Novel phishing technique leveraged by Iranian hacking group

Iranian state-sponsored threat group TA453 has been discovered using a novel "multi-persona impersonation" (MPI) technique to make its phishing emails more elaborate and legitimate-looking, according to BleepingComputer. TA453 has put significantly more effort into the new technique, which uses several fake personas to create realistic conversations, a Proofpoint report revealed.

One of the attacks found to use MPI involved a phishing email purportedly sent to the target by the Director of Research at the Foreign Policy Research Institute (FPRI), with a Director of Global Attitudes Research at the Pew Research Center CCed. In replies to the email the following day, the spoofed Pew director answered the FPRI director's queries.

Attackers have also sent phishing emails to genome research scientists, with the CCed persona replying with a OneDrive link leading to a malicious macro-laced DOCX document. "The downloaded template, dubbed Korg by Proofpoint, has three macros: Module1.bas, Module2.bas, and ThisDocument.cls. The macros collect information such as username, list of running processes along with the user's public IP from my-ip.io and then exfiltrates that information using the Telegram API," said researchers.
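The network behavior the researchers describe (a public-IP lookup at my-ip.io followed by a call to the Telegram API) can be hunted for in proxy or EDR telemetry. The following is an added detection sketch, not code from Proofpoint or the original article; the log format, host names, sample lines, the five-minute window, and the assumption that the traffic is attributed to the Office process are all constructed for illustration, and `api.telegram.org` is the Telegram Bot API host.

```python
from datetime import datetime, timedelta

# Constructed sample lines: timestamp, host, process, destination domain.
SAMPLE_LOG = """\
2022-09-13T09:14:02 WS-017 WINWORD.EXE my-ip.io
2022-09-13T09:14:05 WS-017 WINWORD.EXE api.telegram.org
2022-09-13T09:20:11 WS-022 chrome.exe my-ip.io
2022-09-13T09:21:40 WS-022 Telegram.exe api.telegram.org
2022-09-13T10:02:00 WS-031 WINWORD.EXE my-ip.io
2022-09-13T11:30:00 WS-031 WINWORD.EXE api.telegram.org
"""

OFFICE_PROCESSES = {"winword.exe", "excel.exe", "powerpnt.exe"}
IP_LOOKUP_DOMAINS = {"my-ip.io"}        # lookup service named in the report
EXFIL_DOMAINS = {"api.telegram.org"}    # Telegram Bot API host
WINDOW = timedelta(minutes=5)           # assumed correlation window


def parse(line):
    """Split one log line into (timestamp, host, process, domain)."""
    ts, host, proc, domain = line.split()
    return datetime.fromisoformat(ts), host, proc.lower(), domain.lower()


def matches(domain, watched):
    """True if domain equals, or is a subdomain of, a watched domain."""
    return any(domain == d or domain.endswith("." + d) for d in watched)


def find_korg_like_beacons(log_text, window=WINDOW):
    """Flag an Office process that looks up its public IP and then
    contacts the Telegram API from the same host within `window`."""
    last_lookup = {}  # (host, process) -> time of most recent IP lookup
    alerts = []
    for line in filter(None, map(str.strip, log_text.splitlines())):
        ts, host, proc, domain = parse(line)
        if proc not in OFFICE_PROCESSES:
            continue  # browsers and chat clients reach these hosts legitimately
        key = (host, proc)
        if matches(domain, IP_LOOKUP_DOMAINS):
            last_lookup[key] = ts
        elif matches(domain, EXFIL_DOMAINS) and key in last_lookup:
            if timedelta(0) <= ts - last_lookup[key] <= window:
                alerts.append((host, proc, last_lookup[key], ts))
    return alerts


if __name__ == "__main__":
    for host, proc, t1, t2 in find_korg_like_beacons(SAMPLE_LOG):
        print(f"ALERT {host} {proc}: IP lookup {t1} then Telegram API {t2}")
```

Restricting the correlation to Office processes keeps ordinary browser visits to my-ip.io and legitimate Telegram client traffic from generating alerts.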
