CURIUM

CURIUM is an Iranian threat group, first reported in September 2019 and active since at least July 2018, targeting IT service providers in the Middle East.[1] CURIUM has since invested in building relationships with potential targets via social media over a period of months to establish trust and confidence before sending malware. Security researchers note CURIUM has demonstrated great patience and persistence by chatting with potential targets daily and sending benign files to help lower their security consciousness.[2]

ID: G1012
Associated Groups: Crimson Sandstorm, TA456, Tortoise Shell, Yellow Liderc
Contributors: Denise Tan; Wirapong Petshagun
Version: 3.0
Created: 13 January 2023
Last Modified: 02 October 2024

Associated Group Descriptions

Name (source)
Crimson Sandstorm [3]
TA456 [3][4]
Tortoise Shell [3]
Yellow Liderc [5]

Techniques Used

Domain ID Name Use
Enterprise T1583.001 Acquire Infrastructure: Domains

CURIUM created domains to facilitate strategic website compromise and credential capture activities.[5]

Enterprise T1583.003 Acquire Infrastructure: Virtual Private Server

CURIUM created virtual private server instances to facilitate use of malicious domains and other items.[5]

Enterprise T1583.004 Acquire Infrastructure: Server

CURIUM has created dedicated servers for command and control and exfiltration purposes.[5]

Enterprise T1059.001 Command and Scripting Interpreter: PowerShell

CURIUM has leveraged PowerShell scripts for initial process execution and data gathering in victim environments.[1]

Enterprise T1584.006 Compromise Infrastructure: Web Services

CURIUM has compromised legitimate websites to enable strategic website compromise attacks.[5]

Enterprise T1005 Data from Local System

CURIUM has exfiltrated data from a compromised machine.[2]

Enterprise T1189 Drive-by Compromise

CURIUM has used strategic website compromise to infect victims with malware such as IMAPLoader.[5]

Enterprise T1585.001 Establish Accounts: Social Media Accounts

CURIUM has established a network of fictitious social media accounts, including on Facebook and LinkedIn, to establish relationships with victims, often posing as an attractive woman.[2]

Enterprise T1585.002 Establish Accounts: Email Accounts

CURIUM has created dedicated email accounts for use with tools such as IMAPLoader.[5]

Enterprise T1048.002 Exfiltration Over Alternative Protocol: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol

CURIUM has used SMTPS to exfiltrate collected data from victims.[5]

Enterprise T1041 Exfiltration Over C2 Channel

CURIUM has used IMAP and SMTPS for exfiltration via tools such as IMAPLoader.[5]

Enterprise T1566.001 Phishing: Spearphishing Attachment

CURIUM has used phishing with malicious attachments for initial access to victim environments.[5]

Enterprise T1566.003 Phishing: Spearphishing via Service

CURIUM has used social media to deliver malicious files to victims.[2]

Enterprise T1598.003 Phishing for Information: Spearphishing Link

CURIUM used malicious links to adversary-controlled resources for credential harvesting.[5]

Enterprise T1505.003 Server Software Component: Web Shell

CURIUM has been linked to web shells following likely server compromise as an initial access vector into victim networks.[1]

Enterprise T1608.004 Stage Capabilities: Drive-by Target

CURIUM used strategic website compromise to fingerprint and then target victims.[5]

Enterprise T1082 System Information Discovery

CURIUM deploys information gathering tools focused on capturing IP configuration, running applications, system information, and network connectivity information.[1]

Enterprise T1124 System Time Discovery

CURIUM deployed mechanisms to check system time information following strategic website compromise attacks.[5]

Enterprise T1204.002 User Execution: Malicious File

CURIUM has lured users into opening malicious files delivered via social media.[2]
