In October 2024, the Iran-aligned threat actor UNC2428 was observed delivering the MURKYTOUR backdoor through a job-themed social engineering campaign targeting Israel. The campaign, uncovered by Mandiant, the Google-owned cybersecurity firm, chained several layers of deception (a spoofed employer, a lookalike website, and a branded installer with a decoy interface) to get a backdoor onto the victim's system.
Disguising Malware with Job-Themed Social Engineering
UNC2428's social engineering lure posed as a recruitment opportunity from Rafael, an Israeli defense contractor. Targets were approached with a purported job opening; those who expressed interest were directed to a website impersonating Rafael and told to download a tool called RafaelConnect.exe. That file was in fact an installer for a malicious program tracked as LONEFLEET.
When executed, LONEFLEET launched a graphical user interface (GUI) prompting the victim to enter personal details and submit a resume. Once the form was submitted, the MURKYTOUR backdoor was installed as a background process by LEAFPILE, a launcher that gave the attackers persistent access to the compromised system.
Wrapping the installer in a GUI that does what the lure promised is a recurring tactic among Iranian threat actors. The visible "recruitment tool" gives the victim a plausible explanation for the program running on their machine, so the backdoor installation happening behind it is less likely to be noticed or reported. For defenders, the practical corollary is that a file's branding is not evidence of its origin: an installer carrying a vendor's name should be checked against the publisher that actually signed it before it is trusted.
Expanded Iran-Nexus Threat Landscape
Beyond UNC2428, Iranian groups such as UNC3313 have used remote monitoring and management (RMM) tools for persistence. Because RMM software is legitimate, signed, and widely deployed by IT teams, its network traffic and processes blend into normal administrative activity, letting the attackers keep access while avoiding the scrutiny a custom implant would draw. The corresponding detection opportunity is any RMM product appearing on a host or in a network that does not use that product for administration.
In July 2024, a newly identified Iranian-backed threat group distributed a backdoor named CACTUSPAL disguised as an installer for Palo Alto Networks GlobalProtect. CACTUSPAL is a .NET backdoor that first checks that no other copy of itself is already running (a common single-instance guard) and then connects to an external command-and-control (C2) server to receive further instructions.
Mandiant also identified more than 20 proprietary malware families used by Iranian threat actors in 2024, underscoring the scale of their ongoing cyber espionage operations. These groups align their activity with the strategic interests of the Iranian government, and their evolving tradecraft continues to pose a significant challenge to defenders worldwide.
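Both the RafaelConnect.exe lure and the fake GlobalProtect installer rely on the same trick: a file whose name borrows a trusted vendor's brand but whose code-signing publisher (if any) does not belong to that vendor, and which then launches a background process that persists. The triage helper below is an added example, not Mandiant's tooling and not a description of the real samples' internals; it runs over constructed process records with a made-up schema (pid, ppid, image path, signer, whether the process showed a window, whether it wrote an autorun location) and an illustrative brand-to-publisher allowlist that a defender would have to fill in with verified certificate subjects. It flags any brand-carrying binary whose signer is not on the allowlist and then pulls out the windowless, persisting children that such a decoy spawned, which is where a backdoor installed behind a GUI would show up.

```python
"""Triage helper: flag vendor-branded executables whose code-signing
publisher does not match the vendor they impersonate, then follow any
background child they launched.  Added example over constructed records;
not Mandiant's tooling, not the real samples' behaviour."""
from dataclasses import dataclass
from typing import Optional

# Brand keyword (matched against the file name) -> publishers allowed to
# sign a binary carrying it.  ASSUMPTION: these publisher strings are
# illustrative placeholders, not verified Authenticode certificate subjects.
BRAND_ALLOWLIST = {
    "rafael": {"Rafael Advanced Defense Systems Ltd."},
    "globalprotect": {"Palo Alto Networks"},
}


@dataclass
class ProcEvent:
    """One process-creation record in a constructed schema (not Sysmon's)."""
    pid: int
    ppid: int
    image: str             # full path of the executed binary
    signer: Optional[str]  # Authenticode publisher, None if unsigned
    has_gui: bool          # process created a top-level window
    persisted: bool        # process wrote an autorun location (Run key, task, service)


def brand_mismatch(ev: ProcEvent) -> Optional[str]:
    """Return the impersonated brand if the file name claims a vendor that
    the signer does not belong to; None if the file is unbranded or properly signed."""
    name = ev.image.rsplit("\\", 1)[-1].lower()
    for brand, signers in BRAND_ALLOWLIST.items():
        if brand in name and ev.signer not in signers:
            return brand
    return None


def triage(events):
    """Return [(brand, decoy_pid, [background child pids])] for every
    mismatched binary.  A child is 'background' if it showed no window
    and persisted: the shape of a backdoor installed behind a decoy GUI."""
    by_parent = {}
    for ev in events:
        by_parent.setdefault(ev.ppid, []).append(ev)
    findings = []
    for ev in events:
        brand = brand_mismatch(ev)
        if brand is None:
            continue
        children = [c.pid for c in by_parent.get(ev.pid, [])
                    if not c.has_gui and c.persisted]
        findings.append((brand, ev.pid, children))
    return findings


# Constructed sample records (paths, pids and signers are invented).
SAMPLE_EVENTS = [
    # unsigned, vendor-branded download that shows a form (the decoy)
    ProcEvent(100, 1, r"C:\Users\u\Downloads\RafaelConnect.exe", None, True, False),
    # windowless child of the decoy that sets up persistence (the payload)
    ProcEvent(101, 100, r"C:\Users\u\AppData\Local\svc\launcher.exe", None, False, True),
    # genuine vendor binary signed by the allowlisted publisher: no finding
    ProcEvent(200, 1, r"C:\Program Files\Palo Alto Networks\GlobalProtect\GlobalProtect.exe",
              "Palo Alto Networks", True, False),
    # branded installer signed by someone else: flagged even with no child yet
    ProcEvent(300, 1, r"C:\Users\u\Downloads\GlobalProtect64.msi.exe",
              "Some Other Publisher", True, False),
]

if __name__ == "__main__":
    for brand, pid, kids in triage(SAMPLE_EVENTS):
        print(f"brand={brand} decoy_pid={pid} background_children={kids}")
```

The allowlist check deliberately treats "unsigned" and "signed by the wrong publisher" the same way: a mismatch is a finding even when the branded process has no suspicious child yet, because the decoy stage may run for a while before the background install. Feeding real data into this requires replacing the constructed fields with whatever your telemetry actually records (for example, signature verification from an image-load or file-creation source joined to process-creation events by path).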