An Iran-based APT group, Mint Sandstorm, has been linked to attacks that targeted U.S. critical infrastructure from 2021 to mid-2022. Microsoft, which previously tracked the group as PHOSPHORUS, has reported that the APT group could be refining its TTPs.

Attack campaign by Mint Sandstorm

Mint Sandstorm has started weaponizing n-day vulnerabilities in enterprise apps by using publicly posted PoCs. It used custom tools against selected targets, such as organizations in the energy and transportation sectors.
  • It recently started abusing several vulnerabilities, including CVE-2022-47986 (IBM Aspera Faspex), CVE-2022-47966 (Zoho ManageEngine), CVE-2021-44228, and CVE-2021-45046 (Log4Shell).
  • The group targets private/public organizations, including activists, journalists, the Defense Industrial Base (DIB), political dissidents, and employees from various government agencies.
  • From late 2021 to mid-2022, one of the subgroups of Mint Sandstorm performed a series of attacks against energy organizations, seaports, transit systems, and utility and gas entities.

Multiple attack chains

Microsoft further revealed that after gaining initial access, the APT group deploys a custom PowerShell script for the discovery phase that aims to collect intelligence. If the victim fulfills the group’s requirements, it then follows one of two attack chains:
  • Attack chain 1: The group uses Impacket for lateral movement and relies extensively on PowerShell scripts to enumerate admin accounts and enable RDP connections. Additionally, it uses an SSH tunnel for C2 and steals the Active Directory database for accessing credentials for user accounts.
  • Attack chain 2: The group uses Impacket for lateral movement and uses the webhook[.]site for C2, creating scheduled tasks to maintain persistence. Further, it deploys custom malware payloads Drokbk or Soldier instead of making use of simple scripts and publicly available tools.
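The post-exploitation behaviours listed in both chains (enabling RDP, scheduled-task persistence, webhook.site callbacks, theft of the AD database) can be correlated per host from process and network telemetry. The following is an added detection example, not code from the Microsoft report or this write-up; it runs over constructed sample events, and the concrete indicators it keys on (the fDenyTSConnections registry value, ntdsutil/ntds.dit, schtasks /create) are assumed typical methods that the summary above does not itself name.

```python
"""Heuristic detection for the post-exploitation behaviours described above,
run over constructed sample events (not telemetry from a real incident)."""
import re

# Assumed indicators: RDP enablement via registry, AD database dumping,
# scheduled-task persistence. The summary only names the behaviours.
RULES = [
    ("rdp_enabled_via_registry",
     re.compile(r"fDenyTSConnections.*\b0\b", re.I)),
    ("ad_database_dump",
     re.compile(r"ntdsutil|ntds\.dit|vssadmin\s+create\s+shadow", re.I)),
    ("scheduled_task_persistence",
     re.compile(r"schtasks(\.exe)?\s+/create", re.I)),
]
# C2 domain named in the write-up (defanged there as webhook[.]site).
C2_DOMAIN_RE = re.compile(r"(^|\.)webhook\.site$", re.I)

def classify_event(event):
    """Return the rule names one event matches. Events are dicts with a
    'type' of 'process' (has 'cmdline') or 'network' (has 'dest_host')."""
    hits = []
    if event["type"] == "process":
        hits = [name for name, pat in RULES if pat.search(event["cmdline"])]
    elif event["type"] == "network" and C2_DOMAIN_RE.search(event["dest_host"]):
        hits.append("webhook_site_c2")
    return hits

def triage(events):
    """Map each host to its matched rules; only hosts showing two or more
    distinct behaviours are escalated, so a lone hit stays in review."""
    per_host = {}
    for ev in events:
        for hit in classify_event(ev):
            per_host.setdefault(ev["host"], set()).add(hit)
    return {h: sorted(r) for h, r in per_host.items() if len(r) >= 2}

# Constructed sample telemetry for demonstration only.
SAMPLE_EVENTS = [
    {"host": "SRV01", "type": "process",
     "cmdline": 'powershell.exe Set-ItemProperty "HKLM:\\SYSTEM\\CurrentControlSet'
                '\\Control\\Terminal Server" -Name fDenyTSConnections -Value 0'},
    {"host": "SRV01", "type": "process",
     "cmdline": "schtasks /create /tn Updater /tr C:\\Users\\Public\\run.bat /sc minute"},
    {"host": "SRV01", "type": "network", "dest_host": "webhook.site"},
    {"host": "DC01", "type": "process",
     "cmdline": 'ntdsutil "ac i ntds" "ifm" "create full C:\\temp" q q'},
    {"host": "WS07", "type": "process", "cmdline": "notepad.exe notes.txt"},
]

if __name__ == "__main__":
    for host, rules in triage(SAMPLE_EVENTS).items():
        print(host, rules)
```

DC01's single ntdsutil hit is deliberately not escalated by `triage`; `classify_event` still surfaces it so an analyst can review single-indicator hosts separately.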

Conclusion

Further enhancements in Mint Sandstorm’s TTPs mean that its attacks are likely to be sharper than ever, posing a serious risk to organizations operating critical infrastructure. Microsoft suggests blocking executable files from running unless they meet trusted-list criteria, blocking Office apps from creating executable content, and blocking process creations originating from PSExec and WMI commands.
Cyware Publisher