Iranian Threat Group Updates Tactics, Techniques and Procedures in Spear Phishing Campaign

Iranian Threat Group Updates Tactics, Techniques and Procedures in Spear Phishing Campaign (Mar 13, 2018)

The Iranian Advanced Persistent Threat (APT) group "TEMP.Zagros" has been observed updating their Tactics, Techniques, and Procedures (TTPs) in a new spear phishing campaign, according to FireEye researchers. The group has been targeting government and defense entities in Central and Southwest Asia. The new TTP results in using the recently disclosed method, leveraging INF and SCT files for PowerShell code execution; previously this tactic involved using VBS and INI files. The PowerShell script, identified as "POWERSTATS" by FireEye, is a backdoor that can perform activities such as remote code execution, drive wiping, taking screenshots, and exfiltrating data.

Recommendation: Defense in depth (layering of security mechanisms, redundancy, fail safe defense processes) is the best way to ensure safety from APTs, including a focus on both network and host based security, as well as having prevention and detection capabilities in place. Furthermore, all employees should be educated on the risks of spear phishing, how to identify such attempts.

Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.