Secureworks®
Counter
Threat
Unit™
(CTU)
researchers
are
investigating
suspicious
activity
reported
via
Twitter
on
February
24,
2023.
Multiple
individuals
involved
in
Middle
Eastern
political
affairs
research
tweeted
that
than
an
individual
claiming
to
work
for
the
U.S.
Atlantic
Council
think
tank
had
contacted
them
about
contributing
to
an
Atlantic
Council
report
in
progress.
This
individual
used
the
name
Sara
Shokouhi
and
the
@SaShokouhi
(archived)
Twitter
account
(see
Figure
1).
Figure
1.
Twitter
profile
for
Sara
Shokouhi
(@SaShokouhi).
(Source:
Secureworks)
In
these
solicitations,
the
SaShokouhi
persona
claimed
to
work
with
Holly
Dagres,
an
Atlantic
Council
Senior
Fellow.
Dagres
has
publicly
denied
working
with
Shokouhi
(see
Figure
2).
Figure
2.
Holly
Dagres
publicly
denying
that
Sara
Shokouhi
is
a
colleague.
(Source:
Secureworks)
CTU™
researchers
discovered
that
the
individual
in
these
photos
is
not
Sara
Shokouhi.
The
image
belongs
to
a
psychologist
and
tarot
card
reader
based
in
Russia.
The
threat
group
responsible
for
the
fake
Sara
Shokouhi
persona
stole
these
images
from
an
Instagram
account
(see
Figure
3)
and
used
them
as
the
basis
for
the
SaShokouhi
Twitter
account
and
a
corresponding
Instagram
account
(@sarashokouhii).
The
fake
Instagram
profile
claims
Shokouhi
was
studying
for
or
holds
a
“PhD
in
Middle
East
Polotics
[sic]”.
Figure
3.
Photos
stolen
from
Instagram
to
create
the
@SaShokouhi
Twitter
persona.
Secureworks
blurred
the
images
for
privacy
purposes.
(Source:
Secureworks)
Multiple
hallmarks
of
this
activity
suggest
involvement
of
the
Iranian
COBALT
ILLUSION
threat
group
(also
known
as
Charming
Kitten,
APT42,
Phosphorous,
TA453,
and
Yellow
Garuda),
which
is
suspected
of
operating
on
behalf
of
the
Intelligence
Organization
of
the
Islamic
Revolutionary
Guard
Corp
(IRGC-IO)
in
Iran.
COBALT
ILLUSION
targets
a
wide
range
of
individuals
and
is
particularly
interested
in
academics,
journalists,
human
rights
defenders,
political
activists,
intergovernmental
organizations
(IGOs),
and
non-governmental
organizations
(NGOs)
that
focus
on
Iran.
The
threat
actors
create
a
fake
persona
and
then
use
it
to
contact
a
target
with
a
request
for
an
interview,
assistance
on
a
report,
or
to
discuss
a
shared
interest.
Over
a
period
of
days
or
weeks,
COBALT
ILLUSION
develops
a
rapport
with
the
target
and
then
attempts
to
phish
credentials
or
deploy
malware
to
the
target’s
computer
or
mobile
device.
The
UK
National
Cyber
Security
Centre
(NCSC)
issued
an
advisory
in
January
that
included
details
of
COBALT
ILLUSION
spearphishing
activity.
This
would
not
be
the
first
time
the
threat
actors
masqueraded
as
Atlantic
Council
employees.
In
September
2022,
CERTFA
identified
numerous
real
individuals
that
COBALT
ILLUSION
impersonated,
including
an
Atlantic
Council
employee.
In
that
campaign,
the
group
attempted
to
engage
targets
in
video
calls
and
delivered
phishing
links
via
the
chat
function
at
an
appropriate
point
in
the
conversation.
The
@SaShokouhi
account
has
been
operating
since
October
2022.
It
tweets
or
retweets
posts
supportive
of
the
Mahsa
Amini
protests
in
Iran.
To
appear
sympathetic
to
the
protestors’
interests
and
demands,
the
account
owner
has
posted
cynical
content
such
as
images
of
dead
children,
physical
abuse
suffered
by
protesters,
anti-Iranian
government
commentary,
and
anti-Iranian
symbolism.
CERTFA
Lab
reported
a
set
of
phishing
indicators
related
to
this
suspicious
activity.
As
of
this
publication,
CTU
researchers
cannot
independently
verify
an
association
between
the
CERTFA
indicators
and
the
@SaShokouhi
account.
