Mint Sandstorm is known<\/a> to pursue targets in both the private and public sectors, including<\/a> political dissidents, activist leaders, the Defense Industrial Base (DIB), journalists, and employees from multiple government agencies, including individuals protesting oppressive regimes in the Middle East. Activity Microsoft tracks as part of the larger Mint Sandstorm group overlaps with public reporting on groups known as APT35, APT42, Charming Kitten, and TA453.<\/p>\n\n\n\n Mint Sandstorm is a composite name used to describe several subgroups of activity with ties to the same organizational structure. Microsoft assesses that Mint Sandstorm is associated with an intelligence arm of Iran\u2019s military,<\/a> the Islamic Revolutionary Guard Corps (IRGC), an assessment that has been corroborated by multiple credible sources including Mandiant<\/a>, Proofpoint<\/a>, and SecureWorks<\/a>. In 2022, the US Department of Treasury sanctioned<\/a> elements of Mint Sandstorm for past cyberattacks citing sponsorship from the IRGC.<\/p>\n\n\n\n Today, Microsoft is reporting on a distinct Mint Sandstorm subgroup that specializes in hacking into and stealing sensitive information from high-value targets. This Mint Sandstorm subgroup is technically and operationally mature, capable of developing bespoke tooling and quickly weaponizing N-day vulnerabilities, and has demonstrated agility in its operational focus, which appears to align with Iran\u2019s national priorities.<\/p>\n\n\n\n Microsoft Threat Intelligence consistently tracks threat actor activity, including Mint Sandstorm and its subgroups, and works across Microsoft Security products and services to build detections into our products that improve protection for customers. As with any observed nation state actor activity, Microsoft directly notifies customers that have been targeted or compromised, providing them with the information they need to secure their accounts. Microsoft is sharing details on these operations to raise awareness on the risks associated with their activity and to empower organizations to harden their attack surfaces against tradecraft commonly used by this Mint Sandstorm subgroup.<\/p>\n\n\n\n From late 2021 to mid-2022, this Mint Sandstorm subgroup moved from reconnaissance to direct targeting of US critical infrastructure including seaports, energy companies, transit systems, and a major US utility and gas entity potentially in support of retaliatory destructive cyberattacks. This targeting was likely in response to Iran\u2019s attribution of cyberattacks that halted maritime traffic at a major Iranian seaport<\/a> in May 2020, delayed Iranian trains<\/a> in July 2021, and crashed gas station payment systems<\/a> throughout Iran in late 2021. Of note, a senior cybersecurity-focused IRGC official and others close to the Iranian Supreme Leader pinned the attack affecting gas station payment systems<\/a> on Israel and the United States.<\/p>\n\n\n\n This targeting also coincided with a broader increase in the pace and the scope of cyberattacks attributed to Iranian threat actors, including another Mint Sandstorm subgroup, that Microsoft observed beginning in September 2021. The increased aggression of Iranian threat actors appeared to correlate with other moves by the Iranian regime under a new national security apparatus, suggesting<\/a> such groups are less bounded in their operations. Given the hardline consensus among policymakers in Tehran and sanctions previously levied on Iran\u2019s security organizations, Mint Sandstorm subgroups may be less constrained in carrying out malicious cyber activity. <\/em><\/strong><\/p>\n\n\n\n Microsoft has observed multiple attack chains and various tools in compromises involving this Mint Sandstorm subgroup. The TTPs detailed below are a sampling of new or otherwise notable tradecraft used by this actor.