Hackers posed as aerobics instructors in malware attack on defense contractors

Iranian hackers used social media platforms, especially Facebook, to target employees of an aerospace defense contractor and steal their login credentials.

Enterprise security firm Proofpoint has revealed details about the malicious activities of a novel cyberespionage group that ran a social engineering campaign undetected for more than a year.

According to researchers, the group members posed as diet and aerobics instructors on Facebook to deliver malware to the devices used by an aerospace defense contractor’s employees.

Earlier in July, Facebook reported dismantling a sophisticated cyberespionage campaign by the Tortoiseshell hacker group.

Facebook further revealed that the group targeted around 200 military personnel and companies in aerospace and defense in the USA, UK, and Europe.

Now Proofpoint researchers have shed light on what had been going on at the social networking site for months.

Campaign Lasted for 18 Months

Proofpoint researchers noted that this campaign lasted for at least 18 months. Throughout that time, the attackers masqueraded as an aerobics instructor from Liverpool, England.

They targeted several contractors and employees working in defense and aerospace with malware to steal usernames, passwords, and other sensitive data.

The campaign had been active since 2019, and the hackers used several social media platforms besides Facebook, including Instagram. They also emailed the employees from their fake persona, dubbed Marcella Flores.

Fake profile of Marcella Flores (Image: Proofpoint)

State-Backed Threat Actor Suspected to be Involved

Proofpoint researchers have linked this campaign to TA456, a state-sponsored group also known as Tortoiseshell and Imperial Kitten.

This Iranian hacking group has strong ties to the Iranian military division called Islamic Revolutionary Guard Corps (IRGC).

Hackers’ Modus Operandi

Cybersecurity researchers at Proofpoint revealed that the attackers first built rapport with their targets, which sometimes took several months. They exchanged messages and emails with the target and only attempted to deliver malware after gaining their trust.

“Using the social media persona ‘Marcella Flores,’ TA456 built a relationship across corporate and personal communication platforms with an employee of a small subsidiary of an aerospace defense contractor,” Proofpoint researchers wrote in their report.

The group then attempted to exploit this rapport by sending the target malware within an ongoing email thread. They managed to deliver the LEMPO malware to the target’s machine.

This malware is designed to maintain persistence, perform surveillance, and retrieve sensitive data.

Malware infected email sent by Marcella Flores (Image: Proofpoint)

The infection chain was initiated through an email containing a OneDrive URL that claimed to lead to a diet survey. The file behind it was actually a macro-embedded Excel workbook which, once opened, quietly connected to an attacker-controlled domain and retrieved the reconnaissance tool.
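The macro-embedded Excel lure is the step a mail gateway or endpoint control can catch before any connection to the attacker’s domain happens. The following is an added example, not Proofpoint’s code or anything from the report: a small Python scanner that opens an OOXML workbook (a zip container), flags the presence of a VBA project (the `vbaProject.bin` part or its declared content type), and separately calls out a macro payload hiding behind a supposedly macro-free extension such as `.xlsx`. The sample workbooks are constructed inside the script, and the function and verdict names are my own.

```python
import io
import zipfile
from dataclasses import dataclass, field

# Content type OOXML declares for an embedded VBA project (standard Office Open
# XML packaging value, not something specific to this campaign).
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"

# Extensions that by convention must not carry macros. A VBA project inside one
# of these means the file was renamed or crafted and deserves a closer look.
MACRO_FREE_EXTENSIONS = {".xlsx", ".docx", ".pptx"}


@dataclass
class MacroScanResult:
    is_ooxml: bool
    has_vba_project: bool
    vba_parts: list = field(default_factory=list)


def scan_office_document(data: bytes) -> MacroScanResult:
    """Inspect an OOXML document (xlsx/xlsm/docx/docm/...) for a VBA project.

    OOXML files are zip containers. A macro-enabled document carries a
    'vbaProject.bin' part and declares its content type in [Content_Types].xml.
    Either indicator is enough to flag the file, since a crafted document may
    omit the declaration while still shipping the part.
    """
    if not data.startswith(b"PK"):
        return MacroScanResult(is_ooxml=False, has_vba_project=False)
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            vba_parts = [n for n in names if n.lower().endswith("vbaproject.bin")]
            declared = False
            if "[Content_Types].xml" in names:
                content_types = zf.read("[Content_Types].xml").decode("utf-8", "replace")
                declared = VBA_CONTENT_TYPE in content_types
    except zipfile.BadZipFile:
        return MacroScanResult(is_ooxml=False, has_vba_project=False)
    return MacroScanResult(True, bool(vba_parts) or declared, vba_parts)


def triage_attachment(filename: str, data: bytes) -> str:
    """Verdict for a mail-gateway or download rule (hypothetical verdict names)."""
    result = scan_office_document(data)
    if not result.is_ooxml:
        return "not-ooxml"
    if not result.has_vba_project:
        return "clean"
    ext = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext in MACRO_FREE_EXTENSIONS:
        return "disguised-macro"
    return "macro-enabled"


def build_sample_workbook(with_macro: bool) -> bytes:
    """Constructed minimal workbook for the demo; not a real lure document."""
    overrides = (
        '<Override PartName="/xl/workbook.xml" ContentType="application/'
        'vnd.openxmlformats-officedocument.spreadsheetml.sheet.main+xml"/>'
    )
    if with_macro:
        overrides += f'<Override PartName="/xl/vbaProject.bin" ContentType="{VBA_CONTENT_TYPE}"/>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(
            "[Content_Types].xml",
            '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/'
            'package/2006/content-types">' + overrides + "</Types>",
        )
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if with_macro:
            # Placeholder bytes standing in for an OLE-wrapped VBA project.
            zf.writestr("xl/vbaProject.bin", b"\xd0\xcf\x11\xe0placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for name, macro in (("diet_survey.xlsm", True), ("diet_survey.xlsx", True), ("diet_survey.xlsx", False)):
        print(name, "->", triage_attachment(name, build_sample_workbook(macro)))
```

The scanner deliberately does not try to parse the VBA itself: for a gateway rule the question is only whether a spreadsheet arriving from an unfamiliar sender carries executable content at all, and that decision can be made from the container alone. Legacy binary `.xls` files are OLE containers rather than zips and would need a separate check, which this example does not cover.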

“This campaign exemplifies the persistent nature of certain state-aligned threats and the human engagement they are willing to conduct in support of espionage operations,” researchers concluded.
