Iranian APT Lures Defense Contractor in Catfishing-Malware Scam
A new campaign using catfishing techniques with fake aerobics-instructor profiles has been discovered in a supply-chain attack attempt originating from an Iranian APT, TA456. The threat actors created convincing profiles of objectively attractive women to charm victims into downloading malware. According to a new report from Proofpoint, the campaign allegedly lured the Iranian Defense Contractor. Proofpoint stated that the APT, which is associated with the Iranian Revolutionary Guard, invested years into developing the fake profile, which it named Marcella Flores. The first Marcella profiles showed up around 2018, according to an analysis conducted by Proofpoint.
The APT used the profile to build a close relationship via social media platforms with someone who worked for a subsidiary of an aerospace defense contractor in the US. Proofpoint found that, over months, Marcella shared emails, pictures, and a video to gain the contractor's trust. Eventually, the attackers sent an email from Marcella Flores containing malware designed to conduct reconnaissance on the target's machine. The attached document contained personalized content and was a newer iteration of the Liderc malware.