Imperial Kitten Cyberattack Campaign Targets Transportation and Technology Firms

ICARO Media Group
12/11/2023 19h51

In a recent cybersecurity development, security researchers from CrowdStrike have identified a new campaign conducted by Imperial Kitten, a threat actor associated with the Islamic Revolutionary Guard Corps (IRGC), targeting transportation, logistics, and technology companies. Imperial Kitten has been active since 2017 and has previously targeted organizations in various sectors, including defense, telecommunications, energy, and consulting services.

According to the researchers, the recent attacks were detected through infrastructure overlaps with past campaigns, observed tactics, techniques, and procedures (TTPs), as well as the use of the IMAPLoader malware and phishing lures. The attacks, which took place in October, involved malicious Microsoft Excel attachments sent via phishing emails with a 'job recruitment' theme.

Once the initial breach occurred, Imperial Kitten moved laterally within the compromised networks, using tools such as PAExec for remote process execution and NetScan for network reconnaissance. The attackers also used ProcDump to dump process memory and extract credentials from it.
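The tooling named above (an Office document spawning a shell, ProcDump pointed at LSASS, PAExec service binaries, NetScan) leaves recognisable traces in process-creation telemetry. The following is an added detection example, not code from CrowdStrike, PwC, or the reports they published; the sample events are constructed, and the PAExec service-name pattern is an assumption about that tool's behaviour.

```python
import re

# Constructed sample process-creation events (not from the report):
# (host, parent_image, image, command_line)
SAMPLE_EVENTS = [
    ("ws01", "EXCEL.EXE", "cmd.exe", "cmd.exe /c powershell -w hidden -enc QQBBAEEA"),
    ("ws01", "cmd.exe", "procdump64.exe", "procdump64.exe -accepteula -ma lsass.exe out.dmp"),
    ("srv02", "services.exe", "PAEXEC-4120-WS01.exe", "PAEXEC-4120-WS01.exe -s cmd.exe"),
    ("ws03", "explorer.exe", "netscan.exe", "netscan.exe /range:10.0.0.1-10.0.0.254"),
    ("ws04", "explorer.exe", "notepad.exe", "notepad.exe notes.txt"),
]

# Each rule receives the lower-cased parent image, image and command line.
RULES = [
    # Office application spawning a scripting/shell interpreter (macro-laden attachment).
    ("office_spawns_shell", lambda p, i, c: p in {"excel.exe", "winword.exe"}
        and i in {"cmd.exe", "powershell.exe", "wscript.exe", "mshta.exe"}),
    # ProcDump invoked against the LSASS process (credential dumping).
    ("procdump_lsass", lambda p, i, c: i.startswith("procdump") and "lsass" in c),
    # Assumed PAExec naming: the remote side runs as a service named PAEXEC-<pid>-<host>.exe.
    ("paexec_service", lambda p, i, c: p == "services.exe" and re.match(r"paexec-\d+-", i)),
    # NetScan binary executed on a workstation (internal reconnaissance).
    ("netscan_recon", lambda p, i, c: i == "netscan.exe"),
]


def flag_events(events):
    """Return (host, rule_name, command_line) for every event that matches a rule."""
    hits = []
    for host, parent, image, cmdline in events:
        p, i, c = parent.lower(), image.lower(), cmdline.lower()
        for name, pred in RULES:
            if pred(p, i, c):
                hits.append((host, name, cmdline))
    return hits


if __name__ == "__main__":
    for host, rule, cmd in flag_events(SAMPLE_EVENTS):
        print(f"{host}: {rule}: {cmd}")
```

Run over real Sysmon Event ID 1 or EDR process-creation data, the same four predicates give a first triage layer; the benign notepad event shows that unrelated activity is not flagged.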

CrowdStrike has confirmed that the October 2023 attacks specifically targeted Israeli organizations following the Israel-Hamas conflict. In prior activities, Imperial Kitten employed watering hole attacks by compromising Israeli websites and using JavaScript code to collect information about visitors, thus profiling potential targets based on browser data and IP address.

The Threat Intelligence team at PricewaterhouseCoopers (PwC) has reported that Imperial Kitten's previous campaigns took place between 2022 and 2023 and focused on the maritime, shipping, and logistics sectors. Some victims were infected with the IMAPLoader malware, which delivered additional payloads.

CrowdStrike has observed several methods the group uses to breach networks, including leveraging public exploit code, using stolen VPN credentials, performing SQL injection, and sending phishing emails tailored to specific organizations.

Both CrowdStrike and PwC have published indicators of compromise (IoCs) for the malware and the adversary infrastructure involved in the observed attacks. Organizations can use these IoCs to detect and block Imperial Kitten activity in their own environments.

As cyberattacks continue to pose a significant risk to businesses, it is crucial for organizations to remain vigilant and adopt robust cybersecurity measures to safeguard their sensitive information and infrastructure.

Disclaimer: The information presented in this article is based on the findings and reports of cybersecurity researchers at CrowdStrike and PwC.

The views expressed in this article do not reflect the opinion of ICARO, or any of its affiliates.
