Hackers now use ‘sock puppets’ for more realistic phishing attacks


An Iranian-aligned hacking group is using a new, elaborate phishing technique in which multiple personas and email accounts are used to lure targets into believing they are reading a genuine email conversation.

The attackers send an email to targets while CCing another email address under their control and then respond from that email, engaging in a fake conversation.

Named ‘multi-persona impersonation’ (MPI) by researchers at Proofpoint, who first observed it, the technique leverages the psychological principle of “social proof” to short-circuit logical thinking and add an element of trustworthiness to the phishing threads.

TA453 is an Iranian threat group believed to be operating from within the IRGC (Islamic Revolutionary Guard Corps), previously seen impersonating journalists to target academics and policy experts in the Middle East.

Multiple persona impersonation

TA453’s new tactic requires far more effort on the attackers' part to carry out the phishing attacks, as each target needs to be drawn into an elaborate, realistic conversation held by fake personas, or sock puppets.

However, the extra effort pays off, as it creates a realistic-looking exchange of emails, which makes the conversation look legitimate.

An example shared in Proofpoint’s report dates to June 2022: the sender masqueraded as the Director of Research at FRPI, and the email was sent to the target while CCing a Director of Global Attitudes Research at the PEW Research Center.

Phishing message sent to the target and a second fake persona (Proofpoint)

The next day, the impersonated PEW director answered the questions sent by the FRPI director, creating a false sense of an honest conversation that would be enticing for the target to join.

In another case seen by Proofpoint, involving scientists specializing in genome research, the CCed persona replied with a OneDrive link that led to the download of a DOCX document laced with malicious macros.

In a third MPI phishing attack launched by TA453 against two academics specializing in nuclear arms control, the threat actors CCed three personas, going for an even more intricate attack.

Timeline of the third MPI attack example (Proofpoint)

In all cases, the threat actors used personal email addresses (Gmail, Outlook, AOL, Hotmail) for both the senders and the CCed personas instead of addresses from the impersonated institutions, which is a clear sign of suspicious activity.

The malicious payload

The documents that targets were tricked into downloading via OneDrive links in TA453’s recent campaign are password-protected files that perform template injection.

“The downloaded template, dubbed Korg by Proofpoint, has three macros: Module1.bas, Module2.bas, and ThisDocument.cls,” details the report.

“The macros collect information such as username, list of running processes along with the user’s public IP from and then exfiltrates that information using the Telegram API.”

The researchers could not observe anything beyond the reconnaissance beaconing stage, but they assume that additional exploitation follows in subsequent steps to give the remote threat actors code execution on the hosts.
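Template injection, as used by the documents described above, is visible in the document's own structure: a .docx is a zip archive, and a file that fetches its template from the network declares an attachedTemplate relationship with TargetMode="External" in word/_rels/settings.xml.rels. The scanner below is an added example, not code from Proofpoint or the article; the two in-memory .docx samples are constructed test fixtures with placeholder URLs and paths and contain no macros. It shows how a defender can triage a downloaded document before it is ever opened.

```python
"""Scan .docx archives for remote (network) attached-template relationships (added example).

Word records the template a document was built from as a Relationship of type
attachedTemplate. A local template (file:///...Normal.dotm) is normal; an
http(s) target means the document will fetch content from the network on open,
which is the template-injection pattern. Samples here are constructed fixtures.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = (
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
)


def external_templates(docx_bytes):
    """All (part_name, target) pairs for attachedTemplate relationships marked External."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue  # only relationship parts can carry the template link
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("Type") == ATTACHED_TEMPLATE and rel.get("TargetMode") == "External":
                    hits.append((name, rel.get("Target", "")))
    return hits


def remote_template_targets(docx_bytes):
    """Only the targets that would be fetched over the network (http/https)."""
    return [
        target
        for _, target in external_templates(docx_bytes)
        if target.lower().startswith(("http://", "https://"))
    ]


def build_docx(settings_rels_xml):
    """Assemble a minimal .docx in memory around the given settings rels (test fixture)."""
    w_ns = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(
            "[Content_Types].xml",
            '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>',
        )
        zf.writestr("word/document.xml", f'<?xml version="1.0"?><w:document xmlns:w="{w_ns}"/>')
        zf.writestr("word/settings.xml", f'<?xml version="1.0"?><w:settings xmlns:w="{w_ns}"/>')
        zf.writestr("word/_rels/settings.xml.rels", settings_rels_xml)
    return buf.getvalue()


# Constructed fixture: template pulled from a placeholder remote host (.invalid TLD).
REMOTE_RELS = f"""<?xml version="1.0" encoding="UTF-8"?>
<Relationships xmlns="{REL_NS}">
  <Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}"
    Target="https://template-host.invalid/placeholder.dotm" TargetMode="External"/>
</Relationships>"""

# Constructed fixture: the ordinary local Normal.dotm reference Word writes itself.
LOCAL_RELS = f"""<?xml version="1.0" encoding="UTF-8"?>
<Relationships xmlns="{REL_NS}">
  <Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}"
    Target="file:///C:/Users/placeholder/AppData/Roaming/Microsoft/Templates/Normal.dotm"
    TargetMode="External"/>
</Relationships>"""

REMOTE_SAMPLE = build_docx(REMOTE_RELS)
LOCAL_SAMPLE = build_docx(LOCAL_RELS)

if __name__ == "__main__":
    print("remote sample:", remote_template_targets(REMOTE_SAMPLE))
    print("local sample: ", remote_template_targets(LOCAL_SAMPLE))
```

The password-protected files in this campaign are a caveat: an encrypted Office document is an OLE container, not a plain zip, so a scanner like this only sees the relationships after the file has been opened with its password in a sandbox, or after it has been decrypted with a tool that supports Office encryption.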
