacking group with ties to the Islamic Revolutionary Guard Corps (IRGC) branch of the Iranian military.
The way a fake social media profile was run for so long demonstrates the amount of effort and persistence that those behind the espionage campaign went to in an effort to target individuals of interest, predominantly people working for US defence contractors, particularly those involved in supporting operations in the Middle East.
Marcella’s public-facing Facebook profile claimed she was an aerobics instructor in Liverpool, England — and her friends’ list contained several people identifying as defence contractors on their profiles.
The attackers behind the fake persona used email, social media profiles, photos and even flirtatious messages to give the impression she was a genuine person while in contact with the targets.
After a period of messages back and forth with the target, the attackers used a Gmail account set up as the persona to send a OneDrive link that contained a document or a video file to the victim. It’s this lure that was used to distribute malware to the victim — an updated version of Lideric malware, which researchers have dubbed Lempo.
This malware secretly establishes persistence on the victim’s Windows computer, allowing the attackers to search for and steal sensitive information, including usernames and passwords, which then get sent to the back to those running the operation. Proofpoint said due to the specific targeting of victims; it was not possible to say whether those attacks were successful.
The stolen usernames and passwords could help the attackers conduct further espionage campaigns. Defence contractors were likely targeted because stealing their credentials could provide the attackers with the means of moving further up the supply chain and gaining access to the networks of defence and aerospace firms.
Stolen passwords could be exploited to gain remote access to VPNs and remote software, or compromised credentials could be used to conduct further phishing attacks.
“The information gathered by Lempo could be operationalized in a variety of ways including the utilization of stolen VPN credentials, exploitation of vulnerabilities in the identified software, or the customization of follow-on malware to be delivered,” Sherrod DeGrippo, senior director of threat research and detection at Proofpoint told .
Iranian state-backed hacking and cyber espionage groups have previously engaged in this kind of social engineering, using false social media profiles of women to lure individuals into downloading malware. Like other known Iranian espionage campaigns, this one is focused on the defence industry and particularly companies providing support to military operations in the Middle East. All of this has led to Proofpoint attributing the campaign to Iranian state-linked hacking group TA456.
Facebook shut down Marcella’s profile in July after identifying it and other accounts as working on cyber-espionage operations on behalf of Tortoiseshell. Facebook has linked malware used in the campaigns to an Iranian IT company with links to the IRGC.
The attackers behind the Marcella Flores persona spent at least 18 months running the account and using it for social engineering. The dedication to creating and maintaining these false personas, complete with the hands-on effort required for attackers to interact with potential victims, means it’s unlikely that this is the last time IRGC affiliated espionage and malware distribution campaigns will use these tactics.
“TA456’s years-long dedication to significant social engineering, benign reconnaissance of targets prior to deploying malware, and their cross-platform kill chain makes them a very resourceful threat actor and signifies that they must be experiencing success in gaining information that meets their operational goals,” said DeGrippo.
The Marcella Flores operation and other espionage campaigns operating out of Iran demonstrate how effective social engineering can be as part of malicious hacking campaigns – and the importance of being mindful about what you share on public social media profiles.
“It is especially important for those working within or tangentially to the defense industrial base to be vigilant when engaging with unknown individuals regardless of whether it is via work or personal accounts,” said DeGrippo.
“Malicious actors will often utilize publicly available information about a target to build up a picture of their role, connections, access to information, and vulnerability to attacks — ‘oversharing’ on social media is a particularly risky behaviour in sensitive industries, so organizations should ensure employees are properly and frequently trained in security awareness,” she added.