Phishing attackers are now using multiple email accounts to start group conversations with you

A laptop showing lots of email notifications
(Image credit: Shutterstock)

Iranian state-sponsored hackers have come up with a new sleazy trick to get people into downloading malicious attachments, researchers are warning. 

Cybersecurity experts from Proofpoint found the TA453 threat actor, allegedly linked to the Islamic Revolutionary Guard Corps (IRGC), is engaging in “multi-persona impersonation”, or “sock-puppeting”, to get victims into downloading malware.

In other words, they’re having email conversations with themselves, while letting the victims listen on the sides, before tricking them into downloading a file that wasn’t even necessarily sent to them.

Faking a conversation

Here’s how it works: the threat actors would create multiple fake email accounts, stealing the identities of scientists, directors, and other high-profile individuals. Then, they’d send an email from one of the addresses to the other, CC-ing the victim in the process. A day or two later, they’d reply to that email, from the second address that also belongs to them. 

That way the victim, essentially caught in the middle of an email thread, could lower their guard and get a fake sense of legitimacy about the whole thing. After a short back-and-forth, one of the participants would send an attachment to other participants, and should the victim download and run it on their endpoints, they’d get a .DOCX file filled with dangerous macros.

The biggest red flag in this campaign is the fact that all of the emails used in the attack are created on major email providers, such as Gmail, Outlook, or Hotmail, instead of being on the domains of the impersonated institutions. 

"The downloaded template, dubbed Korg by Proofpoint, has three macros: Module1.bas, Module2.bas, and ThisDocument.cls," the researchers explained. "The macros collect information such as username, list of running processes along with the user's public IP from my-ip.io and then exfiltrates that information using the Telegram API."

Although they couldn’t verify it, the researchers believe that the threat actors engage in additional exploitation further down the road.

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.