CURIUM is an Iranian threat group, first reported in September 2019 and active since at least July 2018, targeting IT service providers in the Middle East.[1] CURIUM has since invested in building relationships with potential targets via social media over a period of months to establish trust and confidence before sending malware. Security researchers note CURIUM has demonstrated great patience and persistence by chatting with potential targets daily and sending benign files to help lower their security consciousness.[2]
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1005 | Data from Local System | |
| Enterprise | T1598.003 | Phishing for Information: Spearphishing Link | CURIUM used malicious links to adversary-controlled resources for credential harvesting.[5] |
| Enterprise | T1059.001 | Command and Scripting Interpreter: PowerShell | CURIUM has leveraged PowerShell scripts for initial process execution and data gathering in victim environments.[1] |
| Enterprise | T1584.006 | Compromise Infrastructure: Web Services | CURIUM has compromised legitimate websites to enable strategic website compromise attacks.[5] |
| Enterprise | T1585.001 | Establish Accounts: Social Media Accounts | CURIUM has established a network of fictitious social media accounts, including on Facebook and LinkedIn, to establish relationships with victims, often posing as an attractive woman.[2] |
| Enterprise | T1585.002 | Establish Accounts: Email Accounts | CURIUM has created dedicated email accounts for use with tools such as IMAPLoader.[5] |
| Enterprise | T1608.004 | Stage Capabilities: Drive-by Target | CURIUM used strategic website compromise to fingerprint and then target victims.[5] |
| Enterprise | T1048.002 | Exfiltration Over Alternative Protocol: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | CURIUM has used SMTPS to exfiltrate collected data from victims.[5] |
| Enterprise | T1505.003 | Server Software Component: Web Shell | CURIUM has been linked to web shells following likely server compromise as an initial access vector into victim networks.[1] |
| Enterprise | T1189 | Drive-by Compromise | CURIUM has used strategic website compromise to infect victims with malware such as IMAPLoader.[5] |
| Enterprise | T1204.002 | User Execution: Malicious File | CURIUM has lured users into opening malicious files delivered via social media.[2] |
| Enterprise | T1082 | System Information Discovery | CURIUM deploys information gathering tools focused on capturing IP configuration, running applications, system information, and network connectivity information.[1] |
| Enterprise | T1124 | System Time Discovery | CURIUM deployed mechanisms to check system time information following strategic website compromise attacks.[5] |
| Enterprise | T1583.001 | Acquire Infrastructure: Domains | CURIUM created domains to facilitate strategic website compromise and credential capture activities.[5] |
| Enterprise | T1583.003 | Acquire Infrastructure: Virtual Private Server | CURIUM created virtual private server instances to facilitate use of malicious domains and other items.[5] |
| Enterprise | T1583.004 | Acquire Infrastructure: Server | CURIUM has created dedicated servers for command and control and exfiltration purposes.[5] |
| Enterprise | T1041 | Exfiltration Over C2 Channel | CURIUM has used IMAP and SMTPS for exfiltration via tools such as IMAPLoader.[5] |
| Enterprise | T1566.001 | Phishing: Spearphishing Attachment | CURIUM has used phishing with malicious attachments for initial access to victim environments.[5] |
| Enterprise | T1566.003 | Phishing: Spearphishing via Service | CURIUM has used social media to deliver malicious files to victims.[2] |
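The pattern the table describes, a PowerShell-driven recon burst (T1059.001, T1082) followed by data leaving over SMTPS or IMAP from a process that is not a mail client (T1048.002, T1041), is one a detection engineer can hunt for in endpoint telemetry. The following is an added example written for this page, not code from MITRE or from the cited reports, and not a description of any CURIUM tool. It runs a simple correlation over constructed Sysmon-style process-creation and network-connection records embedded inline; the discovery-binary list, the mail-client allowlist and the time windows are assumptions to be tuned per environment.

```python
"""Hunt for discovery-then-mail-exfil on endpoint telemetry (added example).

Records below are constructed, Sysmon-like events (EID 1 process creation,
EID 3 network connection), not real telemetry.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    ts: datetime
    host: str
    kind: str          # "process" or "network"
    image: str         # executable file name, lower-cased
    parent: str = ""   # parent image for process events
    dest_port: int = 0 # destination port for network events


def _e(ts, host, kind, image, parent="", port=0):
    return Event(datetime.fromisoformat(ts), host, kind, image.lower(), parent.lower(), port)


# Host/network discovery binaries matching the T1082 row (assumed list, extend as needed).
DISCOVERY_IMAGES = {"ipconfig.exe", "tasklist.exe", "systeminfo.exe", "netstat.exe", "whoami.exe"}
# Mail ports relevant to the T1048.002 / T1041 rows.
MAIL_PORTS = {143: "IMAP", 993: "IMAPS", 465: "SMTPS", 587: "SMTP submission"}
# Processes expected to speak IMAP/SMTP on workstations; assumed allowlist, tune per environment.
MAIL_CLIENT_ALLOWLIST = {"outlook.exe", "thunderbird.exe", "olk.exe"}

SAMPLE_EVENTS = [
    # WS01: PowerShell spawns a recon burst, then PowerShell itself opens SMTPS.
    _e("2024-03-04T09:00:01", "WS01", "process", "ipconfig.exe", parent="powershell.exe"),
    _e("2024-03-04T09:00:02", "WS01", "process", "tasklist.exe", parent="powershell.exe"),
    _e("2024-03-04T09:00:03", "WS01", "process", "systeminfo.exe", parent="powershell.exe"),
    _e("2024-03-04T09:00:04", "WS01", "process", "netstat.exe", parent="powershell.exe"),
    _e("2024-03-04T09:02:30", "WS01", "network", "powershell.exe", port=465),
    # WS02: a real mail client on IMAPS, expected and allowlisted.
    _e("2024-03-04T09:05:00", "WS02", "network", "outlook.exe", port=993),
    # WS03: a single discovery command, below the burst threshold.
    _e("2024-03-04T10:00:00", "WS03", "process", "ipconfig.exe", parent="cmd.exe"),
    # WS04: odd process on IMAPS with no preceding burst: anomaly, but not a correlated alert.
    _e("2024-03-04T11:00:00", "WS04", "network", "python.exe", port=993),
]


def discovery_bursts(events, window=timedelta(minutes=5), min_distinct=3):
    """Return {host: (start, end, images)} for the first run of >= min_distinct
    distinct discovery binaries executed within `window` on that host."""
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "process" and ev.image in DISCOVERY_IMAGES:
            by_host[ev.host].append(ev)
    bursts = {}
    for host, evs in by_host.items():
        for i, first in enumerate(evs):
            run = [e for e in evs[i:] if e.ts - first.ts <= window]
            images = {e.image for e in run}
            if len(images) >= min_distinct:
                bursts[host] = (first.ts, run[-1].ts, images)
                break
    return bursts


def mail_port_anomalies(events):
    """Network events where a non-allowlisted process connects to a mail port."""
    return [e for e in events
            if e.kind == "network" and e.dest_port in MAIL_PORTS
            and e.image not in MAIL_CLIENT_ALLOWLIST]


def correlate(events, lookahead=timedelta(minutes=30)):
    """Alert when a discovery burst is followed on the same host, within
    `lookahead`, by an anomalous mail-port connection."""
    alerts = []
    bursts = discovery_bursts(events)
    for net in mail_port_anomalies(events):
        burst = bursts.get(net.host)
        if burst and burst[1] <= net.ts <= burst[1] + lookahead:
            alerts.append({
                "host": net.host,
                "process": net.image,
                "port": net.dest_port,
                "protocol": MAIL_PORTS[net.dest_port],
                "discovery": sorted(burst[2]),
                "technique_hints": ["T1059.001", "T1082", "T1048.002", "T1041"],
            })
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

The uncorrelated anomaly on WS04 is still worth a lower-severity signal on its own; the correlation only raises priority when the recon precursor is present, which keeps the allowlist from being the sole control against a mail-protocol loader such as the one named in this page.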
| ID | Name | References | Techniques |
|---|---|---|---|
| S1152 | IMAPLoader | IMAPLoader was deployed by CURIUM as a post-exploitation payload from strategic website compromise.[5] | Windows Management Instrumentation, Create or Modify System Process, Hijack Execution Flow: AppDomainManager, Application Layer Protocol: Mail Protocols, Native API, System Information Discovery, Ingress Tool Transfer, Hide Artifacts: Hidden Window, Scheduled Task/Job: Scheduled Task |