APT Group Uses Catfish Technique To Ensnare Victims

Meet Mia Ash, a 20-something London-based photographer, amateur model, social media butterfly with a keen interest in tech-savvy guys with ties to the oil and gas industry.

You guessed it. Mia Ash doesn’t exist. Ash, according to Dell SecureWorks Counter Threat Unit, is a virtual persona stitched together by the APT known as Cobalt Gypsy, OilRig, TG-2889 and Twisted Kitten. It is believed to have ties to the Iranian government and has been targeting telecommunications, government, defense, oil and financial services firms located in the Middle East and North Africa.

SecureWorks researchers say Ash is an unusually well-developed persona that has been curated for years. Her role is to befriend men working in desirable positions within, or connected to, energy-sector firms. The ultimate goal is to infect the target’s computer with the remote access tool PupyRAT.

Today during Black Hat, SecureWorks released a report on Ash titled “The Curious Case of Mia Ash: Cobalt Gypsy Uses Social Media to Lure Victims.”

Allison Wikoff, intelligence analyst for Dell SecureWorks, said Cobalt Gypsy’s elaborate ploy came to light in January when it observed an unsuccessful phishing campaign targeting Saudi Arabian organizations doing business in the Middle East and North Africa.

“When the initial campaign failed, Cobalt Gypsy turned its focus to a highly focused campaign using the fake persona of Mia Ash to establish relationships with employees inside targeted organizations,” Wikoff said.

That persona was crafted across LinkedIn, Facebook, WhatsApp, Blogger and sites such as DeviantArt, an online artwork, videography and photography community. Sources of information used to build Ash’s backstory were cut-and-pasted from a number of places. A LinkedIn profile was appropriated from a United States-based photographer. Her Facebook and DeviantArt page were updated regularly with images from several social media accounts belonging to a Romanian photographer who had no idea of the charade.

“They not only built a LinkedIn profile, but created a more personal persona using a host of social media platforms, baiting targets with sex appeal. It’s catfishing. Back in the day, counterintelligence efforts had to use real female spies to lure the information from male operatives. But now they can use a virtual female,” Wikoff said.

Over the course of years, the Ash profiles were actively updated and had attracted a mix of social followers and professional connections that included both photography enthusiasts and non-photography profiles tied to energy-sector jobs.

“The non-photography endorsers were located in Saudi Arabia, United States, Iraq, Iran, Israel, India and Bangladesh working for technology, oil/gas, healthcare, aerospace and consulting organizations. These connections were mid-level employees in technician (mechanical and computer) or project managerial type roles with job titles including: technical support engineer, software developer and system support,” according to the report.

Researchers say that while Ash had thousands of connections, the persona focused primarily on 30 men. However, at the time of SecureWorks’ most recent research, it had observed two specific victims singled out by Ash.

One of those victims came to light in February only after he opened an Excel document attachment sent by Ash that included the PupyRAT malware in a file named “Copy of Photography Survey.xlsm.” The malware did not execute, and SecureWorks was asked to investigate the incident.


Source: ThreatPost