G1012 CURIUM
CURIUM is an Iranian threat group, first reported in September 2019 and active since at least July 2018, that targets IT service providers in the Middle East.[5] CURIUM has since invested in building relationships with potential targets via social media over a period of months, establishing trust and confidence before sending malware. Security researchers note that CURIUM has demonstrated great patience and persistence, chatting with potential targets daily and sending benign files to lower their security consciousness.[3]

| Item | Value |
|---|---|
| ID | G1012 |
| Associated Names | Crimson Sandstorm, TA456, Tortoise Shell, Yellow Liderc |
| Version | 3.0 |
| Created | 13 January 2023 |
| Last Modified | 02 October 2024 |

Associated Group Descriptions

| Name | Description |
|---|---|
| Crimson Sandstorm | [1] |
| TA456 | [2] |
| Tortoise Shell | [1] |
| Yellow Liderc | [4] |

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1583 | Acquire Infrastructure | - |
| enterprise | T1583.001 | Domains | CURIUM created domains to facilitate strategic website compromise and credential capture activities.[4] |
| enterprise | T1583.003 | Virtual Private Server | CURIUM created virtual private server instances to facilitate use of malicious domains and other items.[4] |
| enterprise | T1583.004 | Server | CURIUM has created dedicated servers for command and control and exfiltration purposes.[4] |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.001 | PowerShell | CURIUM has leveraged PowerShell scripts for initial process execution and data gathering in victim environments.[5] |
| enterprise | T1584 | Compromise Infrastructure | - |
| enterprise | T1584.006 | Web Services | CURIUM has compromised legitimate websites to enable strategic website compromise attacks.[4] |
| enterprise | T1005 | Data from Local System | CURIUM has exfiltrated data from a compromised machine.[3] |
| enterprise | T1189 | Drive-by Compromise | CURIUM has used strategic website compromise to infect victims with malware such as IMAPLoader.[4] |
| enterprise | T1585 | Establish Accounts | - |
| enterprise | T1585.001 | Social Media Accounts | CURIUM has established a network of fictitious social media accounts, including on Facebook and LinkedIn, to establish relationships with victims, often posing as an attractive woman.[3] |
| enterprise | T1585.002 | Email Accounts | CURIUM has created dedicated email accounts for use with tools such as IMAPLoader.[4] |
| enterprise | T1048 | Exfiltration Over Alternative Protocol | - |
| enterprise | T1048.002 | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | CURIUM has used SMTPS to exfiltrate collected data from victims.[4] |
| enterprise | T1041 | Exfiltration Over C2 Channel | CURIUM has used IMAP and SMTPS for exfiltration via tools such as IMAPLoader.[4] |
| enterprise | T1566 | Phishing | - |
| enterprise | T1566.001 | Spearphishing Attachment | CURIUM has used phishing with malicious attachments for initial access to victim environments.[4] |
| enterprise | T1566.003 | Spearphishing via Service | CURIUM has used social media to deliver malicious files to victims.[3] |
| enterprise | T1598 | Phishing for Information | - |
| enterprise | T1598.003 | Spearphishing Link | CURIUM used malicious links to adversary-controlled resources for credential harvesting.[4] |
| enterprise | T1505 | Server Software Component | - |
| enterprise | T1505.003 | Web Shell | CURIUM has been linked to web shells following likely server compromise as an initial access vector into victim networks.[5] |
| enterprise | T1608 | Stage Capabilities | - |
| enterprise | T1608.004 | Drive-by Target | CURIUM used strategic website compromise to fingerprint and then target victims.[4] |
| enterprise | T1082 | System Information Discovery | CURIUM deploys information gathering tools focused on capturing IP configuration, running applications, system information, and network connectivity information.[5] |
| enterprise | T1124 | System Time Discovery | CURIUM deployed mechanisms to check system time information following strategic website compromise attacks.[4] |
| enterprise | T1204 | User Execution | - |
| enterprise | T1204.002 | Malicious File | CURIUM has lured users into opening malicious files delivered via social media.[3] |

Software

| ID | Name | References | Techniques |
|---|---|---|---|
| S1152 | IMAPLoader | IMAPLoader was deployed by CURIUM as a post-exploitation payload from strategic website compromise.[4] | Application Layer Protocol: Mail Protocols; Create or Modify System Process; Hide Artifacts: Hidden Window; Hijack Execution Flow: AppDomainManager; Ingress Tool Transfer; Native API; Scheduled Task/Job: Scheduled Task; System Information Discovery; Windows Management Instrumentation |

References

- [1] Microsoft. (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.
- [2] Miller, J. et al. (2021, July 28). I Knew You Were Trouble: TA456 Targets Defense Contractor with Alluring Social Media Persona. Retrieved March 11, 2024.
- [3] MSTIC. (2021, November 16). Evolving trends in Iranian threat actor activity – MSTIC presentation at CyberWarCon 2021. Retrieved January 12, 2023.
- [4] PwC Threat Intelligence. (2023, October 25). Yellow Liderc ships its scripts and delivers IMAPLoader malware. Retrieved August 14, 2024.
- [5] Symantec Threat Hunter Team. (2019, September 18). Tortoiseshell Group Targets IT Providers in Saudi Arabia in Probable Supply Chain Attacks. Retrieved May 20, 2024.