- Unit 42 found a website spoofing a well-known German modeling agency
- The site carries obfuscated JavaScript that exfiltrates system information
- In future it could host malware or steal credentials
Iranian hackers have been found spoofing a German modeling agency's website in order to collect information about their targets' devices.
That is according to a new report from Palo Alto Networks Unit 42, which also says the campaign's full functionality, which could include malware delivery or credential harvesting, has not yet been deployed.
Unit 42 says that while monitoring infrastructure it believes is likely linked to Iranian threat actors, researchers found “Megamodelstudio[.]com”. After examining the site, they determined it was a spoofed version of megamodelagency.com, a legitimate modeling agency based in Hamburg, Germany.
Selective targeting
The two websites look identical, but there are some key differences. The malicious one, for example, carries obfuscated JavaScript designed to capture detailed information about visitors.
Unit 42 says the script collects browser language and plugin details and screen resolution information, as well as timestamps, which allow the attackers to track a visitor's location and environment.
The script also reveals the user's local and public IP addresses, performs canvas fingerprinting and uses SHA-256 to produce a device hash. Finally, it structures the collected data as JSON and delivers it to the /ads/track endpoint via a POST request.
“The likely objective of the code is to enable selective targeting by gathering enough device- and network-specific details about visitors,” Unit 42 said.
“This naming convention suggests an attempt to disguise the collection as benign advertising traffic rather than the storing and processing of potential target fingerprints.”
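A triage heuristic for the behaviour described above, added here as an example and not code from the Unit 42 report: it scans a beautified script for clusters of fingerprint-collection indicators (language and plugin enumeration, screen size, timestamps, WebRTC local-IP discovery, canvas fingerprinting, SHA-256 hashing and a JSON POST to an advertising-looking path such as /ads/track). The API names used as indicators are assumed typical implementations of each behaviour, and both sample scripts are constructed for the test.

```python
import re

# Indicator patterns grouped by the collection behaviour the article describes.
# The API names are assumed typical implementations, not patterns from the Unit 42
# report, and the scan expects beautified source: decode an obfuscated script first.
INDICATORS: dict[str, list[str]] = {
    "browser_language_plugins": [r"navigator\.languages?", r"navigator\.plugins"],
    "screen_resolution": [r"screen\.(width|height|colorDepth)"],
    "timestamps": [r"Date\.now\(\)", r"new Date\(", r"getTimezoneOffset"],
    "local_ip_via_webrtc": [r"RTCPeerConnection", r"onicecandidate"],
    "canvas_fingerprint": [r"getContext\(\s*['\"]2d['\"]", r"toDataURL"],
    "sha256_device_hash": [r"crypto\.subtle\.digest", r"SHA-?256"],
    "json_post_to_tracker": [r"JSON\.stringify", r"method\s*:\s*['\"]POST['\"]", r"/ads/track"],
}

def scan_script(source: str) -> dict[str, list[str]]:
    """Return each indicator category found in the script with the patterns that hit."""
    hits: dict[str, list[str]] = {}
    for category, patterns in INDICATORS.items():
        matched = [p for p in patterns if re.search(p, source, re.IGNORECASE)]
        if matched:
            hits[category] = matched
    return hits

def risk_level(hits: dict[str, list[str]]) -> str:
    """Triage verdict: one category is common in benign pages, a cluster of them is not."""
    if len(hits) >= 5:
        return "high"
    return "medium" if len(hits) >= 2 else "low"

# Constructed sample that mimics the behaviours described (not the real script).
SUSPICIOUS_JS = """
const d = { lang: navigator.languages, plugins: [...navigator.plugins].map(p => p.name),
            screen: [screen.width, screen.height, screen.colorDepth], ts: Date.now() };
const c = document.createElement('canvas').getContext('2d');
c.fillText('fp', 2, 2); d.canvas = c.canvas.toDataURL();
const pc = new RTCPeerConnection({ iceServers: [] });
pc.onicecandidate = e => { if (e.candidate) d.localIp = e.candidate.candidate; };
crypto.subtle.digest('SHA-256', new TextEncoder().encode(JSON.stringify(d))).then(h => {
  d.id = Array.from(new Uint8Array(h)).map(b => b.toString(16).padStart(2, '0')).join('');
  fetch('/ads/track', { method: 'POST', body: JSON.stringify(d) });
});
"""

# Constructed benign sample: ordinary gallery behaviour on an agency page.
BENIGN_JS = """
document.querySelectorAll('.model-card').forEach(card => {
  card.addEventListener('click', () => card.classList.toggle('open'));
});
"""
```

A single category (screen size in responsive layout code, for instance) is normal on legitimate sites; it is the co-occurrence of several, ending in a POST to a tracking-style path, that warrants a closer look.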
Another key difference is that one of the model profile pages is fake. The page is currently not operational, but Unit 42 speculates it could be used in future for more damaging attacks, such as malware delivery or credential theft.
The researchers concluded “with high confidence” that Iranians are behind the attack. They are somewhat less confident about the exact group responsible, speculating that it was the work of Agent Serpens, also known as Charming Kitten or APT35.