CURIUM
Also known as: Crimson Sandstorm · TA456 · Tortoise Shell · Yellow Liderc
Overview
CURIUM is an Iranian threat group, first reported in September 2019 and active since at least July 2018, targeting IT service providers in the Middle East. CURIUM has since invested in building relationships with potential targets via social media over a period of months to establish trust and confidence before sending malware. Security researchers note CURIUM has demonstrated great patience and persistence by chatting with potential targets daily and sending benign files to help lower their security consciousness.
Targets
Civil society · Defense · Energy · Finance · Government · Healthcare · High-Tech · Legal · Media · Military · NGOs · Pharmaceuticals · Rail · Telecommunications · Transportation
Regions
Europe · Israel · Middle East · United States
TTPs — 19 techniques across 8 tactics
Reconnaissance
- T1598.003 Spearphishing Link
Resource Development
- T1583.001 Domains
- T1583.003 Virtual Private Server
- T1583.004 Server
- T1584.006 Web Services
- T1585.001 Social Media Accounts
- T1585.002 Email Accounts
- T1608.004 Drive-by Target
Initial Access
- T1189 Drive-by Compromise
- T1566.001 Spearphishing Attachment
- T1566.003 Spearphishing via Service
Execution
- T1059.001 PowerShell
- T1204.002 Malicious File
Persistence
- T1505.003 Web Shell
Discovery
- T1082 System Information Discovery
- T1124 System Time Discovery
Collection
- T1005 Data from Local System
Exfiltration
Tools & malware (1)
IMAPLoader
Reporting (3)
- Yellow Liderc ships its scripts and delivers IMAPLoader malware — PwC Threat Intelligence
- How Microsoft names threat actors — Microsoft
- Evolving trends in Iranian threat actor activity – MSTIC presentation at CyberWarCon 2021 — MSTIC