Mint Sandstorm is an Iran-based nation-state threat actor that has targeted a range of verticals, with a focus on government and education, since May 2014. Mint Sandstorm often uses social engineering to build trust before launching a spear-phishing attack aimed at stealing user credentials or deploying malicious scripts, with the goal of locating and exfiltrating information of interest to the Iranian government. Mint Sandstorm has also attempted to compromise cloud environments in order to move laterally whenever possible, often using this tactic against educational institutions to extend its reach into the compromised network.
THREAT ACTOR STRATEGIC SUMMARY
Tracked Aliases | Charming Kitten, Mint Sandstorm, Phosphorus (previous Microsoft name), APT35, Yellow Garuda, Newscaster |
Geolocation | Iran |
Primary Motivation | Nation-state-sponsored espionage, including targeting of political dissidents |
Primary Targets | Government, Energy, Healthcare, Education |
Affiliated Groups | Islamic Revolutionary Guard Corps (IRGC) |
Initial Activation | May 2014 |
THREAT ACTOR TACTICAL SUMMARY
Initial Access | Spear-phishing campaigns leveraging Microsoft impersonation pages to harvest credentials and MFA tokens |
Malware Deployment | Custom backdoors (NICECURL/TAMECAT) are delivered via spear-phishing attachments to support code execution and data mining |
Lateral Movement | Moves into cloud environments to search for data or files of interest to the actor |
Impact | Data exfiltration and widespread compromise |
THREAT ACTOR IOCs
Mint Sandstorm uses social engineering and spear-phishing tactics, often leveraging lookalike and typosquatted domains for login pages, news sites, and URL-shortening services to harvest user credentials. This profile includes several sample domains, but because the actor registers new typosquats freely, tracking individual domains is difficult and unlikely to return significant value; the lookalike patterns themselves (swapped letters, visually confusable characters, brand words joined with hyphens) are the more durable signal.
Mint Sandstorm also leverages two custom tools, often delivered as email attachments, to compromise environments and search for relevant data. Hashes and common download URLs for the NICECURL and TAMECAT scripts are listed below.
NICECURL:
File Hashes (MD5)
d5a05212f5931d50bb024567a2873642
347b273df245f5e1fcbef32f5b836f1d
2f6bf8586ed0a87ef3d156124de32757
13aa118181ac6a202f0a64c0c7a61ce7
c23663ebdfbc340457201dbec7469386
853687659483d215309941dae391a68f
Associated URLs
drive-file-share[.]site
prism-west-candy[.]glitch[.]me
TAMECAT
File Hashes (MD5)
d7bf138d1aa2b70d6204a2f3c3bc72a7
081419a484bbf99f278ce636d445b9d8
c3b9191f3a3c139ae886c0840709865e
dd2653a2543fa44eaeeff3ca82fe3513
9c5337e0b1aef2657948fd5e82bdb4c3
Associated URLs
tnt200[.]mywire[.]org
accurate-sprout-porpoise[.]glitch[.]me
Malicious Domains
News Outlets
businesslnsider[.]org
eocnomist[.]com
forieqnaffairs[.]com
vanityfaire[.]org
washinqtonpost[.]press
Login Sites
acconut-signin[.]com
signin-myaccounts[.]com
drive-access[.]site
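The lookalike domains above rely on two tricks: visually confusable characters (l for i in businesslnsider, q for g in washinqtonpost) and adjacent-letter swaps (eocnomist, acconut). A scorer that folds confusable characters before computing an edit distance that counts a transposition as a single edit catches both. The following is an added example, not code from the original profile or from CyberForce|Q; the brand list, the confusable-character table and the one-edit threshold are assumptions chosen for the example, and the domains it is run against are the ones listed above, defanged as published.

```python
# Added example (not part of the original profile): score defanged domains
# against a brand list after folding visually confusable characters.
# All constants below are assumptions chosen for this example.
MAX_EDITS = 1          # one transposition/insertion/substitution away from a brand
MIN_BRAND_LEN = 5      # short brands produce too many near-misses at one edit

# Brand tokens the page's lookalike domains imitate (constructed list).
BRANDS = ["businessinsider", "economist", "foreignaffairs", "vanityfair",
          "washingtonpost", "account", "signin", "drive"]

# Sequences that look alike in common sans-serif fonts. Both sides of every
# comparison are folded with this table, so "businesslnsider" collides with
# "businessinsider" and "washinqtonpost" with "washingtonpost".
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("l", "i"), ("1", "i"), ("0", "o"), ("q", "g")]


def canonical(label: str) -> str:
    """Lower-case a DNS label and fold confusable character sequences."""
    s = label.lower()
    for lookalike, target in CONFUSABLES:
        s = s.replace(lookalike, target)
    return s


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: Levenshtein plus adjacent
    transpositions, so 'eocnomist' -> 'economist' costs 1 rather than 2."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,         # deletion
                          d[i][j - 1] + 1,         # insertion
                          d[i - 1][j - 1] + cost)  # substitution
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


def classify(token: str, brand: str, dist: int) -> str:
    if token == brand:
        return "exact"
    if dist == 0:
        return "homoglyph"   # equal only after confusable folding
    return f"{dist}-edit"


def brand_matches(domain: str) -> list:
    """Return sorted (token, brand, kind) triples for every brand a defanged
    domain imitates. Every label except the TLD is checked, both whole and
    split on hyphens, so 'acconut-signin.com' yields hits for both halves."""
    host = domain.replace("[.]", ".").lower().rstrip(".")
    hits = set()
    for label in host.split(".")[:-1]:
        for token in {label, *label.split("-")}:
            for brand in BRANDS:
                if len(brand) < MIN_BRAND_LEN:
                    continue
                dist = osa_distance(canonical(token), canonical(brand))
                if dist <= MAX_EDITS:
                    hits.add((token, brand, classify(token, brand, dist)))
    return sorted(hits)


if __name__ == "__main__":
    # Domains taken from the IOC list above, defanged as published.
    for d in ["businesslnsider[.]org", "eocnomist[.]com", "forieqnaffairs[.]com",
              "washinqtonpost[.]press", "acconut-signin[.]com",
              "drive-file-share[.]site", "prism-west-candy[.]glitch[.]me"]:
        print(f"{d:32} {brand_matches(d) or 'no brand match'}")
```

The glitch.me host returns no match, which is the point of the brand check: the actor's hosting domains are ordinary platform subdomains and have to be tracked as literal indicators, while the phishing lures can be caught by pattern. Run the function over newly observed domains from DNS or proxy logs and review anything that scores at or below the edit threshold.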
THREAT ACTOR DETECTIONS
O365 Email Reported by User as Malware or Phish
Detection Language
KQL
Detection Summary
This detection flags emails reported by end users as possible phishing attempts.
ATT&CK Tactic(s)
Initial Access (TA0001)
ATT&CK Technique(s)
Phishing (T1566)
Spearphishing Attachment (T1566.001)
Spearphishing Link (T1566.002)
Detection Logic
Index: logs-o365*
event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.action:AlertTriggered and rule.name:"Email reported by user as malware or phish"
Multiple Okta User Authentication Events with Same Device Token Hash
Detection Language
ES|QL
Detection Summary
Detects when a high number of Okta user authentication events are reported for multiple users in a short time frame. Adversaries may attempt to launch a credential stuffing or password spraying attack from the same device by using a list of known usernames and passwords to gain unauthorized access to user accounts.
ATT&CK Tactic(s)
Credential Access (TA0006)
ATT&CK Technique(s)
Brute Force: Password Spraying (T1110.003)
Brute Force: Credential Stuffing (T1110.004)
Detection Logic
Index: logs-okta*
FROM logs-okta*
| WHERE
event.dataset == "okta.system"
AND (event.action RLIKE "user\\.authentication(.*)" OR event.action == "user.session.start")
AND okta.debug_context.debug_data.dt_hash != "-"
AND okta.outcome.reason == "INVALID_CREDENTIALS"
| KEEP event.action, okta.debug_context.debug_data.dt_hash, okta.actor.id, okta.actor.alternate_id, okta.outcome.reason
| STATS
target_auth_count = COUNT_DISTINCT(okta.actor.id)
BY okta.debug_context.debug_data.dt_hash, okta.actor.alternate_id
| WHERE
target_auth_count > 20
| SORT
target_auth_count DESC
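To see what the ES|QL above actually computes, here is the same logic rendered in Python over a handful of Okta System Log records. This is an added example, not CyberForce|Q's or Elastic's code; the records are constructed for the example (field names follow Okta's System Log schema: eventType, outcome.reason, actor.id, actor.alternateId, debugContext.debugData.dtHash), and the aggregation keys on the device token hash alone, because counting the distinct accounts a single device token has failed against is what separates a spray from one user mistyping a password.

```python
import re
from collections import defaultdict

# Added example, not the original rule. Mirrors the filter in the ES|QL above:
# authentication or session-start events that carry a device token hash and
# ended with an INVALID_CREDENTIALS outcome.
AUTH_EVENT = re.compile(r"user\.authentication(.*)")
THRESHOLD = 20   # same threshold as the rule; lower it in the call for small samples


def okta_event(event_type, actor_id, alternate_id, dt_hash, reason):
    """Build a minimal Okta System Log record (constructed sample data)."""
    return {
        "eventType": event_type,
        "actor": {"id": actor_id, "alternateId": alternate_id},
        "outcome": {"result": "FAILURE" if reason else "SUCCESS", "reason": reason},
        "debugContext": {"debugData": {"dtHash": dt_hash}},
    }


def is_failed_auth(evt):
    event_type = evt.get("eventType", "")
    if not (AUTH_EVENT.match(event_type) or event_type == "user.session.start"):
        return False
    dt_hash = evt.get("debugContext", {}).get("debugData", {}).get("dtHash", "-")
    return dt_hash != "-" and evt.get("outcome", {}).get("reason") == "INVALID_CREDENTIALS"


def spraying_devices(events, threshold=THRESHOLD):
    """Distinct actor ids with a failed login per device token hash; returns
    (dt_hash, count) for every hash above threshold, highest count first."""
    targets = defaultdict(set)
    for evt in events:
        if is_failed_auth(evt):
            targets[evt["debugContext"]["debugData"]["dtHash"]].add(evt["actor"]["id"])
    return sorted(((h, len(ids)) for h, ids in targets.items() if len(ids) > threshold),
                  key=lambda pair: -pair[1])


def constructed_events():
    """Constructed sample: one device token failing against 25 accounts,
    one user mistyping a password twice, a failure with no token hash, and
    a non-authentication event that must be ignored."""
    events = [okta_event("user.session.start", f"00u{n:05d}", f"user{n}@example.edu",
                         "dt_spray", "INVALID_CREDENTIALS") for n in range(25)]
    events += [
        okta_event("user.session.start", "00u99999", "alice@example.edu", "dt_alice", "INVALID_CREDENTIALS"),
        okta_event("user.session.start", "00u99999", "alice@example.edu", "dt_alice", "INVALID_CREDENTIALS"),
        okta_event("user.session.start", "00u99999", "alice@example.edu", "dt_alice", None),
        okta_event("user.authentication.auth_via_mfa", "00u00001", "user1@example.edu", "-", "INVALID_CREDENTIALS"),
        okta_event("user.account.lock", "00u00002", "user2@example.edu", "dt_spray", "INVALID_CREDENTIALS"),
    ]
    return events


if __name__ == "__main__":
    for dt_hash, count in spraying_devices(constructed_events()):
        print(f"device token {dt_hash}: failed logins against {count} distinct accounts")
```

The device token hash is set by Okta's device-tracking cookie, so an attacker who clears cookies between attempts, or who sprays from many hosts, will not accumulate under one hash; pair this with the per-source-IP and per-ASN failure counts Okta also logs rather than relying on it alone.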
SharePoint or OneDrive Malware File Upload
Detection Language
KQL
Detection Summary
Identifies files uploaded to SharePoint or OneDrive that the file-scanning engine flags as malware. Attackers can use file-sharing services and organizational repositories to spread laterally within the company and amplify their access. Users can inadvertently share these files without knowing they are malicious, giving adversaries the opportunity to gain initial access to other endpoints in the environment.
ATT&CK Tactic(s)
Lateral Movement (TA0008)
ATT&CK Technique(s)
Taint Shared Content (T1080)
Detection Logic
Index: logs-o365*
event.dataset:o365.audit and event.provider:(SharePoint or OneDrive) and event.code:SharePointFileOperation and event.action:FileMalwareDetected
Windows Account or Group Discovery
Detection Language
EQL
Detection Summary
This rule identifies the execution of commands that enumerate user account or group information. Adversaries may use built-in applications to get a listing of local system or domain accounts and groups.
ATT&CK Tactic(s)
Discovery (TA0007)
ATT&CK Technique(s)
Permission Groups Discovery (T1069)
Local Groups (T1069.001)
Domain Groups (T1069.002)
Account Discovery (T1087)
Local Account (T1087.001)
Domain Account (T1087.002)
Password Policy Discovery (T1201)
Detection Logic
Index: logs-endpoint.events.process-*
process where host.os.type == "windows" and event.type == "start" and
(
  (
    (
      (process.name : "net.exe" or process.pe.original_file_name == "net.exe") or
      (
        (process.name : "net1.exe" or process.pe.original_file_name == "net1.exe") and
        not process.parent.name : "net.exe"
      )
    ) and process.args : ("accounts", "group", "user", "localgroup") and not process.args : "/add"
  ) or
  (process.name:("dsquery.exe", "dsget.exe") and process.args:("*members*", "user")) or
  (process.name:"dsquery.exe" and process.args:"*filter*") or
  process.name:("quser.exe", "qwinsta.exe", "PsGetSID.exe", "PsLoggedOn.exe", "LogonSessions.exe", "whoami.exe") or
  (
    process.name: "cmd.exe" and
    (
      process.args : "echo" and process.args : (
        "%username%", "%userdomain%", "%userdnsdomain%",
        "%userdomain_roamingprofile%", "%userprofile%",
        "%homepath%", "%localappdata%", "%appdata%"
      ) or
      process.args : "set"
    )
  )
) and not process.parent.args: "C:\\Program Files (x86)\\Microsoft Intune Management Extension\\Content\\DetectionScripts\\*.ps1"
and not process.parent.name : "LTSVC.exe" and not user.id : "S-1-5-18"
Potential Enumeration via Active Directory Web Service
Detection Language
EQL
Detection Summary
Identifies processes loading Active Directory related modules followed by a network connection to the dedicated ADWS TCP port. Adversaries may abuse Active Directory Web Services (ADWS), the Windows service that exposes Active Directory for querying over this web service, to enumerate the directory.
ATT&CK Tactic(s)
Discovery (TA0007)
ATT&CK Technique(s)
Remote System Discovery (T1018)
Detection Logic
Index: logs-endpoint.events.library-*, logs-endpoint.events.network-*
sequence by process.entity_id with maxspan=3m
[library where host.os.type == "windows" and
dll.name : ("System.DirectoryServices*.dll", "System.IdentityModel*.dll") and
not user.id in ("S-1-5-18", "S-1-5-19", "S-1-5-20") and
not process.executable :
("?:\\windows\\system32\\dsac.exe",
"?:\\program files\\powershell\\?\\pwsh.exe",
"?:\\windows\\system32\\windowspowershell\\*.exe",
"?:\\windows\\syswow64\\windowspowershell\\*.exe",
"?:\\program files\\microsoft monitoring agent\\*.exe",
"?:\\windows\\adws\\microsoft.activedirectory.webservices.exe")]
[network where host.os.type == "windows" and destination.port == 9389 and source.port >= 49152 and
network.direction == "egress" and network.transport == "tcp" and not cidrmatch(destination.ip, "127.0.0.0/8", "::1/128")]
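The EQL above is a two-stage sequence: an AD-related module load, then within three minutes an outbound TCP connection to port 9389 from the same process, with system accounts and the usual ADWS clients excluded. The following added example (not the original rule, and not Elastic's or CyberForce|Q's code) replays that correlation in Python over constructed endpoint events so the exclusions can be seen working. The executable paths, SIDs, addresses and timestamps are made up for the example, and the state machine is a simplification of EQL's: a later module load from the same process re-arms the first stage, and a matched pair is consumed.

```python
import fnmatch
import ipaddress
from datetime import datetime, timedelta

# Added example, not the original rule. Constants below mirror the EQL above.
ADWS_PORT = 9389
MAXSPAN = timedelta(minutes=3)
SYSTEM_SIDS = {"S-1-5-18", "S-1-5-19", "S-1-5-20"}
AD_MODULES = ("System.DirectoryServices*.dll", "System.IdentityModel*.dll")
# Executables the rule excludes; "?" and "*" behave as in EQL's ":" operator.
EXPECTED_CLIENTS = (
    "?:\\windows\\system32\\dsac.exe",
    "?:\\program files\\powershell\\?\\pwsh.exe",
    "?:\\windows\\system32\\windowspowershell\\*.exe",
    "?:\\windows\\syswow64\\windowspowershell\\*.exe",
    "?:\\program files\\microsoft monitoring agent\\*.exe",
    "?:\\windows\\adws\\microsoft.activedirectory.webservices.exe",
)
LOOPBACK = (ipaddress.ip_network("127.0.0.0/8"), ipaddress.ip_network("::1/128"))


def glob_any(value, patterns):
    """Case-insensitive wildcard match, like EQL's ':' against a list."""
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in patterns)


def ad_module_load(evt):
    """Stage 1: a non-system process outside the allow-list loads an AD module."""
    return (evt["category"] == "library"
            and glob_any(evt["dll_name"], AD_MODULES)
            and evt["user_id"] not in SYSTEM_SIDS
            and not glob_any(evt["executable"], EXPECTED_CLIENTS))


def adws_connection(evt):
    """Stage 2: egress TCP to 9389 from an ephemeral port, not to loopback."""
    if evt["category"] != "network":
        return False
    dst = ipaddress.ip_address(evt["destination_ip"])
    return (evt["destination_port"] == ADWS_PORT and evt["source_port"] >= 49152
            and evt["direction"] == "egress" and evt["transport"] == "tcp"
            and not any(dst in net for net in LOOPBACK))


def correlate(events):
    """sequence by process.entity_id with maxspan=3m [library ...] [network ...]"""
    armed = {}   # entity_id -> time of the most recent qualifying module load
    hits = []
    for evt in sorted(events, key=lambda e: e["ts"]):
        eid = evt["entity_id"]
        if ad_module_load(evt):
            armed[eid] = evt["ts"]
        elif adws_connection(evt) and eid in armed:
            if evt["ts"] - armed.pop(eid) <= MAXSPAN:
                hits.append((eid, evt["executable"], evt["destination_ip"]))
    return hits


# Constructed sample events (paths, SID and addresses are made up).
T0 = datetime(2024, 1, 15, 9, 0, 0)
USER = "S-1-5-21-1111-2222-3333-1001"
TOOL = "C:\\Users\\bob\\Downloads\\adquery.exe"
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"


def lib(eid, exe, dll, user_id, offset_s):
    return {"category": "library", "entity_id": eid, "executable": exe, "dll_name": dll,
            "user_id": user_id, "ts": T0 + timedelta(seconds=offset_s)}


def net(eid, exe, dst_ip, offset_s, dst_port=ADWS_PORT, src_port=52000):
    return {"category": "network", "entity_id": eid, "executable": exe,
            "destination_ip": dst_ip, "destination_port": dst_port, "source_port": src_port,
            "direction": "egress", "transport": "tcp", "ts": T0 + timedelta(seconds=offset_s)}


def constructed_events():
    return [
        lib("p1", TOOL, "System.DirectoryServices.dll", USER, 0),            # unknown binary ...
        net("p1", TOOL, "10.0.0.5", 40),                                     # ... hits ADWS 40s later: alert
        lib("p2", PS, "System.DirectoryServices.Protocols.dll", USER, 0),    # powershell.exe is allow-listed
        net("p2", PS, "10.0.0.5", 30),
        lib("p3", TOOL, "System.IdentityModel.dll", USER, 0),                # connection 5 min later: outside maxspan
        net("p3", TOOL, "10.0.0.5", 300),
        lib("p4", TOOL, "System.DirectoryServices.dll", "S-1-5-18", 0),      # LocalSystem is excluded
        net("p4", TOOL, "10.0.0.5", 10),
        lib("p5", TOOL, "System.DirectoryServices.dll", USER, 0),            # loopback destination is excluded
        net("p5", TOOL, "127.0.0.1", 10),
        net("p6", TOOL, "10.0.0.5", 5),                                      # no preceding module load
    ]


if __name__ == "__main__":
    for eid, exe, dst in correlate(constructed_events()):
        print(f"{eid}: {exe} queried ADWS on {dst}")
```

Only p1 survives, which is the behaviour the rule is after: an unrecognised binary pulling in the .NET directory-services stack and then talking to ADWS. When tuning, extend EXPECTED_CLIENTS with your own management tooling rather than raising MAXSPAN; a longer window mostly adds coincidental pairs.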
File with suspicious Extension Downloaded
Detection Language
KQL
Detection Summary
Identifies unusual files downloaded from outside the local network that have the potential to be abused for code execution.
ATT&CK Tactic(s)
Initial Access (TA0001)
Defense Evasion (TA0005)
ATT&CK Technique(s)
Phishing (T1566)
Spearphishing Attachment (T1566.001)
Spearphishing Link (T1566.002)
Detection Logic
Index: logs-o365*
event.action:("FileDownloaded" or "FileUploaded") AND NOT file.extension:(elf or exe or lnk or sh or xls or bat or doc or pdf) AND user.name:*
Indicator mapping: threat.indicator.file.name matches file.name
Indicator mapping: threat.indicator.file.extension matches file.extension
Suspicious Outbound Connections
Detection Language
KQL
Detection Summary
This alert triggers when traffic allowed by the firewall is sent to an IP address flagged as malicious by an external threat feed.
ATT&CK Tactic(s)
Command and Control (TA0011)
ATT&CK Technique(s)
Application Layer Protocol (T1071)
Detection Logic
Index: logs-*
source.ip:* AND destination.ip:* AND event.action:Allow
Indicator mapping: threat.indicator.ip matches destination.ip
Every organization is unique, which is why we meet you where you are in your cybersecurity journey and tailor our solutions to your needs. Reach out to solutions@cyberforceq.com.
Learn more about CyberForce|Q.