©2021 Reporters Post24. All Rights Reserved.
Iranian hackers spent 18 months masquerading as an aerobics instructor in a cyber-espionage campaign designed to infect employees and contractors working in defence and aerospace with malware in order to steal usernames, passwords and other information which could be exploited.
Active since at least 2019, the campaign used Facebook, Instagram and emails to pose as the fake persona “Marcella Flores”. The attackers could spend months building up a rapport with targets via messages and emails, distributing malware only once that trust had been gained.
The campaign has been detailed by cybersecurity researchers at Proofpoint who’ve linked it to TA456, also known as Tortoiseshell — a state-backed Iranian hacking group with ties to the Islamic Revolutionary Guard Corps (IRGC) branch of the Iranian military.
Running a fake social media profile for so long demonstrates the effort and persistence those behind the espionage campaign invested in targeting individuals of interest, predominantly people working for US defence contractors, particularly those involved in supporting operations in the Middle East.
Marcella’s public-facing Facebook profile claimed she was an aerobics instructor in Liverpool, England — and her friends’ list contained several people identifying as defence contractors on their profiles.
The attackers behind the fake persona used email, social media profiles, photos and even flirtatious messages to give the impression she was a genuine person while in contact with the targets.
After a period of messages back and forth with the target, the attackers used a Gmail account set up as the persona to send the victim a OneDrive link containing a document or a video file. This lure was used to deliver the malware: an updated version of the Liderc malware, which researchers have dubbed Lempo.