September 14, 2022

According to Proofpoint’s researchers, attackers are now using a “multi-persona impersonation’ phishing technique to trick victims into believing it is a realistic email conversation. For the MPI phishing technique, attackers use multiple personas and email accounts.

The phishing technique is used by the Iranian threat group TA453. This technique is cumbersome and requires a great deal of effort from the attackers to carry out the attack, because each target must be involved in a sophisticated realistic conversation conducted by fake personas, or sock puppet.

The technique is valuable, however, because it creates a realistic exchange of e-mails that makes the conversation seem legitimate.

After analyzing various case scenarios in which the technique was used, the researchers discovered that the attackers used personal email addresses from Gmail, Outlook, AOL, Hotmail for both senders and CCed persons instead of addresses from the fake institutions.

The document victims were tricked into downloading via OneDrive links in TA453’s malicious campaign are password-protected files that perform template injection.

“The downloaded template, dubbed Korg by Proofpoint, has three macros: Module1.bas, Module2.bas, and ThisDocument.cls. The macros collect information such as username, list of running processes along with the user’s public IP from my-ip.io and then exfiltrates that information using the Telegram API,” the report explains.

The sources for this piece include an article in BleepingComputer.