Related Families: Drokbk, Soldier
Verticals Targeted: Critical Infrastructure, Telecommunications, Government, Energy, Transportation, Utilities, Oil & Gas
Executive Summary
Mint Sandstorm was recently observed targeting US critical infrastructure entities. These include seaports, energy companies, transportation systems, and a US utility and gas entity.
Key Takeaways
- Mint Sandstorm was recently observed targeting US critical infrastructure entities.
- Mint Sandstorm is an Iran nexus threat actor group associated with the Iranian Revolutionary Guard Corps.
- The threat actors use a combination of phishing, common exploits, and custom tools.
The Campaign
Microsoft recently reported on a nation-state cyber-espionage group, dubbed Mint Sandstorm (formerly Phosphorus), which has been targeting US critical infrastructure entities.
Mint Sandstorm is believed to be associated with the Iranian government and has been using a combination of social engineering, spear-phishing, and common exploits to gain access to its targets' networks. The group has been particularly successful in targeting organizations in the telecommunications and government sectors, as well as energy and transportation sector entities.
Microsoft notes Mint Sandstorm's tactics, techniques, and procedures (TTPs) have evolved over time, reflecting the group's commitment to improving its tradecraft. For example, the group has developed custom malware and improved its phishing emails to make them more convincing.
In recent campaigns, a Mint Sandstorm subgroup has leveraged N-day vulnerabilities in enterprise applications and used targeted phishing to successfully gain access to victim networks. This subgroup has more mature operational capabilities than others under the overall Mint Sandstorm umbrella. From late 2021 to mid-2022, the group began targeting US critical infrastructure, such as seaports, energy companies, transportation systems, and a US utility and gas entity. Earlier this year, the subgroup began leveraging CVE-2022-47966 and CVE-2022-47986 shortly after the PoCs were made publicly available.
After obtaining access to a victim network, the threat actors deploy a custom PowerShell script to use in the discovery process. If the victim does not meet targeting requirements or is not deemed of high enough value, the threat actors seem to halt further action. If they continue to pursue the victim, one of two attack chains is employed.
In the first attack chain, the threat actors move laterally using Impacket and leverage PowerShell scripts to enumerate admin accounts and enable RDP. They then use an SSH tunnel for C2. The main objective in this attack chain seems to be the theft of the Active Directory database. The threat actors can then use these credentials for further access and for social engineering.
In the second attack chain, the threat actors use Impacket for lateral movement, use webhook[.]site for C2, and use scheduled tasks to maintain persistence. They deploy Drokbk, Soldier, or another custom malware variant as the final payload. Drokbk is a custom .NET implant containing an installer and a backdoor payload. Soldier is a multistage .NET backdoor capable of downloading and running additional tools and uninstalling itself.
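As an added illustration of how a defender might hunt for the behaviours named in both attack chains (admin enumeration, RDP enablement, Impacket-style execution, AD database access, scheduled-task C2 to webhook[.]site), here is hypothetical triage logic with constructed log lines; it is not code from PolySwarm, Microsoft, or the report, and the regexes and log format are this example's own assumptions.

```python
import re
from typing import Dict, List, Tuple

# Rule names follow the behaviours the report describes; the regexes and the
# log format are this example's own assumptions, not vendor detection content.
RULES: Dict[str, re.Pattern] = {
    # Chain 1: PowerShell enumeration of admin accounts
    "admin_enumeration": re.compile(
        r"Get-LocalGroupMember|net(?:\.exe)?\s+(?:local)?group\b.*admin", re.I),
    # Chain 1: RDP enabled by clearing fDenyTSConnections
    "rdp_enabled": re.compile(
        r"fDenyTSConnections.*(?:/d|-Value)\s+0\b", re.I),
    # Chain 1: access to the Active Directory database
    "ad_database_access": re.compile(r"ntds\.dit|ntdsutil", re.I),
    # Both chains: Impacket wmiexec-style command with output redirected
    # to the ADMIN$ share over loopback
    "impacket_exec": re.compile(
        r"cmd\.exe /Q /c .*\\\\127\.0\.0\.1\\ADMIN\$", re.I),
    # Chain 2: scheduled task whose action reaches webhook.site (C2)
    "schtask_webhook_c2": re.compile(
        r"(?:schtasks|TaskScheduler|4698).*webhook\.site", re.I),
}

def triage(lines: List[str]) -> List[Tuple[int, str]]:
    """Return (1-based line number, rule name) for every rule that fires."""
    hits = []
    for no, line in enumerate(lines, 1):
        for name, pat in RULES.items():
            if pat.search(line):
                hits.append((no, name))
    return hits

def chain_summary(hits: List[Tuple[int, str]]) -> Dict[str, int]:
    """Count hits per rule so an analyst can see which chain is in play."""
    counts = {name: 0 for name in RULES}
    for _, name in hits:
        counts[name] += 1
    return counts

# Constructed sample log lines (not real telemetry); the webhook token is a placeholder.
SAMPLE_LOG = [
    "4688 New Process: powershell.exe Get-LocalGroupMember Administrators",
    r"4688 New Process: reg.exe add HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server /v fDenyTSConnections /t REG_DWORD /d 0 /f",
    r"4688 New Process: cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1700000000.1 2>&1",
    r"4663 File read: C:\Windows\NTDS\ntds.dit by process id 4120",
    "4698 Scheduled task created: Updater, action powershell.exe -c iwr https://webhook.site/PLACEHOLDER-TOKEN",
    "4624 Logon Type 10 user alice from 10.0.0.5",
]
```

Running `triage(SAMPLE_LOG)` flags the first five lines (one rule each) and leaves the ordinary RDP logon untouched; `chain_summary` then shows whether chain 1 or chain 2 indicators dominate.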
Who is Mint Sandstorm?
Mint Sandstorm, also known as Phosphorus, APT35, Charming Kitten, Ajax Security, and NewsBeef, is an Iran nexus threat actor group active since at least 2014. The group is thought to operate on behalf of the Iranian government, with ties to the Iranian Revolutionary Guard Corps. Mint Sandstorm has previously targeted government and military personnel, academics, journalists, and the World Health Organization. Targets were mostly located in the US and the Middle East.
Mint Sandstorm TTPs include but are not limited to social engineering, use of compromised email accounts, targeted phishing attacks, using Amazon S3 buckets and IRC for C2, leveraging Log4j vulnerabilities, watering hole attacks, Havij, sqlmap, Metasploit, Mimikatz, CharmPower, DownPaper, PsExec, and Pupy. Mint Sandstorm is known for its moderate skill level, easily recognizable TTPs, expansive infrastructure, and notoriously sloppy OPSEC.
IOCs
PolySwarm is monitoring for samples of Drokbk and Soldier.
You can use the following CLI command to search for all Drokbk samples in our portal when available: $ polyswarm link list -f Drokbk
You can use the following CLI command to search for all Soldier samples in our portal when available: $ polyswarm link list -f Soldier