<\/p>\n\n\n\n Microsoft has increasingly observed this Mint Sandstorm subgroup adopting publicly disclosed proof-of-concept (POC) code shortly after it is released to exploit vulnerabilities in internet-facing applications. Until 2023, this subgroup had been slow to adopt exploits for recently-disclosed vulnerabilities with publicly reported POCs, often taking several weeks to successfully weaponize exploits for vulnerabilities like Proxyshell and Log4Shell. However, beginning in early 2023, Microsoft observed a notable decrease in the time required for this subgroup to adopt and incorporate public POCs. For example, Mint Sandstorm began exploiting CVE-2022-47966<\/a> in Zoho ManageEngine on January 19, 2023, the same day the POC became public. They later exploited CVE-2022-47986<\/a> in Aspera Faspex within five days of the POC being made public on February 2, 2023.<\/p>\n\n\n\n While this subgroup has demonstrated their ability to rapidly incorporate new public POCs into their playbooks, Microsoft has also observed that Mint Sandstorm continues to use older vulnerabilities, especially Log4Shell, to compromise unpatched devices. As this activity is typically opportunistic and indiscriminate, Microsoft recommends that organizations regularly patch vulnerabilities with publicly available POCs, regardless of how long the POC has been available.<\/strong><\/strong><\/p>\n\n\n\n After gaining initial access to an organization by exploiting a vulnerability with a public POC, this Mint Sandstorm subgroup deploys a custom PowerShell script designed for discovery. In some cases, the subgroup does not act on the information they collect, possibly because they assess that a victim does not meet any targeting requirements or because the subgroup wishes to wait and focus on more valuable targets. In cases where Mint Sandstorm operators continue their pursuit of a given target, Microsoft typically observes one of two possible attack chains.<\/p>\n\n\n\n Since 2022,Microsoft has observed this Mint Sandstorm subgroup using two custom implants, detected by Microsoft security products as Drokbk and Soldier, to persist in target environments and deploy additional tools. Drobkbk and Soldier both use Mint Sandstorm-controlled GitHub repositories to host a domain rotator containing the operators\u2019 C2 domains. This allows Mint Sandstorm to dynamically update their C2 infrastructure, which may help the operators stay a step ahead of defenders using list-based domain blocking.<\/p>\n\n\n\n In certain cases, this Mint Sandstorm subgroup has used TTPs outside of these attack chains, notably when they have failed to achieve short-term objectives. In one instance, Microsoft also observed the subgroup using TTPs from both attack chains in a single compromised environment. However, in most cases, Mint Sandstorm activity displays one of the above discussed attack chains.<\/p>\n\n\n\n Microsoft has also observed this Mint Sandstorm subgroup using a distinct attack chain involving low-volume phishing campaigns and a third custom implant. <\/strong>In these operations, the group crafts bespoke phishing emails, often purporting to contain information on security policies that affect countries in the Middle East, to deliver weaponized documents to individuals of interest. Recipients are typically individuals affiliated with high-profile think tanks or universities in Israel, North America, or Europe with ties to the security and policy communities. Unlike their initial exploitation of vulnerable internet-facing applications, which is largely indiscriminate and affects organizations across sectors and geographies, activity associated with this campaign was highly targeted and affected fewer than 10 organizations..