Security researchers have tracked a new campaign from Imperial Kitten targeting transportation, logistics, and technology firms.
Imperial Kitten is also known as Tortoiseshell, TA456, Crimson Sandstorm, and Yellow Liderc, and for several years it used the online persona Marcella Flores.
It is a threat actor linked to the Islamic Revolutionary Guard Corps (IRGC), a branch of the Iranian Armed Forces, and has been active since at least 2017 carrying out cyberattacks against organizations in various sectors, including defense, technology, telecommunications, maritime, energy, and consulting and professional services.
The recent attacks were discovered by researchers at cybersecurity company CrowdStrike, who made the attribution based on infrastructure overlaps with past campaigns, observed tactics, techniques, and procedures (TTPs), the use of the IMAPLoader malware, and phishing lures.
Imperial Kitten attacks
In a report published earlier this week, researchers say that Imperial Kitten launched phishing attacks in October using a ‘job recruitment’ theme in emails carrying a malicious Microsoft Excel attachment.
When the document is opened, the malicious macro code within it extracts two batch files that create persistence through registry modifications and run Python payloads for reverse shell access.
The attacker then moves laterally on the network using tools like PAExec to execute processes remotely and NetScan for network reconnaissance. Additionally, they employ ProcDump to obtain credentials from the system memory.
Communication with the command and control (C2) server is achieved using the custom malware IMAPLoader and StandardKeyboard, both relying on email to exchange information.
The researchers say that StandardKeyboard persists on the compromised machine as the Windows Service Keyboard Service and executes base64-encoded commands received from the C2.
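The email-based C2 described above exchanges base64-encoded commands. As an added illustration (not code from the CrowdStrike report or from this article), the Python heuristic below scans constructed mail bodies for base64 tokens that decode to shell-command-like text; the command keywords, length threshold and printable-ratio cutoff are assumptions chosen for the example.

```python
import base64
import binascii
import re
import string
from typing import List, Optional, Tuple

# Runs of at least 16 base64 alphabet characters, optionally padded, not glued to other base64 text.
B64_TOKEN = re.compile(r"(?<![A-Za-z0-9+/])[A-Za-z0-9+/]{16,}={0,2}(?![A-Za-z0-9+/=])")

# Hypothetical command indicators for the example; not taken from the reported campaign.
COMMAND_HINTS = ("cmd.exe", "cmd /c", "powershell", "whoami", "net user", "reg add", "schtasks")

PRINTABLE = set(string.printable)


def decode_if_text(token: str) -> Optional[str]:
    """Strictly decode a base64 token; return the text only if it is almost entirely printable ASCII."""
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None
    text = raw.decode("ascii", errors="replace")
    if not text:
        return None
    printable = sum(ch in PRINTABLE for ch in text)
    if printable / len(text) < 0.95:  # assumed cutoff: binary attachments fall well below it
        return None
    return text


def find_encoded_commands(mail_body: str) -> List[Tuple[str, str]]:
    """Return (token, decoded) pairs for base64 tokens whose decoded text looks like a shell command."""
    hits = []
    for token in B64_TOKEN.findall(mail_body):
        decoded = decode_if_text(token)
        if decoded and any(hint in decoded.lower() for hint in COMMAND_HINTS):
            hits.append((token, decoded))
    return hits


# Constructed sample mail bodies (not real campaign traffic): one encoded command, one benign
# message, and one benign message carrying base64 of binary data.
SAMPLE_MAILS = [
    "Re: invoice 2023-10\n" + base64.b64encode(b"cmd.exe /c whoami > C:\\Users\\Public\\out.txt").decode() + "\n",
    "Hi team, the meeting is moved to Thursday. Thanks!",
    "Attached: " + base64.b64encode(bytes(range(40))).decode(),
]

if __name__ == "__main__":
    for i, body in enumerate(SAMPLE_MAILS):
        for _token, decoded in find_encoded_commands(body):
            print(f"mail {i}: base64 token decodes to command-like text -> {decoded!r}")
```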
CrowdStrike confirmed for BleepingComputer that the October 2023 attacks targeted Israeli organizations following the Israel-Hamas conflict.
Past campaigns
In previous activity, Imperial Kitten carried out watering hole attacks by compromising several Israeli websites with JavaScript code that collected information about visitors, such as browser data and IP address, profiling potential targets.
The Threat Intelligence team at PricewaterhouseCoopers (PwC) says that these campaigns occurred between 2022 and 2023 and targeted the maritime, shipping, and logistics sectors, with some of the victims receiving the IMAPLoader malware, which introduced additional payloads.
In other instances, CrowdStrike has seen the hackers breach networks directly, leveraging public exploit code, using stolen VPN credentials, performing SQL injection, or sending phishing emails to the target organization.
Both CrowdStrike and PwC [1, 2] provide indicators of compromise (IoCs) for malware and the adversary’s infrastructure used in the observed attacks.