In a routine threat hunting exercise, Insikt Group, the threat research division of Recorded Future, uncovered a new campaign by the Iran-nexus threat activity group tracked as TAG-56. The researchers first came across a phishing campaign and, on following the trail, linked it to TAG-56.
According to the researchers, the threat actors impersonated a “Microsoft registration form for the 2022 Sir Bani Yas Forum hosted by the government of the United Arab Emirates (UAE).” The URLs in the lures were usually shortened to hide the real destination and trick users into clicking them; the links led victims to malicious websites designed to steal their credentials.
Technical analysis of the phishing campaign by TAG-56
TAG-56 is believed to be backed by proficient hacker groups. In its research, Insikt Group identified five domains used to build the fraudulent websites in the campaign. On November 3, 2022, Insikt Group found URL scans submitted by a UAE-based user of the same spoofed Microsoft registration form that the threat research company had detected.
According to the research team, the threat actors used spear-phishing messages to lure victims into clicking links that took them to the apex domain mailer-daemon[.]net, where the spoofed registration page was hosted. The threat actors used public domain providers and hosting services such as Namecheap to run their fake websites, and they constantly changed addresses to avoid detection.
Additionally, Insikt Group found four more domains associated with the campaign that followed the same domain naming convention as mailer-daemon[.]net. Except for this domain, all the other three used Namecheap’s shared hosting services to host the websites. According to the researchers, open-source reporting indicates that members of the Phosphorus APT group used the same technique, employing domains such as “mailerdaemon[.]me” and “mailer-daemon-message[.]co” to target victims.
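The campaign's two observable traits, the "mailer-daemon" style domain naming convention and the use of shortened links to hide the destination, both lend themselves to a simple defensive check over web proxy logs. The script below is an added example, not Insikt Group's or Recorded Future's code: it refangs the defanged indicators quoted in the article, flags hosts that match them or the naming pattern, and flags a few well-known public URL shorteners (that shortener list is an illustrative assumption, not from the article). The proxy log lines are constructed for the demonstration, and the one host that is not from the article uses the reserved .example TLD.

```python
import re
from urllib.parse import urlparse

# Defanged indicators as published in the article ("[.]" stands in for ".").
DEFANGED_IOCS = [
    "mailer-daemon[.]net",
    "mailerdaemon[.]me",
    "mailer-daemon-message[.]co",
]

# A few widely used public URL shorteners (illustrative list, not from the article);
# the article notes the lures used shortened links to hide the real destination.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd"}


def refang(indicator: str) -> str:
    """Convert a defanged indicator such as mailer-daemon[.]net into a real hostname."""
    return indicator.strip().lower().replace("[.]", ".").replace("hxxp", "http")


KNOWN_DOMAINS = {refang(d) for d in DEFANGED_IOCS}

# Naming convention from the article: a registrable name built around "mailer-daemon"
# or "mailerdaemon", optionally followed by extra hyphenated tokens (e.g. "-message").
CONVENTION = re.compile(r"(^|\.)mailer-?daemon(-[a-z0-9]+)*\.[a-z]{2,}$")


def classify_host(host: str):
    """Return a verdict string for a hostname, or None if nothing matches."""
    host = host.lower().rstrip(".")
    if host in KNOWN_DOMAINS or any(host.endswith("." + d) for d in KNOWN_DOMAINS):
        return "known_ioc"
    if host in SHORTENERS:
        return "url_shortener"
    if CONVENTION.search(host):
        return "naming_convention"
    return None


def scan_proxy_log(lines):
    """Scan 'date time user url status' records; return (user, host, verdict) hits."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 5:
            continue  # malformed or truncated record
        user, url = parts[2], parts[3]
        host = urlparse(url).hostname
        if host is None:
            continue  # not a URL we can parse
        verdict = classify_host(host)
        if verdict is not None:
            hits.append((user, host, verdict))
    return hits


# Constructed sample proxy log for the demonstration. Apart from the article's own
# indicators, the hosts are made up; the .example TLD is reserved and never resolves.
SAMPLE_LOG = """\
2022-11-03 09:12:41 alice https://login.microsoftonline.com/common/oauth2/authorize 200
2022-11-03 09:13:05 bob https://bit.ly/3xyzabc 302
2022-11-03 09:13:06 bob https://mailer-daemon.net/forms/register?id=abc 200
2022-11-03 09:14:22 carol http://mailer-daemon-notice.example/index.php 200
2022-11-03 09:15:10 dave https://mailerdaemon.me/verify 302
2022-11-03 09:16:00 erin https://example.org/news 200
""".splitlines()

if __name__ == "__main__":
    for user, host, verdict in scan_proxy_log(SAMPLE_LOG):
        print(f"{verdict:18} {user:6} {host}")
```

A shortener hit on its own is low signal; the useful pattern is a shortener request followed within seconds by the same user reaching a host that matches the indicator list or the naming convention, which is exactly what the constructed lines for "bob" show.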