Security News Suspected Iranian Hackers Used Compromised Indian Firm's Email to Target U.A.E. Aviation Sector

Captain Awesome


Andy Ful

Enabling Smart App Control on Windows 11, or advanced Windows features (Windows Policies, AppLocker, SRP, WDAC) could prevent this concrete attack flow.



But, this probably would not stop the attackers, just as ATP features of AVs.
The attackers were highly motivated to compromise a few targets in "the United Arab Emirates with a distinct interest in aviation and satellite communications organizations, along with critical transportation infrastructure". In such a case it is always possible to bypass the protection, assuming that the attacker knows the details of applied security. :confused:
 

Andy Ful

According to Proofpoint, the security used by the targeted organizations was not at a high level:

Detection opportunities

This malware infection chain offers a variety of opportunities for detection. They include, but are not limited to:
  • LNK files executing from recently created or unzipped directories
  • LNK files executing from a recently unzipped directory
  • URL file in the Reg runkey
  • URL file launching any file besides a web browser
  • Executable file accessing a JPG file from a user directory
 

Andy Ful

It is interesting why AVs do not block such CmdLines like:
C:\Windows\System32\cmd[.]exe /c "mshta.exe" %cd%\anyfile.pdf

A similar CmdLine was used in the initial shortcut of the attack. I do not believe any benign application would like to use Mshta LOLBin to open HTA files disguised as PDF files. :unsure:
 
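The Proofpoint detection list quoted in the previous post and the mshta command line from this one, turned into rule logic that runs over sample telemetry, as an added example that is neither from the thread nor from Proofpoint. The event shape (process, registry and file-access records with image, cmdline, shortcut, key/data and target fields) is an assumed, simplified Sysmon-like layout, the sample events are constructed, and the browser, image-viewer and unzip-folder lists are assumptions to be tuned per environment.

```python
"""Toy detections for the LNK / .url / JPG / mshta signals discussed in the thread.
All events are constructed sample telemetry in an assumed Sysmon-like shape."""
import re
from pathlib import PureWindowsPath

# Assumption: programs that may legitimately be started through a .url shortcut.
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe"}
# Assumption: programs expected to read images from profile folders; tune locally.
IMAGE_VIEWERS = {"explorer.exe", "mspaint.exe", "photos.exe", "dllhost.exe"}
# Folders produced by Explorer's zip handling (Temp\TempN_<name>.zip\) or an extract into Downloads.
UNZIPPED_DIR_RE = re.compile(r"\\Temp\\Temp\d+_[^\\]+\\|\\Downloads\\[^\\]+\\", re.I)
USER_DIR_RE = re.compile(r"^[a-z]:\\users\\[^\\]+\\", re.I)
# Captures the first argument handed to mshta, quoted or bare, e.g. %cd%\anyfile.pdf.
MSHTA_ARG_RE = re.compile(r'mshta(?:\.exe)?"?\s+(?:"([^"]+)"|(\S+))', re.I)
RECENT_DIR_SECONDS = 600  # "recently created" threshold (assumption)

def _ext(p):    return PureWindowsPath(p).suffix.lower()
def _name(p):   return PureWindowsPath(p).name.lower()
def _parent(p): return str(PureWindowsPath(p).parent) + "\\"

def lnk_from_recent_or_unzipped_dir(ev):
    """Proofpoint bullets 1 and 2: a .lnk run from a just-created or just-unzipped folder."""
    lnk = ev.get("shortcut", "")
    if ev["type"] != "process" or _ext(lnk) != ".lnk":
        return False
    return bool(UNZIPPED_DIR_RE.search(_parent(lnk))) or ev.get("dir_age_s", 10**9) < RECENT_DIR_SECONDS

def url_file_in_run_key(ev):
    """Bullet 3: a .url file written as data of a CurrentVersion\\Run value."""
    return (ev["type"] == "registry"
            and "\\currentversion\\run" in ev["key"].lower()
            and _ext(ev["data"].strip('"')) == ".url")

def url_file_launches_non_browser(ev):
    """Bullet 4: a .url shortcut that starts something other than a web browser."""
    return (ev["type"] == "process"
            and _ext(ev.get("shortcut", "")) == ".url"
            and _name(ev["image"]) not in BROWSERS)

def executable_reads_jpg_in_user_dir(ev):
    """Bullet 5: a non-viewer executable opening a JPG under C:\\Users\\<name>\\."""
    return (ev["type"] == "file_access"
            and _ext(ev["target"]) in {".jpg", ".jpeg"}
            and USER_DIR_RE.match(ev["target"]) is not None
            and _name(ev["image"]) not in IMAGE_VIEWERS)

def mshta_opens_non_hta(ev):
    """This post's command line: mshta fed a target that is not .hta/.htm(l),
    e.g. an HTA disguised as a PDF (URLs and vbscript: targets are flagged too)."""
    if ev["type"] != "process":
        return False
    m = MSHTA_ARG_RE.search(ev["cmdline"])
    if m is None:
        return False
    target = m.group(1) or m.group(2)
    return _ext(target) not in {".hta", ".htm", ".html"}

RULES = [lnk_from_recent_or_unzipped_dir, url_file_in_run_key,
         url_file_launches_non_browser, executable_reads_jpg_in_user_dir, mshta_opens_non_hta]

def detect(events):
    """Return (event id, rule name) for every rule that fires on each event, in rule order."""
    return [(ev["id"], rule.__name__) for ev in events for rule in RULES if rule(ev)]

# Constructed sample events: 1-4 mirror the signals above, 5-7 are benign look-alikes.
SAMPLE_EVENTS = [
    {"id": 1, "type": "process", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'C:\Windows\System32\cmd.exe /c "mshta.exe" %cd%\anyfile.pdf',
     "shortcut": r"C:\Users\bob\AppData\Local\Temp\Temp1_report.zip\report.lnk", "dir_age_s": 30},
    {"id": 2, "type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "Updater", "data": r"C:\Users\bob\AppData\Roaming\updater.url"},
    {"id": 3, "type": "process", "image": r"C:\Users\bob\AppData\Roaming\svc.exe",
     "cmdline": r"C:\Users\bob\AppData\Roaming\svc.exe",
     "shortcut": r"C:\Users\bob\AppData\Roaming\updater.url"},
    {"id": 4, "type": "file_access", "image": r"C:\Users\bob\AppData\Roaming\svc.exe",
     "target": r"C:\Users\bob\Pictures\holiday.jpg"},
    {"id": 5, "type": "process", "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "cmdline": r'"C:\Program Files\Mozilla Firefox\firefox.exe" https://example.com',
     "shortcut": r"C:\Users\bob\Desktop\intranet.url"},
    {"id": 6, "type": "process", "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r'"C:\Windows\System32\mshta.exe" "C:\Program Files\Vendor Tool\ui.hta"'},
    {"id": 7, "type": "file_access", "image": r"C:\Windows\explorer.exe",
     "target": r"C:\Users\bob\Pictures\holiday.jpg"},
]

if __name__ == "__main__":
    for event_id, rule_name in detect(SAMPLE_EVENTS):
        print(f"event {event_id}: {rule_name}")
```

Event 1 trips two rules at once (the shortcut location and the mshta target), which is the kind of overlap that makes a rule set robust to one signal being tuned out; events 5 to 7 show the allow-lists keeping an ordinary browser launch, a vendor HTA and Explorer's thumbnail reads quiet.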
