- Unit 42 found a site that impersonated a known German modeling agency
- The site carries obfuscated JavaScript that exfiltrates system information
- In the future it may host malware or steal login credentials
Iranian hackers have been found forging a copy of a German modeling agency's website in an attempt to collect more information about their targets.
This is according to a new report from Palo Alto Networks' Unit 42, which also notes that the campaign's full functionality, which may include malware delivery or credential harvesting, has not yet been seen.
Unit 42 says that while monitoring infrastructure it believes is likely tied to Iranian threat actors, its researchers found the domain "Megammodelstudio[.]com". After digging through the site, they determined it was a counterfeit version of megamodelagency.com, a legitimate modeling agency based in Hamburg, Germany.
Selective targeting
The two sites appear identical, but there are a few key differences. The malicious one, for example, carries obfuscated JavaScript designed to capture detailed visitor information.
Unit 42 says the script grabs information on browser language and plugins, screen resolution, and timestamps that allow the attackers to track a visitor's location and environment.
The script also reveals the user's local and public IP addresses, uses canvas fingerprinting, and derives a unique device hash with SHA-256. Finally, it structures the collected data as JSON and sends it to the endpoint /ads/track via a POST request.
“The probable goal of the code is to enable selective targeting by determining sufficient device and network-specific details of visitors,” Unit 42 said.
“This naming convention suggests an attempt to disguise the collection as benign advertising traffic rather than storing and processing potential target fingerprints.”
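A defender-side check for the traffic pattern described above, added here as an example and not part of the Unit 42 report: it scores captured POST bodies by how many fingerprint-style fields they carry and whether they go to an ad- or tracking-like path. The field names, the path pattern and the sample payload are assumptions modelled on the categories listed in the article.

```python
import json
import re

# Leaf keys typical of device-fingerprint payloads (assumed names, derived
# from the data categories in the report: language, plugins, screen,
# timestamps, local/public IP, canvas, SHA-256 device hash).
FINGERPRINT_KEYS = {
    "language", "languages", "plugins", "screen", "resolution", "width",
    "height", "timezone", "timestamp", "local_ip", "public_ip", "ip",
    "canvas", "fingerprint", "hash", "device_hash", "user_agent",
}
SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
# Paths that make exfiltration look like ordinary ad/analytics beacons.
SUSPECT_PATH_RE = re.compile(r"/(ads|track|pixel|beacon)\b")

def flatten(obj, prefix=""):
    """Yield (dotted_key, value) pairs for every leaf of nested JSON."""
    if isinstance(obj, dict):
        for k, v in obj.items():
            yield from flatten(v, f"{prefix}{k}.")
    else:
        yield prefix[:-1], obj

def score_post(path, body):
    """Return (score, evidence) for one captured POST.

    One point per fingerprint-style leaf key, one per SHA-256-shaped value,
    one for a beacon-like path. Non-JSON bodies score 0.
    """
    try:
        data = json.loads(body)
    except (ValueError, TypeError):
        return 0, []
    evidence = []
    for key, value in flatten(data):
        if key.rsplit(".", 1)[-1].lower() in FINGERPRINT_KEYS:
            evidence.append(key)
        if isinstance(value, str) and SHA256_RE.match(value):
            evidence.append(f"{key}=sha256-like")
    if SUSPECT_PATH_RE.search(path):
        evidence.append(f"path:{path}")
    return len(evidence), evidence

def is_fingerprint_exfil(path, body, threshold=5):
    """True when enough fingerprint evidence accumulates to warrant an alert."""
    return score_post(path, body)[0] >= threshold

# Constructed sample payload shaped like the one the report describes.
SAMPLE_BODY = json.dumps({
    "browser": {"language": "de-DE", "plugins": ["PDF Viewer"]},
    "screen": {"width": 1920, "height": 1080},
    "timestamp": 1700000000,
    "net": {"local_ip": "192.168.1.10", "public_ip": "203.0.113.5"},
    "canvas": "a" * 64,
})
```

Run over proxy or WAF request logs, the threshold keeps ordinary analytics events (one or two fields) below the alert line while a full fingerprint blob scores well above it.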
Another important difference is that one of the model profile pages is a fake. This page is not currently operational, but Unit 42 speculates it could be used in the future for more destructive attacks, dropping malware or stealing login credentials.
The researchers concluded “with great confidence” that Iranian actors are behind the attack. They are somewhat less confident about the exact group, speculating that it could be the work of Agent Serpens, also known as Charming Kitten or APT35.