<\/p>\n\n\n\n The initial emails are most commonly lures designed to social engineer recipients into clicking a OneDrive link hosting a PDF spoofed to resemble information on a topic involving security or policy in the Middle East. The PDF contains a link to a macro-enabled template file (dotm) hosted on Dropbox. This file has been weaponized with macros to perform remote template injection, a technique that allows operators to obtain and launch a payload from a remote C2, often OneDrive. Template injection is an attractive option for adversaries looking to execute malicious code without drawing scrutiny from defenders. This technique can also be used to persist in a compromised environment if an adversary replaces a default template used by a common application.<\/p>\n\n\n\n In these attacks, Microsoft has observed the Mint Sandstorm subgroup using CharmPower, a custom implant, in attacks that began with targeted phishing campaigns. <\/strong>CharmPower is a modular backdoor written in PowerShell that this subgroup delivers in phishing campaigns that rely on template injection<\/a>. CharmPower can read files, gather information on an infected host, and send details back to the attackers. Reporting<\/a> from Checkpoint<\/a> indicates that at least one version of CharmPower pulls data from a specific text file that contains a hardcoded victim identifier. <\/p>\n\n\n\n Capabilities observed in intrusions attributed to this Mint Sandstorm subgroup are concerning as they allow operators to conceal C2 communication, persist in a compromised system, and deploy a range of post-compromise tools with varying capabilities. While effects vary depending on the operators\u2019 post-intrusion activities, even initial access can enable unauthorized access and facilitate further behaviors that may adversely impact the confidentiality, integrity, and availability of an environment. A successful intrusion creates liabilities and may harm an organization\u2019s reputation, especially those responsible for delivering services to others such as critical infrastructure providers, which Mint Sandstorm has targeted in the past. <\/p>\n\n\n\n As these operators increasingly develop and use sophisticated capabilities, organizations must develop corresponding defenses to harden their attack surfaces and raise costs for these operators. Microsoft will continue to monitor Mint Sandstorm activity and implement protections for our customers. The current detections, advanced detections, and IOCs in place across our security products are detailed below and shared with the broader security community to help detect and prevent further attacks.<\/p>\n\n\n\n The techniques used by this subset of Mint Sandstorm can be mitigated through the following actions:<\/p>\n\n\n\n Organizations must identify and secure perimeter systems that attackers might use to access the network. Public scanning interfaces, such as Microsoft Defender External Attack Surface Management<\/a>, can be used to improve data.<\/p>\n\n\n\n Vulnerabilities observed in recent campaigns attributed to this Mint Sandstorm subgroup that defenders can identify and mitigate include:<\/p>\n\n\n\n This Mint Sandstorm subgroup has demonstrated its ability to rapidly adopt newly reported N-day vulnerabilities into its playbooks. To further reduce organizational exposure, Microsoft Defender for Endpoint customers can use the threat and vulnerability management<\/a> capability to discover, prioritize, and remediate vulnerabilities and misconfigurations.<\/p>\n\n\n\n Microsoft 365 Defender customers can also turn on attack surface reduction rules<\/a> to harden their environments against techniques used by this Mint Sandstorm subgroup. These rules, which can be configured by all Microsoft Defender Antivirus<\/a> customers and not just those using the EDR solution, offer significant protection against the tradecraft discussed in this report.