Full Report
The Iran-nexus threat actor known as UNC2428 has been observed delivering a backdoor known as MURKYTOUR as part of a job-themed social engineering campaign aimed at Israel in October 2024. Google-owned Mandiant described UNC2428 as a threat actor aligned with Iran that engages in cyber espionage-related operations. The intrusion set is said to have distributed the malware through a "complex
Analysis Summary
# Threat Actor: UNC2428
## Attribution & Identity
- **Identification/Attribution:** Iran-nexus threat actor, believed to be operating on behalf of the Iranian Ministry of Intelligence and Security (MOIS).
- **Known Aliases/Associations:** Mentioned alongside other Iran-nexus clusters such as Black Shadow (activity overlap), Cyber Toufan, UNC3313 (affiliated with MuddyWater), UNC1549, and APT42 (Charming Kitten).
## Activity Summary
UNC2428 was observed delivering the **MURKYTOUR** backdoor in October 2024 via a job-themed social engineering campaign targeting Israel.
## Tactics, Techniques & Procedures
- **Social Engineering:** Utilized complex deception techniques, posing as a recruitment opportunity from the Israeli defense contractor, Rafael.
- **Luring:** Redirected interested individuals to a site impersonating Rafael, prompting them to download a "tool" (installer) to assist with the job application.
- **Malware Delivery via Installer:** The tool, named "RafaelConnect.exe," was an installer dubbed **LONEFLEET**.
- **GUI Disguise:** LONEFLEET presented a Graphical User Interface (GUI) to the victim to enter personal information and submit a resume, designed to disguise malware execution and installation as a legitimate application.
- **Execution Chain:** Upon submission, the MURKYTOUR backdoor launched in the background via a launcher referred to as **LEAFPILE**, establishing persistent access.
## Targeting
- **Sectors:** Not explicitly detailed for UNC2428 alone, but the associated broader Iranian activity targets academia, tourism, communications, finance, transportation, healthcare, government, and technology (based on associated Black Shadow activity).
- **Geography:** Israel.
- **Victims:** Individuals interested in recruitment opportunities at the Israeli defense contractor, Rafael.
## Tools & Infrastructure
- **Malware Families:**
  - Backdoor: **MURKYTOUR**
  - Installer: **LONEFLEET**
  - Launcher: **LEAFPILE**
- **Infrastructure:** Not explicitly detailed for UNC2428's C2, but the overall campaign relied on impersonating a legitimate defense contractor's website.
## Implications
The use of sophisticated social engineering combined with GUIs designed to mimic legitimate software installers ("RafaelConnect.exe") reduces suspicion and increases the likelihood of successful execution of backdoors like MURKYTOUR. UNC2428 is part of a concentrated effort by Iranian actors targeting entities within Israel throughout 2024.
## Mitigations
- **Vigilance on Recruitment Lures:** Exercise extreme caution with unsolicited job offers, especially those requiring the download and execution of seemingly legitimate executables from external links.
- **Software Verification:** Treat as suspicious any installer that combines software installation with application-style data entry (personal details, resume upload); a legitimate job application does not require running a downloaded executable.
- **Endpoint Detection:** Ensure robust Endpoint Detection and Response (EDR) coverage that monitors for background processes spawned by, or persisting after, a legitimate-looking application launch, especially when an installer-style GUI is the only visible activity.