- TA456, an Iranian-state aligned actor, spent years masquerading as the persona “Marcella Flores” in an attempt to infect the machine of an employee of an aerospace defense contractor with malware.
- The malware, dubbed by Proofpoint as LEMPO, was designed to establish persistence, perform reconnaissance, and exfiltrate sensitive information.
- TA456 actively targets smaller subsidiaries and contractors in support of efforts to compromise larger defense contractors using a supply chain compromise.
- While targeting defense contractors is not new for TA456, this campaign uniquely establishes the group as one of the most determined Iranian-aligned threat actors tracked by Proofpoint because of its significant use of social engineering, cross platform communication, and general persistence.
Proofpoint researchers have identified a years-long social engineering and targeted malware campaign by the Iranian-state aligned threat actor TA456. Using the social media persona “Marcella Flores,” TA456 built a relationship across corporate and personal communication platforms with an employee of a small subsidiary of an aerospace defense contractor. In early June 2021, the threat actor attempted to capitalize on this relationship by sending the target malware via an ongoing email communication chain. Designed to conduct reconnaissance on the target’s machine, the macro-laden document contained personalized content and demonstrated the importance TA456 placed on the target. Once the malware, which is an updated version of Liderc that Proofpoint has dubbed LEMPO, establishes persistence, it can perform reconnaissance on the infected machine, save the reconnaissance details to the host, exfiltrate sensitive information to an actor-controlled email account via SMTPS, and then cover its tracks by deleting that day’s host artifacts.
This campaign exemplifies the persistent nature of certain state aligned threats and the human engagement they are willing to conduct in support of espionage operations. In mid-July, Facebook disrupted a network of similar personas they attributed to Tortoiseshell. LEMPO, the malware, whose delivery Proofpoint disrupted, along with the network of personas, are attributed to TA456. This actor is believed to be loosely aligned with the Islamic Revolutionary Guard Corps (IRGC) via association with the Iranian company Mahak Rayan Afraz (MRA), according to Facebook’s analysis.
Proofpoint data shows that over at least eight months, “Marcella (Marcy) Flores” sent TA456’s target benign email messages, photographs, and a video to establish her veracity and build rapport with the intended victim. At one time, TA456 attempted to send a benign, but flirtatious video via a OneDrive URL. In early June, a TA456 actor self-identified as “Marcy” sent another OneDrive link, this time masquerading as a diet survey (Figure 1).
Figure 1. The diet survey email sent to the target.
The OneDrive URL delivered a .rar file (dfddbd09ccea598c4841f1abbc927f1c661d85d4bd9bcb081f7c811212d8a64a) containing a .xlsm (Figure 2) (612bdfb4f6eaf920a7a41fa06de8d99f6ecf6ad147374efa6eb1d5aff91df558). Using previous conversation topics with the target, the .xlsm purported to be pandemic diet assistance and requested that the user enable content to access the privacy protected portions of the file. If the content is enabled, the macro will create and hide the directory \Appdata\Perflog and then write LEMPO, a very simple but ingenious plaintext stealer comprised of Visual Basic Script (VBS), to that directory (Schedule.vbs 1534f95f49ddf2ada38561705f901e5938470c1678d6a81f0f4177ba7412ef5b). After authoring the VBS, the Excel macro will add a registry key (HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Schedule /t REG_SZ /d C:\Users\[redacted_username]\AppData\Perflog\Schedule.vbs /f) to ensure LEMPO is run upon user login.
Figure 2. The diet survey .xlsm file.
The macro in the Excel document also contains code to connect via HTTP POST to showip[.]net. The response, along with the results of "net use" and "netstat -nao" are stored in a hidden sheet within the .xlsm, reminiscent of the technique described in Facebook's July 15th announcement. Proofpoint analysts assess this may indicate code partially remaining from an earlier iteration of the tool that came before LEMPO or a desire for redundancy in TA456's reconnaissance tooling.
The LEMPO reconnaissance tool is a Visual Basic Script dropped by an Excel macro. Leveraging built-in Windows commands it enumerates the host in a variety of ways, records the collected data and then exfiltrates the intelligence to an actor-controlled email account using Microsoft’s Collaboration Data Objects (CDO). CDO, previously known as OLE Messaging or Active Messaging, is an application programming interface included with Microsoft Windows and Microsoft Exchange Server products. While most of this analysis is based off the sample blocked by Proofpoint (1534f95f49ddf2ada38561705f901e5938470c1678d6a81f0f4177ba7412ef5b) in June 2021, we also identified a similar sample (da65aa439e90d21b2cf53afef6491e7dcdca19dd1bbec50329d53f3d977ee089) uploaded to a public malware repository with an upload date of June 2020.
LEMPO collects the following information and records it to %temp%\Logs.txt
- Date and time
- Computer and usernames
- System information via WMIC os, sysaccount, environment, and computer system commands
- Antivirus products located in the “SecurityCenter2” path
- Software and version
- Net users and user details
Following the connectivity check, detailed in the following section, LEMPO writes the following to %temp%\Logs.txt
- Firewall rules
- List of running processes via Powershell Get-Process
- IP config
- Domain hosts, users, computers, and local groups
- Trusted domains
- Network shares
- Arp cache
- External IP (via showip.net)
- Connections (netstat -nao)
Prior to the network focused reconnaissance, LEMPO checks connectivity by reaching out to Yandex, Google, Yahoo, Github, Mailchimp, Mega, Arxiv (an online academic repository specializing in electrical engineering and scientific research), and Twitter using ping and curl (Figure 3). The June 2020 version of LEMPO includes only a connectivity check to ford[.]com.
After finishing that additional recon, LEMPO moves Logs.txt from %temp% to \Perflog. LEMPO then checks to ensure the Registry Key previously mentioned has been added and then uses the findstr command to identify files containing “user,” “pass,” and “vpn.” The findstr command returns any matching lines which could collect usernames and passwords from the computer. Logs.txt is then compressed into Logs.zip
LEMPO uses hardcoded credentials with Microsoft’s CDO to exfiltrate the information over SMTPS on port 465. In the June 2021 version of LEMPO, TA456 uses the same Yahoo email address to send and receive the exfiltrated information. In the 2020 version of LEMPO, TA456 sent from a Yandex account to a Tutanota email account. Notably, the Yandex email within the 2020 version of the LEMPO implant masqueraded as large technology company focused on supporting the energy industry. After exfiltrating the information, LEMPO sleeps for 30 seconds and then deletes both Logs.txt and Logs.zip.
There’s Something About Marcy
“Marcella (Marcy) Flores” was conversing with the targeted aerospace employee since at least November 2020 and was friends with them on social media since at least 2019. Besides the Gmail account used for attempted malware delivery, Marcella maintained a now suspended Facebook profile.