Iranian state-backed hackers posed as flirty Scouser called Marcy to target workers in defence and aerospace
2021-07-28 16:45

Iranian state-backed hackers posed as a flirty Liverpudlian aerobics instructor in order to trick defence and aerospace workers into revealing secrets, according to a newly-published study.

Researchers from Proofpoint said this morning they had uncovered a fake social media account being operated by state-backed Iranians, tracked internally by the enterprise security firm as TA456.

Using the alias Marcella Flores, the Iranians patiently built up a relationship with their targets "over years" to convince them to open malware-laden emails on useful devices - even sending a video of "herself" to sucker in her unwitting targets.

"Once the malware, which is an updated version of Liderc that Proofpoint has dubbed LEMPO, establishes persistence, it can perform reconnaissance on the infected machine, save the reconnaissance details to the host, exfiltrate sensitive information to an actor-controlled email account via SMTPS, and then cover its tracks by deleting that day's host artifacts," said the infosec outfit in a blog post published today.

Variously known as Imperial Kitten and Tortoiseshell, the Iranian crew tracked by Proofpoint apparently has a taste for using western female aliases.

"The 'Marcella' profile appeared to be friends with multiple individuals who publicly identify as defense contractor employees and who are geographically dispersed from 'Marcella's' alleged location in Liverpool, UK," said Proofpoint.


News URL

https://go.theregister.com/feed/www.theregister.com/2021/07/28/flirty_scouse_fitness_instructor_actually_iranian_spy/