
ShadowTalk Update – Iran-linked APT35, Skimming by Magecart 4, Rancour, and Emotet Resurgence

Digital Shadows Analyst Team
October 11, 2019 | 3 Min Read

We’re back in London this week! Viktoria chats with Adam Cook, Philip Doherty, and Josh Poole on this week’s top stories.


Updates from this week’s Intelligence Summary

  • In the spotlight this week is the Iran-linked threat group “APT35”, which took aim at the email accounts of political entities in the United States and prominent Iranians living outside Iran. The operation was likely meant to gather intelligence in support of Iranian state interests, but a United States presidential campaign was reportedly one of the targets, meaning it could be part of a broader influence operation linked to that campaign.
  • Weekly highlights include: the targeting of government entities in South-East Asia by a threat actor known as Rancour; a card-skimming campaign by “Magecart 4”, which shared overlaps with “Cobalt Group”; and a banking trojan, dubbed Casbaneiro, targeting the financial services sector in Brazil and Mexico.


APT35 targets email of US political figures, prominent Iranians

In August and September 2019 the Iran-linked group APT35 (aka Phosphorus) attempted to access the Microsoft email accounts of politicians and journalists in the United States, as well as prominent Iranians living outside Iran. The motives for the campaign are unclear, but espionage and information-gathering, in support of wider Iranian political interests, are the most likely. However, some sources listed the email accounts of President Donald Trump’s re-election campaign among APT35’s targets. Because Iran has previously been accused of conducting disinformation and influence campaigns, this new activity will likely escalate discussions of potential interference in the 2020 United States presidential election.


Chinese threat group Rancour casts phishing line to South-East Asian government

Security researchers reported on a new campaign conducted by a threat group known as Rancour over a span of seven months during 2019. The attackers sent malware-laden phishing emails that spoofed various government departments, embassies, and other government-related entities. The recipients were individuals holding government, diplomatic, or embassy roles and were based in South-East Asia. Considering the discovery of several Chinese artifacts, and the malware that was used, researchers have deemed Rancour a Chinese threat group.


Skimming activity by Magecart 4 reveals potential link to Cobalt Group

A newly uncovered card-skimming operation by Magecart 4 indicated that the threat group is involved in both client-side and server-side skimming. Based on overlapping infrastructure, security researchers established that Magecart 4 could be linked to the Cobalt Group (aka KS Group). The latter is an organized crime group known to conduct intrusions into banks across Asia, Europe, and North America to facilitate cash thefts from bank ATMs. The two groups also employed similar naming conventions in the email addresses they used for domain registration.
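The attribution above rests on two pivots: overlapping infrastructure and a shared naming convention in the registrant email addresses. The script below, an added example that is not Digital Shadows' code and not taken from the research it summarises, shows how an analyst can apply those two pivots to a set of WHOIS-style records: each registrant email is reduced to its naming-convention shape, domains that share a hosting IP or an email pattern are linked, and the evidence behind each link is kept so it can be weighed. All domains, emails and IPs are constructed placeholders, not real indicators.

```python
import re
from collections import defaultdict

# Constructed WHOIS-like records (domain, registrant e-mail, hosting IP).
# Placeholder values for illustration only, not real indicators.
RECORDS = [
    {"domain": "cdn-assets-shop.test", "email": "jsmith1984@mail.example", "ip": "203.0.113.10"},
    {"domain": "static-pay-js.test",   "email": "kbrown1984@mail.example", "ip": "203.0.113.10"},
    {"domain": "secure-checkout.test", "email": "tjones1984@mail.example", "ip": "198.51.100.7"},
    {"domain": "corp-mail-gw.test",    "email": "ops@corp-mail.example",   "ip": "198.51.100.7"},
    {"domain": "unrelated-blog.test",  "email": "hello@blog.example",      "ip": "192.0.2.55"},
]


def email_pattern(email: str) -> str:
    """Reduce a registrant e-mail to its naming convention.

    The local part is abstracted to a shape (runs of letters -> 'L', runs of
    digits -> 'D'); the trailing digit run is kept because a shared suffix
    across otherwise different names is a stronger signal than shape alone.
    The mail domain is kept as-is.  'jsmith1984@mail.example' -> 'LD:1984@mail.example'
    """
    local, _, mail_domain = email.lower().partition("@")
    shape = re.sub(r"[a-z]+", "L", local)
    shape = re.sub(r"[0-9]+", "D", shape)
    trailing = re.search(r"(\d+)$", local)
    suffix = trailing.group(1) if trailing else ""
    return f"{shape}:{suffix}@{mail_domain}"


def _pivot_groups(records):
    """Map each pivot (kind, value) to the domains that share it."""
    by_key = defaultdict(list)
    for r in records:
        by_key[("ip", r["ip"])].append(r["domain"])
        by_key[("email", email_pattern(r["email"]))].append(r["domain"])
    return by_key


def shared_pivots(records):
    """Return, per domain, the pivots it shares with at least one other domain."""
    evidence = defaultdict(set)
    for (kind, value), domains in _pivot_groups(records).items():
        if len(domains) > 1:
            for d in domains:
                evidence[d].add(f"{kind}={value}")
    return dict(evidence)


def cluster_domains(records):
    """Group domains linked by a shared hosting IP or registrant-email pattern.

    Uses a small union-find so that transitive links (A shares an IP with B,
    B shares an email pattern with C) land in one cluster.
    """
    parent = {r["domain"]: r["domain"] for r in records}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for domains in _pivot_groups(records).values():
        for d in domains[1:]:
            parent[find(domains[0])] = find(d)

    clusters = defaultdict(list)
    for d in parent:
        clusters[find(d)].append(d)
    return sorted((sorted(c) for c in clusters.values()), key=lambda c: c[0])


if __name__ == "__main__":
    pivots = shared_pivots(RECORDS)
    for cluster in cluster_domains(RECORDS):
        print(cluster)
        for d in cluster:
            print("   ", d, sorted(pivots.get(d, [])))
```

In the constructed data, `corp-mail-gw.test` is pulled into the cluster only because it sits on the same IP as `secure-checkout.test`; with shared hosting that is a weak link on its own, which is why the per-domain evidence from `shared_pivots` matters more than cluster membership when deciding whether an overlap supports attribution.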


Casbaneiro trojan uses pop-up windows against financial services in Brazil, Mexico

Security researchers reported on a banking trojan, dubbed Casbaneiro, that has been used to target banks and cryptocurrency services in Brazil and Mexico. The trojan triggers fake pop-up windows on infected machines that prompt users to enter sensitive information, which is then exfiltrated to the trojan operator’s command-and-control server.


For more details, read the full Weekly Intelligence Summary here:

Weekly Intelligence Summary 03 Oct - 10 Oct 2019