However,
these
indicators
align
with
patterns
observed
in
past
COBALT
ILLUSION
activity.
Multiple
targets
reported
that
the
SaShokouhi
persona
engaged
them
in
discussion
(see
Figure
4).
The
interactions
included
requests
to
visit
multiple
links.
Figure
4.
Twitter
user
reporting
that
SaShokouhi
had
contacted
them.
(Source:
Secureworks)
It
is
common
for
COBALT
ILLUSION
to
interact
with
its
targets
multiple
times
over
different
messaging
platforms.
The
threat
actors
first
send
benign
links
and
documents
to
build
rapport.
They
then
send
a
malicious
link
or
document
to
phish
credentials
for
systems
that
COBALT
ILLUSION
seeks
to
access.
These
systems
include
online
email
services,
social
media
services,
and
other
systems
used
by
the
target.
Phishing
and
bulk
data
collection
are
core
tactics
of
COBALT
ILLUSION
operations.
In
August
2022,
Human
Rights
Watch
reported
that
COBALT
ILLUSION
targeted
their
staff
and
obtained
user
credentials.
The
threat
actors
then
used
the
Google
Takeout
service
to
export
data
from
the
various
services
associated
with
the
compromised
account,
including
email,
cloud
data
storage,
and
contacts.
This
information
could
feed
into
additional
rounds
of
phishing
attacks,
targeting
users
of
interest
who
have
had
contact
with
the
initial
victim.
In
December
2021,
the
Google
Threat
Analysis
Group
(TAG)
reported
on
COBALT
ILLUSION’s
use
of
the
custom
HYPERSCRAPE
(also
known
as
EmailDownloader)
tool
to
steal
user
data
from
Gmail,
Yahoo,
and
Microsoft
accounts.
PwC
identified
a
similar
tool
called
TelegramGrabber
that
enabled
bulk
data
collection
from
Telegram
accounts
after
the
threat
actor
had
obtained
the
victim’s
credentials.
Data
stolen
from
victims’
accounts
could
be
used
to
inform
intelligence
priorities
for
the
IRGC-IO
and
other
COBALT
ILLUSION
customers.
To
mitigate
exposure
to
this
malware,
CTU
researchers
recommend
that
organizations
use
available
controls
to
review
and
restrict
access
using
the
indicators
listed
in
Table
1.
Note
that
IP
addresses
can
be
reallocated.
The
domains
and
IP
addresses
may
contain
malicious
content,
so
consider
the
risks
before
opening
them
in
a
browser.
| Indicator | Type | Context |
|---|---|---|
| 148.251.130.18 |
IP address |
COBALT ILLUSION indicator published by CERTFA |
| 88.198.96.214 |
IP address |
COBALT ILLUSION indicator published by CERTFA |
| 46.4.95.242 |
IP address |
COBALT ILLUSION indicator published by CERTFA |
| 88.198.96.210 |
IP address |
Hosting COBALT ILLUSION domains |
| 88.198.96.211 |
IP address |
Hosted COBALT ILLUSION domains |
| 88.198.96.213 |
IP address |
Hosted COBALT ILLUSION domains |
| node-dashboard.site |
Domain name |
COBALT ILLUSION indicator published by CERTFA |
| node-panel.site |
Domain name |
COBALT ILLUSION indicator published by CERTFA |
| stellar-stable-faith.top |
Domain name |
COBALT ILLUSION indicator published by CERTFA |
| funeral-engineering-expression.top |
Domain name |
COBALT ILLUSION indicator published by CERTFA |
| compact-miracle-abounds.top |
Domain name |
COBALT ILLUSION indicator published by CERTFA |
| live-redirect-system.top |
Domain name |
Suspected COBALT ILLUSION infrastructure |
| bonny-marvels-authentic.top |
Domain name |
Suspected COBALT ILLUSION infrastructure |
| review-status-plan.online |
Domain name |
Suspected COBALT ILLUSION infrastructure |
| sincerely-sensation-outdo.top |
Domain name |
Suspected COBALT ILLUSION infrastructure |
| progress-captivate-amply.top |
Domain name |
Suspected COBALT ILLUSION infrastructure |
Table
1.
Indicators
for
this
threat.
Read
more
about
Iranian
threats
in
the
2022
State
of
the
Threat
report.
If
you
need
urgent
assistance
with
an
incident,
contact
the
Secureworks
Incident
Response
team.
About Author
