- Unit 42 found a website that impersonates a well-known German modeling agency
- The site loads obfuscated JavaScript that exfiltrates system information
- In the future it could host malware or steal login credentials
Iranian hackers have been caught impersonating a German modeling agency in an attempt to collect more information about their targets' devices.
This is according to a new report from Palo Alto Networks' Unit 42, which also notes that the campaign's full functionality, which could include delivering malware or harvesting credentials, is not yet active.
Unit 42 says that while monitoring infrastructure probably linked to Iranian threat actors, the researchers found the domain megamodelstudio[.]com, which impersonates megamodelagency.com, a legitimate modeling agency based in Hamburg, Germany.
Selective targeting
The two websites look identical, but there are some key differences. The malicious one, for example, carries obfuscated JavaScript designed to capture detailed information about visitors.
Unit 42 says the script collects the browser's languages and plugins, the screen resolution, and timestamps, which let the attackers track a visitor's location and environment.
The script also reveals the user's local and public IP addresses, uses canvas fingerprinting, and applies SHA-256 to produce a unique device hash. Finally, it structures the collected data as JSON and delivers it to the /ads/track endpoint via a POST request.
“The likely purpose of the code is to enable selective targeting by determining enough specific device and network details about visitors,” Unit 42 said.
“This naming convention suggests an attempt to disguise the collection as benign advertising traffic rather than as the storage and processing of potential target fingerprints.”
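As an added defensive illustration (not code from Unit 42 or from its report), the following Python scores captured HTTP request records for the traits described above: a JSON POST to an ad-like path such as /ads/track carrying fingerprint fields, a 64-hex SHA-256-style device hash, and both a local and a public IP address in one payload. The field names, hosts and sample records are constructed assumptions, not indicators from the report.

```python
import json
import re
from typing import Dict, List

# Payload keys typical of fingerprinting beacons (assumption; the report does not list exact key names).
FINGERPRINT_KEYS = {"languages", "plugins", "screen", "timezone", "timestamp",
                    "local_ip", "public_ip", "canvas", "device_hash"}
AD_PATH_RE = re.compile(r"^/(ads?|track|pixel|analytics)(/|$)", re.I)
SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")

def score_record(rec: Dict) -> int:
    """Suspicion score for one captured HTTP request (0 = no fingerprint traits)."""
    if rec.get("method") != "POST":
        return 0
    try:
        body = json.loads(rec.get("body", ""))
    except json.JSONDecodeError:
        return 0
    if not isinstance(body, dict):
        return 0
    score = 0
    if AD_PATH_RE.search(rec.get("path", "")):
        score += 2  # structured payload to an ad-like path: the disguise Unit 42 describes
    score += len(FINGERPRINT_KEYS & {k.lower() for k in body})  # one point per fingerprint field
    values = [v for v in body.values() if isinstance(v, str)]
    if any(SHA256_RE.match(v) for v in values):
        score += 2  # a 64-hex string is consistent with a SHA-256 device hash
    if sum(1 for v in values if IPV4_RE.match(v)) >= 2:
        score += 2  # local plus public address in one payload suggests network mapping
    return score

def flag_beacons(records: List[Dict], threshold: int = 6) -> List[str]:
    """Return 'host path' strings for records scoring at or above the threshold."""
    return [f"{r['host']}{r['path']}" for r in records if score_record(r) >= threshold]

# Constructed sample records; hosts and values are invented, not indicators from the report.
SAMPLE_RECORDS = [
    {"host": "fake-agency.invalid", "method": "GET", "path": "/models/anna.html", "body": ""},
    {"host": "fake-agency.invalid", "method": "POST", "path": "/api/contact",
     "body": json.dumps({"name": "A. Visitor", "email": "a@example.org"})},
    {"host": "fake-agency.invalid", "method": "POST", "path": "/ads/track",
     "body": json.dumps({"languages": ["de-DE", "en"], "plugins": 3, "screen": "1920x1080",
                         "timestamp": 1700000000, "local_ip": "192.168.1.23",
                         "public_ip": "203.0.113.7", "canvas": "data:image/png;base64,AAAA",
                         "device_hash": "a" * 64})},
]

if __name__ == "__main__":
    print(flag_beacons(SAMPLE_RECORDS))  # ['fake-agency.invalid/ads/track']
```

The threshold is deliberately conservative so that an ordinary contact form posting JSON to an API path scores zero while a beacon combining several traits stands out.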
Another key difference is that, among the profile pages of the various models, one is fake. That page is not currently operational, but Unit 42 speculates that it could be used in the future for more destructive attacks, delivering malware or stealing login credentials.
The researchers concluded “with high confidence” that Iranians are behind the attack. They are somewhat less certain about the exact group behind it, speculating that it could be the work of Agent Serpens, also known as Charming Kitten or APT35.