
Iranian MOIS Actors & the Cyber Crime Connection

Iranian Ministry of Intelligence and Security (MOIS) affiliated threat actors, including Void Manticore and MuddyWater, are increasingly integrating cybercriminal tools, infrastructure, and affiliate models into their operations. This strategic shift, which includes the use of commercial infostealers like Rhadamanthys and RaaS platforms like Qilin, enhances their operational capabilities while complicating attribution efforts.

Confidence: high · Analyzed: 2026-03-10 · reports

Authors: Check Point Research

Actors: MOIS, Void Manticore, MuddyWater, Homeland Justice, Hezbollah, Qilin

Source: Check Point

IOCs · 4

Key Takeaways

  • Iranian MOIS-linked actors are actively engaging with the cybercrime ecosystem, moving beyond mere imitation to utilizing criminal tools and affiliate networks.
  • Void Manticore (Handala) has been observed using the commercial infostealer Rhadamanthys in phishing campaigns targeting Israel.
  • MuddyWater operations overlap with criminal malware clusters such as the Tsundere Botnet (DinDoor) and CastleLoader (FakeSet); the link is the code-signing certificates ('Amy Cherne', 'Donald Gay') shared across the samples.
  • Iranian actors utilized the Qilin Ransomware-as-a-Service (RaaS) to target the Israeli Shamir Medical Center, blending state objectives with criminal extortion tactics.

Affected Systems

  • Windows
  • Node.js
  • Deno

Attack Chain

Iranian MOIS-linked actors initiate attacks using phishing lures, such as impersonating the Israeli National Cyber Directorate or F5 updates, to deliver commercial infostealers like Rhadamanthys. In other campaigns, actors utilize the Tsundere Botnet, executing malicious Node.js or Deno scripts (DinDoor) on compromised machines. They also deploy downloaders like FakeSet to deliver the CastleLoader Malware-as-a-Service. Finally, these actors have been observed acting as affiliates for the Qilin ransomware group, exfiltrating sensitive data and deploying ransomware to extort targets while masking their state-sponsored origins.

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: No

No specific detection rules (YARA, Sigma, etc.) are provided in the article.

Detection Engineering Assessment

  • EDR Visibility: High. EDR telemetry covers execution of known infostealers (Rhadamanthys), unusual script-runtime executions (Node.js/Deno), and the signer of loaded images, so the 'Amy Cherne' and 'Donald Gay' certificates are visible at the endpoint.
  • Network Visibility: Medium. Network monitoring can catch connections to known malicious IPs (e.g., the MuddyWater Wasabi server) and rclone transfers to cloud storage, but encrypted C2 traffic needs TLS inspection or destination- and volume-based analysis.
  • Detection Difficulty: Moderate. The malware families and certificates are known, but the use of commercial tools and RaaS platforms blends the activity into ordinary cybercrime noise, complicating attribution and targeted detection.

Required Log Sources

  • Process Creation (Windows Security Event ID 4688, with command-line auditing enabled so script paths are captured)
  • Sysmon Event ID 1 (Process Creation)
  • Sysmon Event ID 3 (Network Connection)
  • Sysmon Event ID 7 (Image Loaded)

Hunting Hypotheses

  • Hypothesis: Unusual execution of Node.js or Deno runtimes, especially spawned by suspicious parent processes or running scripts from temporary directories.
    • Telemetry: Process execution logs (Sysmon Event ID 1)
    • ATT&CK Stage: Execution
    • FP Risk: Medium (developers legitimately use Node.js/Deno; baseline filtering required)
  • Hypothesis: Binaries signed with the specific Common Names 'Amy Cherne' or 'Donald Gay' executing in the environment.
    • Telemetry: File creation and image load logs (Sysmon Event ID 7, EDR certificate telemetry)
    • ATT&CK Stage: Defense Evasion
    • FP Risk: Low (these certificates are highly correlated with malicious activity)
  • Hypothesis: The 'rclone' utility initiating outbound connections to cloud storage providers such as Wasabi, particularly from non-administrative endpoints.
    • Telemetry: Process execution and network connection logs (Sysmon Event IDs 1 and 3)
    • ATT&CK Stage: Exfiltration
    • FP Risk: Medium (rclone is a legitimate tool, but its use on standard user endpoints is suspicious)
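The three hypotheses above, expressed as matching logic over Sysmon-style event records. This is an added example, not code from the Check Point report or from this page. The event records are constructed; the suspicious-parent list, the staging-directory list, the Wasabi endpoint domain (wasabisys.com) and the SignerThumbprint field (an assumed EDR-supplied attribute; Sysmon itself reports only the signer subject in Signature) are assumptions. The signer names, thumbprints and IP come from the IOC list on this page.

```python
"""Hunting logic for the hypotheses above, run over constructed Sysmon-style records."""
from typing import Optional

# Signer Common Names, certificate thumbprints and the IP from the report's IOC list.
MALICIOUS_SIGNER_CNS = {"amy cherne", "donald gay"}
MALICIOUS_THUMBPRINTS = {
    "0902d7915a19975817ec1ccb0f2f6714aed19638", "2087bb914327e937ea6e77fe6c832576338c2af8",
    "21a435ecaa7b86efbec7f6fb61fcda3da686125c", "389b12da259a23fa4559eb1d97198120f2a722fe",
    "579a4584a6eef0a2453841453221d0fb25c08c89", "d920ae0f8ea8b5bd42de49e01c6bbd4c2c6d0847",
    "f8444dfc740b94227ab9b2e757b8f8f1fa49362a", "9dcb994ea2b8e6169b76a524fae7b2d2dcd1807d",
    "b674578d4bdb24cd58bf2dc884eaa658b7aa250c", "551bdf646df8e9abe04483882650a8ffae43cb55",
}
IOC_IPS = {"18.223.24.218"}
SCRIPT_RUNTIMES = {"node.exe", "deno.exe"}
# Assumptions (not from the report): parents that should never launch a JS runtime,
# user-writable staging directories, and the Wasabi S3 endpoint domain.
SUSPICIOUS_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "wscript.exe", "mshta.exe", "rundll32.exe"}
STAGING_DIRS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\", "\\programdata\\", "\\downloads\\")
WASABI_DOMAIN_SUFFIX = ".wasabisys.com"


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def hunt_script_runtime(ev: dict) -> Optional[str]:
    """Hypothesis 1: node/deno spawned by a suspicious parent or running a script from a staging dir."""
    if ev.get("EventID") != 1 or basename(ev.get("Image", "")) not in SCRIPT_RUNTIMES:
        return None
    parent = basename(ev.get("ParentImage", ""))
    if parent in SUSPICIOUS_PARENTS:
        return f"{basename(ev['Image'])} spawned by {parent}"
    if any(d in ev.get("CommandLine", "").lower() for d in STAGING_DIRS):
        return f"{basename(ev['Image'])} executing script from staging directory"
    return None


def hunt_signer(ev: dict) -> Optional[str]:
    """Hypothesis 2: image loaded (Sysmon 7) whose signer CN or thumbprint is on the IOC list.
    SignerThumbprint is an assumed EDR field; Sysmon only provides the Signature subject."""
    if ev.get("EventID") != 7:
        return None
    signer = ev.get("Signature", "").lower()
    thumb = ev.get("SignerThumbprint", "").lower()
    if signer in MALICIOUS_SIGNER_CNS or thumb in MALICIOUS_THUMBPRINTS:
        return f"{ev.get('ImageLoaded')} signed by '{ev.get('Signature')}'"
    return None


def hunt_rclone_exfil(ev: dict) -> Optional[str]:
    """Hypothesis 3: rclone network connection (Sysmon 3) to Wasabi storage."""
    if ev.get("EventID") != 3 or basename(ev.get("Image", "")) != "rclone.exe":
        return None
    host = ev.get("DestinationHostname", "").lower()
    if host.endswith(WASABI_DOMAIN_SUFFIX):
        return f"rclone -> {host}:{ev.get('DestinationPort')}"
    return None


def hunt_ioc_ip(ev: dict) -> Optional[str]:
    """Any process (Sysmon 3) connecting to the listed MuddyWater IP."""
    if ev.get("EventID") == 3 and ev.get("DestinationIp") in IOC_IPS:
        return f"{basename(ev.get('Image', ''))} -> IOC IP {ev['DestinationIp']}"
    return None


HUNTS = [("script-runtime", hunt_script_runtime), ("malicious-signer", hunt_signer),
         ("rclone-exfil", hunt_rclone_exfil), ("ioc-ip", hunt_ioc_ip)]


def run_hunts(events: list) -> list:
    """Return (hunt name, host, reason) for every event that matches a hypothesis."""
    findings = []
    for ev in events:
        for name, fn in HUNTS:
            reason = fn(ev)
            if reason:
                findings.append((name, ev.get("Computer", "?"), reason))
    return findings


# Constructed sample telemetry; 203.0.113.10 is a documentation address, not an IOC.
SAMPLE_EVENTS = [
    {"EventID": 1, "Computer": "WS01", "Image": r"C:\Program Files\nodejs\node.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": r"node.exe C:\Users\dana\AppData\Local\Temp\update.js"},
    {"EventID": 1, "Computer": "DEV02", "Image": r"C:\Program Files\nodejs\node.exe",
     "ParentImage": r"C:\Users\omer\AppData\Local\Programs\Microsoft VS Code\Code.exe",
     "CommandLine": r"node.exe C:\src\app\server.js"},
    {"EventID": 7, "Computer": "WS01", "Image": r"C:\Users\dana\AppData\Local\Temp\deno.exe",
     "ImageLoaded": r"C:\Users\dana\AppData\Local\Temp\deno.exe", "Signed": "true",
     "Signature": "Amy Cherne", "SignatureStatus": "Valid"},
    {"EventID": 7, "Computer": "DEV02", "Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\ntdll.dll", "Signed": "true",
     "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    {"EventID": 3, "Computer": "WS01", "Image": r"C:\Users\dana\Downloads\rclone.exe",
     "DestinationHostname": "s3.wasabisys.com", "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    {"EventID": 3, "Computer": "WS03", "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "DestinationHostname": "", "DestinationIp": "18.223.24.218", "DestinationPort": 443},
]

if __name__ == "__main__":
    for name, host, reason in run_hunts(SAMPLE_EVENTS):
        print(f"[{name}] {host}: {reason}")
```

Run against the samples, the Word-spawned node.exe, the 'Amy Cherne'-signed deno.exe, the rclone session to Wasabi and the browser connection to the IOC IP each produce one finding; the developer's node.exe under VS Code and the Microsoft-signed ntdll.dll do not. Thumbprint matching is case-insensitive so that EDR exports in upper-case hex still match.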

Control Gaps

  • Lack of strict application control for script runtimes (Node.js/Deno)
  • Insufficient monitoring of outbound data transfers to cloud storage (Wasabi)

Key Behavioral Indicators

  • Binaries signed by 'Amy Cherne' or 'Donald Gay'
  • Execution of deno.exe or node.exe in unusual contexts (unexpected parent process, script loaded from a temporary directory)
  • rclone connecting to Wasabi infrastructure

False Positive Assessment

  • Low for the signer-based indicators; Medium for the Node.js/Deno and rclone hypotheses, which require environment baselining

Recommendations

Immediate Mitigation

  • Block the listed IP address (18.223.24.218) and file hashes at the perimeter and endpoint. Treat the IP as a point-in-time indicator, since cloud-hosted addresses are reassigned, and note that hash blocking only catches the exact samples listed.
  • Block execution of binaries signed by certificates with Subject CN 'Amy Cherne' or 'Donald Gay', for example with WDAC or AppLocker publisher deny rules, and add the listed thumbprints to the Windows Untrusted Certificates store so the signatures no longer validate. Only the issuing CA can revoke the certificates themselves.

Infrastructure Hardening

  • Implement strict application control to prevent the unauthorized execution of script runtimes like Node.js and Deno.
  • Restrict and monitor outbound connections to cloud storage services (e.g., Wasabi) to prevent data exfiltration via tools like rclone.

User Protection

  • Deploy advanced email filtering to detect and block phishing lures impersonating government entities or software updates (e.g., INCD, F5).
  • Ensure EDR agents are actively monitoring for infostealer behavior and ransomware precursors.

Security Awareness

  • Train employees to recognize sophisticated phishing attempts, particularly those using localized themes or impersonating trusted authorities.
  • Educate the security team on the overlapping TTPs between state-sponsored actors and cybercriminal syndicates.

MITRE ATT&CK Mapping

  • T1566.001 - Phishing: Spearphishing Attachment
  • T1059.007 - Command and Scripting Interpreter: JavaScript
  • T1588.002 - Obtain Capabilities: Tool
  • T1588.003 - Obtain Capabilities: Code Signing Certificates
  • T1486 - Data Encrypted for Impact
  • T1048 - Exfiltration Over Alternative Protocol

Additional IOCs

  • IPs:
    • 18[.]223[.]24[.]218 - IP address associated with MuddyWater Wasabi server access
  • File Hashes:
    • aae017e7a36e016655c91bd01b4f3c46309bbe540733f82cce29392e72e9bd1f (sha256) - Handala Rhadamanthys variant
    • eb5e96e05129e5691f9677be4e396c88 (md5) - Hash linked to MuddyWater IP 18.223.24.218
    • 077ab28d66abdafad9f5411e18d26e87fe43da1410ee8fe846bd721ab0cb52de (sha256) - FakeSet / CastleLoader signed by Amy Cherne
    • ddceade244c636435f2444cd4c4d3dc161981f3af1f622c03442747ecef50888 (sha256) - FakeSet / CastleLoader signed by Amy Cherne
    • 2b7d8a519f44d3105e9fde2770c75efb933994c658855dca7d48c8b4897f81e6 (sha256) - FakeSet / CastleLoader signed by Amy Cherne
    • 64cf334716f15da1db7981fad6c81a640d94aa1d65391ef879f4b7b6edf6e7f1 (sha256) - FakeSet / CastleLoader signed by Amy Cherne
    • 74db1f653da6de134bdc526412a517a30b6856de9c3e5d0c742cb5fe9959ad0d (sha256) - FakeSet / CastleLoader signed by Amy Cherne
    • 94f05495eb1b2ebe592481e01d3900615040aa02bd1807b705a50e45d7c53444 (sha256) - FakeSet / CastleLoader signed by Amy Cherne
    • 4aef998e3b3f6ca21c78ed71732c9d2bdcc8a4e0284f51d7462c79d446fbc7be (sha256) - FakeSet / CastleLoader signed by Amy Cherne
    • a4bd1371fe644d7e6898045cc8e7b5e1562bdfd0e4871d46034e29a22dec6377 (sha256) - FakeSet / CastleLoader signed by Amy Cherne
    • 64263640a6fdeb2388bca2e9094a17065308cf8dcb0032454c0a71d9b78327eb (sha256) - FakeSet / CastleLoader signed by Donald Gay
    • a8c380b57cb7c381ca6ba845bd7af7333f52ee4dc4e935e98b48bb81facad72b (sha256) - FakeSet / CastleLoader signed by Donald Gay
    • 24857fe82f454719cd18bcbe19b0cfa5387bee1022008b7f5f3a8be9f05e4d14 (sha256) - StageComp signed by Donald Gay
    • a92d28f1d32e3a9ab7c3691f8bfca8f7586bb0666adbba47eab3e1a8faf7ecc0 (sha256) - StageComp signed by Donald Gay
    • 2a09bbb3d1ddb729ea7591f197b5955453aa3769c6fb98a5ef60c6e4b7df23a5 (sha256) - DinDoor / Tsundere Deno signed by Amy Cherne
  • Other:
    • Amy Cherne - Certificate Common Name used to sign FakeSet and DinDoor malware
    • Donald Gay - Certificate Common Name used to sign FakeSet and StageComp malware
    • 0902d7915a19975817ec1ccb0f2f6714aed19638 - Certificate Thumbprint for Amy Cherne
    • 2087bb914327e937ea6e77fe6c832576338c2af8 - Certificate Thumbprint for Amy Cherne
    • 21a435ecaa7b86efbec7f6fb61fcda3da686125c - Certificate Thumbprint for Amy Cherne
    • 389b12da259a23fa4559eb1d97198120f2a722fe - Certificate Thumbprint for Amy Cherne
    • 579a4584a6eef0a2453841453221d0fb25c08c89 - Certificate Thumbprint for Amy Cherne
    • d920ae0f8ea8b5bd42de49e01c6bbd4c2c6d0847 - Certificate Thumbprint for Amy Cherne
    • f8444dfc740b94227ab9b2e757b8f8f1fa49362a - Certificate Thumbprint for Donald Gay
    • 9dcb994ea2b8e6169b76a524fae7b2d2dcd1807d - Certificate Thumbprint for Donald Gay
    • b674578d4bdb24cd58bf2dc884eaa658b7aa250c - Certificate Thumbprint for Donald Gay
    • 551bdf646df8e9abe04483882650a8ffae43cb55 - Certificate Thumbprint for Amy Cherne