
Recently, the FortiGuard Incident Response (FGIR) team released an in-depth analysis detailing a prolonged, state-sponsored intrusion into critical national infrastructure (CNI) in the Middle East. The report exposes a stealthy campaign attributed to an Iranian APT group, likely Lemon Sandstorm, that operated undetected for nearly two years.
The intrusion, which began as early as May 2023 and possibly traces back to May 2021, reveals a patient and methodical adversary. According to FGIR: “FGIR assessed with high confidence that an Iranian state-backed threat group was behind this intrusion, with distinct indicators and TTP overlap associated with historic campaigns linked to Lemon Sandstorm.”
The threat actors infiltrated the organization using compromised credentials, gaining access through the SSL VPN and deploying multiple web shells and custom backdoors across the infrastructure. The group exhibited a notable level of operational discipline, frequently rotating tools, infrastructure, and access methods.
FGIR divides the operation into four key phases:
- Initial Foothold (May 2023 – April 2024):
  - Accessed the environment using valid credentials.
  - Deployed web shells such as default.aspx and UpdateChecker.aspx.
  - Leveraged HanifNet, a custom .NET backdoor with XOR-encrypted communications.
- Consolidation (April – November 2024):
  - Introduced new tools such as NeoExpressRAT, MeshCentral, and HXLibrary.
  - Chained proxies via plink, Ngrok, and ReverseSocks5 to evade network segmentation.
- Adversary Response (Nov – Dec 2024):
  - Reacted to containment attempts with a surge in activity.
  - Deployed SystemBC, created reverse tunnels, and harvested additional credentials.
- Containment Phase (Dec 2024 – Present):
  - The victim launched an eradication plan.
  - The adversary attempted re-entry through phishing and exploitation of web servers.
Throughout the campaign, FGIR identified at least five novel malware families, including:
- HanifNet – A .NET backdoor masquerading as a Microsoft service.
- NeoExpressRAT – A stealthy Remote Access Trojan loaded via DLL side-loading using format.com.
- HXLibrary – A malicious IIS module communicating with C2 via Google Docs URLs.
- RemoteInjector – A loader for Havoc, used for stealth command execution.
- CredInterceptor – A DLL password harvester using LSASS hooks.
The attackers also modified legitimate OWA JavaScript files (flogon.js) to silently siphon credentials, disguising the malicious script output as legitimate log entries.

A significant portion of the victim’s network consisted of on-premises servers, Microsoft Exchange, and a segmented OT network. FGIR confirmed that the adversary had established a foothold adjacent to the restricted OT network but found no conclusive evidence of a successful breach into OT systems.
“While new cyber tools often generate significant interest, a more critical concern is the widespread reliance on well-established tactics… Organizations can achieve greater security resilience by prioritizing defenses against these common attack methods,” FGIR concluded.