Published September 19, 2022
Author: Ash Khan

Sock puppets, a new campaign by hackers.

An Iranian hacking group is using a phishing technique in which the attackers operate multiple email accounts and personas to trick targets into thinking the conversation is real. The hackers send an email while CCing another email address that is under their control, and then stage a fake conversation between the two.

The researchers named it “Multiple-persona impersonation (MPI)”. According to the researchers, the hackers are using the “social proof” technique: seeing several people apparently taking part in a conversation obscures the target's logical thinking and makes them trust it.

TA453 is an Iranian group of hackers that attacks academics and policy experts focused on the Middle East. These sock puppets put in extra effort to make the conversation look real and to make people believe it.

The researchers have seen many examples where the TA453 group made the conversation more realistic by CCing a persona under its control. In one example, the sock puppets targeted two academics specializing in nuclear arms control. They sent an email containing a document, and that document carried the malicious macros. This way they made the phishing attack even more realistic and gained the trust of the receiver. The hackers used personal email addresses for both the sender and the CCed persona, rather than impersonated profiles that might make the receiver suspicious.

The hackers sent files that were password protected and could be downloaded through OneDrive. Such files perform template injection. According to the researchers, these files contain three macros, i.e. Module1.bas, Module2.bas and ThisDocument.cls. The macros collect information such as the list of running processes, the user's IP address and usernames, which are then exfiltrated via the Telegram API. The researchers could not determine how the attackers gain access to all of this information on the host's device, but they assume it is done by code planted on the device.
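The template-injection documents described above reference a template stored outside the file itself, and the macro-bearing ones carry a VBA project part. The following is an added example, not code from the researchers or from this campaign, showing how a defender can triage an incoming OOXML document for both signs; the sample package it builds in memory and the URL it uses are constructed placeholders.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# OOXML relationship namespace and the relationship type Word uses for an attached template.
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")
SETTINGS_RELS = "word/_rels/settings.xml.rels"

def inspect_docx(docx_bytes: bytes) -> dict:
    """Flag remote template references and embedded VBA in an OOXML (.docx/.dotm) package.

    Returns {"remote_templates": [url, ...], "has_vba": bool}.
    """
    result = {"remote_templates": [], "has_vba": False}
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        names = set(zf.namelist())
        # Any vbaProject.bin part means the document carries macros.
        result["has_vba"] = any(n.lower().endswith("vbaproject.bin") for n in names)
        if SETTINGS_RELS in names:
            root = ET.fromstring(zf.read(SETTINGS_RELS))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                # An attached template fetched from outside the package is the template-injection pattern.
                if (rel.get("Type") == ATTACHED_TEMPLATE
                        and rel.get("TargetMode", "Internal").lower() == "external"):
                    result["remote_templates"].append(rel.get("Target", ""))
    return result

def build_sample(template_target: str, external: bool, with_vba: bool) -> bytes:
    """Construct a minimal OOXML package in memory (sample input, not a real document)."""
    mode = ' TargetMode="External"' if external else ""
    rels = ('<?xml version="1.0" encoding="UTF-8"?>'
            f'<Relationships xmlns="{REL_NS}">'
            f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
            f'Target="{template_target}"{mode}/></Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/settings.xml", "<w:settings/>")
        zf.writestr(SETTINGS_RELS, rels)
        if with_vba:
            zf.writestr("word/vbaProject.bin", b"\x00")  # placeholder bytes, not real VBA
    return buf.getvalue()

if __name__ == "__main__":
    # Constructed case: a document whose template is pulled from a remote host (placeholder URL).
    sample = build_sample("http://example.invalid/template.dotm", external=True, with_vba=False)
    print(inspect_docx(sample))  # {'remote_templates': ['http://example.invalid/template.dotm'], 'has_vba': False}
```

Run on files pulled from mail quarantine, a non-empty `remote_templates` list or `has_vba` being true is a cheap trigger for closer analysis.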