Description
[CURIUM](https://attack.mitre.org/groups/G1012) is an Iranian threat group, first reported in September 2019 and active since at least July 2018, targeting IT service providers in the Middle East. (Citation: Symantec Tortoiseshell 2019) [CURIUM](https://attack.mitre.org/groups/G1012) has since invested in building relationships with potential targets via social media over a period of months to establish trust and confidence before sending malware. Security researchers note [CURIUM](https://attack.mitre.org/groups/G1012) has demonstrated great patience and persistence by chatting with potential targets daily and sending benign files to help lower their security consciousness. (Citation: Microsoft Iranian Threat Actor Trends November 2021)
Techniques Used (TTPs)
- T1566.003 — Spearphishing via Service (initial-access)
- T1505.003 — Web Shell (persistence)
- T1204.002 — Malicious File (execution)
- T1584.006 — Web Services (resource-development)
- T1583.003 — Virtual Private Server (resource-development)
- T1082 — System Information Discovery (discovery)
- T1608.004 — Drive-by Target (resource-development)
- T1048.002 — Exfiltration Over Asymmetric Encrypted Non-C2 Protocol (exfiltration)
- T1005 — Data from Local System (collection)
- T1585.001 — Social Media Accounts (resource-development)
- T1585.002 — Email Accounts (resource-development)
- T1124 — System Time Discovery (discovery)
- T1598.003 — Spearphishing Link (reconnaissance)
- T1189 — Drive-by Compromise (initial-access)
- T1566.001 — Spearphishing Attachment (initial-access)
- T1059.001 — PowerShell (execution)
- T1583.001 — Domains (resource-development)
- T1041 — Exfiltration Over C2 Channel (exfiltration)
- T1583.004 — Server (resource-development)
Total TTPs: 19
Malware & Tools
Malware: IMAPLoader