<\/p>\n\n\n\n Additionally, in 2022, Microsoft changed the default behavior<\/a> of Office applications to block macros in files from the internet, further minimizing the attack surface for operators like this subgroup of Mint Sandstorm.<\/p>\n\n\n\n Microsoft Defender Antivirus<\/strong><\/p>\n\n\n\n Microsoft Defender Antivirus detects the Drokbk implant as the following malware:<\/p>\n\n\n\n Microsoft Defender Antivirus detects the Soldier implant as the following malware:<\/p>\n\n\n\n Microsoft Defender Antivirus detects the CharmPower implant as the following malware:<\/p>\n\n\n\n Microsoft Defender for Endpoint<\/strong><\/p>\n\n\n\n The following Microsoft Defender for Endpoint alerts can indicate associated threat activity:<\/p>\n\n\n\n Microsoft 365 Defender<\/strong><\/p>\n\n\n\n Microsoft 365 Defender customers can run the following query to find related activity in their networks:<\/p>\n\n\n\n ManageEngine Suspicious Process Execution. <\/strong><\/p>\n\n\n Ruby AsperaFaspex Suspicious Process Execution.<\/strong><\/p>\n\n\n Log4J Wstomcat Process Execution.<\/strong><\/p>\n\n\n Encoded watcher Function<\/strong>.<\/p>\n\n\n Microsoft Sentinel<\/strong><\/p>\n\n\n\n Microsoft Sentinel customers can use the TI Mapping analytic (a series of analytics all prefixed with \u201cTI map\u201d) to automatically match the indicators mentioned in this blog post with data in their workspace. If the TI Map analytics are not currently deployed, customers can install the Threat Intelligence solution from the Microsoft Sentinel Content Hub to have the analytics rule deployed in their Sentinel workspace. More details on the Content Hub can be found here: https:\/\/learn.microsoft.com\/azure\/sentinel\/sentinel-solutions-deploy<\/a><\/p>\n\n\n\n In addition, Microsoft Sentinel customers can leverage the following content to hunt for and detect related activity in their environments:<\/p>\n\n\n\nRecent operations<\/h2>\n\n\n\n
Mint Sandstorm tradecraft<\/h2>\n\n\n\n
Rapid adoption of publicly disclosed POCs for initial access and persistence<\/h3>\n\n\n\n
![\"Diagram](\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/04\/Figure-1.-The-two-attack-chains-used-by-the-Mint-Sandstorm-subgroup.png\")
\n
Use of custom tools to evade detection<\/h3>\n\n\n\n
\n
Low-volume phishing campaigns using template injection<\/h3>\n\n\n\n
![\"Diagram](\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/04\/Figure-2.-Template-injection-technique.png\")
What\u2019s next<\/h2>\n\n\n\n
Mitigation and protection guidance<\/h2>\n\n\n\n
Hardening internet-facing assets and understanding your perimeter<\/h3>\n\n\n\n
\n
Reducing the attack surface<\/h3>\n\n\n\n
\n
Microsoft 365 Defender detections<\/h3>\n\n\n\n
\n
\n
\n
\n
Hunting queries<\/h3>\n\n\n\n
\nDeviceProcessEvents\n| where InitiatingProcessFileName hasprefix \"java\"\n| where InitiatingProcessFolderPath has @\"\\manageengine\\\" or InitiatingProcessFolderPath has @\"\\ServiceDesk\\\"\n| where (FileName in~ (\"powershell.exe\", \"powershell_ise.exe\") and\n (ProcessCommandLine has_any (\"whoami\", \"net user\", \"net group\", \"localgroup administrators\", \"dsquery\", \"samaccountname=\", \" echo \", \"query session\", \"adscredentials\", \"o365accountconfiguration\", \"-dumpmode\", \"-ssh\", \"usoprivate\", \"usoshared\", \"Invoke-Expression\", \"DownloadString\", \"DownloadFile\", \"FromBase64String\", \"System.IO.Compression\", \"System.IO.MemoryStream\", \"iex \", \"iex(\", \"Invoke-WebRequest\", \"set-MpPreference\", \"add-MpPreference\", \"certutil\", \"bitsadmin\") \/\/ \"csvhost.exe\", \"ekern.exe\", \"svhost.exe\", \".dmp\"\n or ProcessCommandLine matches regex @\"[-\/\u2013][Ee^]{1,2}[ncodema^]*\\s[A-Za-z0-9+\/=]{15,}\"))\n or (FileName =~ \"curl.exe\" and ProcessCommandLine contains \"http\")\n or (FileName =~ \"wget.exe\" and ProcessCommandLine contains \"http\")\n or ProcessCommandLine has_any (\"E:jscript\", \"e:vbscript\")\n or ProcessCommandLine has_all (\"localgroup Administrators\", \"\/add\")\n or ProcessCommandLine has_all (\"reg add\", \"DisableAntiSpyware\", @\"\\Microsoft\\Windows Defender\")\n or ProcessCommandLine has_all (\"reg add\", \"DisableRestrictedAdmin\", @\"CurrentControlSet\\Control\\Lsa\")\n or ProcessCommandLine has_all (\"wmic\", \"process call create\")\n or ProcessCommandLine has_all (\"net\", \"user \", \"\/add\")\n or ProcessCommandLine has_all (\"net1\", \"user \", \"\/add\")\n or ProcessCommandLine has_all (\"vssadmin\", \"delete\", \"shadows\")\n or ProcessCommandLine has_all (\"wmic\", \"delete\", \"shadowcopy\")\n or ProcessCommandLine has_all (\"wbadmin\", \"delete\", \"catalog\")\n or (ProcessCommandLine has \"lsass\" and ProcessCommandLine has_any (\"procdump\", \"tasklist\", \"findstr\"))\n | where ProcessCommandLine !contains \"download.microsoft.com\" and ProcessCommandLine !contains \"manageengine.com\" and ProcessCommandLine !contains \"msiexec\"\n<\/pre><\/div>\n\n\n\nDeviceProcessEvents\n| where InitiatingProcessFileName hasprefix \"ruby\"\n| where InitiatingProcessFolderPath has @\"aspera\"\n| where (FileName in~ (\"powershell.exe\", \"powershell_ise.exe\") and\n (ProcessCommandLine has_any (\"whoami\", \"net user\", \"net group\", \"localgroup administrators\", \"dsquery\", \"samaccountname=\", \" echo \", \"query session\", \"adscredentials\", \"o365accountconfiguration\", \"-dumpmode\", \"-ssh\", \"usoprivate\", \"usoshared\", \"Invoke-Expression\", \"DownloadString\", \"DownloadFile\", \"FromBase64String\", \"System.IO.Compression\", \"System.IO.MemoryStream\", \"iex \", \"iex(\", \"Invoke-WebRequest\", \"set-MpPreference\", \"add-MpPreference\", \"certutil\", \"bitsadmin\", \"csvhost.exe\", \"ekern.exe\", \"svhost.exe\", \".dmp\")\n or ProcessCommandLine matches regex @\"[-\/\u2013][Ee^]{1,2}[ncodema^]*\\s[A-Za-z0-9+\/=]{15,}\"))\n or (FileName =~ \"curl.exe\" and ProcessCommandLine contains \"http\")\n or (FileName =~ \"wget.exe\" and ProcessCommandLine contains \"http\")\n or ProcessCommandLine has_any (\"E:jscript\", \"e:vbscript\")\n or ProcessCommandLine has_all (\"localgroup Administrators\", \"\/add\")\n or ProcessCommandLine has_all (\"reg add\", \"DisableAntiSpyware\", @\"\\Microsoft\\Windows Defender\")\n or ProcessCommandLine has_all (\"reg add\", \"DisableRestrictedAdmin\", @\"CurrentControlSet\\Control\\Lsa\")\n or ProcessCommandLine has_all (\"wmic\", \"process call create\")\n or ProcessCommandLine has_all (\"net\", \"user \", \"\/add\")\n or ProcessCommandLine has_all (\"net1\", \"user \", \"\/add\")\n or ProcessCommandLine has_all (\"vssadmin\", \"delete\", \"shadows\")\n or ProcessCommandLine has_all (\"wmic\", \"delete\", \"shadowcopy\")\n or ProcessCommandLine has_all (\"wbadmin\", \"delete\", \"catalog\")\n or (ProcessCommandLine has \"lsass\" and ProcessCommandLine has_any (\"procdump\", \"tasklist\", \"findstr\"))\n\n<\/pre><\/div>\n\n\n\nDeviceProcessEvents\n| where InitiatingProcessFileName has \"ws_tomcatservice.exe\" and FileName !in~(\"repadmin.exe\")\n<\/pre><\/div>\n\n\n
\nDeviceProcessEvents \n| where FileName =~ \"powershell.exe\" and ProcessCommandLine hasprefix \"-e\"\n| extend SplitString = split(ProcessCommandLine, \" \")\n| mvexpand SS = SplitString \n| where SS matches regex \"^[A-Za-z0-9+\/]{50,}[=]{0,2}$\"\n| extend base64_decoded = replace(@'\\0', '', make_string(base64_decode_toarray(tostring(SS))))\n| where not(base64_decoded has_any(@\"software\\checker\", \"set folder to watch\"))\n| where base64_decoded has_all(\"$hst\", \"$prt\") or base64_decoded has_any(\"watcher\", @\"WAt`CH`Er()\")\n<\/pre><\/div>\n\n\n\n
Indicators of compromise<\/h2>\n\n\n\n