- Unit 42 found a website spoofing a known German modelling agency
- The site carries obfuscated JavaScript which exfiltrates system information
- In the future, it could host malware or steal login credentials
Iranian hackers were found spoofing a German modelling agency in an attempt to gather more information about their targets’ devices.
This is according to a new report from Palo Alto Networks’ Unit 42, which also claims that full functionality of the campaign, which could include malware delivery or credential harvesting, has not yet been achieved.
Unit 42 says that while monitoring infrastructure they believe are likely tied to Iranian threat actors, the researchers found the domain “Megamodelstudio[.]com”. After browsing through the site a little, they determined it was a spoofed version of megamodelagency.com, a legitimate modelling agency based in Hamburg, Germany.
Selective targeting
The two websites are seemingly identical, but there are a few key differences. The malicious one, for example, carries an obfuscated JavaScript designed to capture detailed visitor information.
Unit 42 says the script grabs information about browser languages and plugins, screen resolution information, as well as timestamps, which allow the attackers to track a visitor’s location and environment.
The script also reveals the user’s local and public IP address, leverages canvas fingerprinting, and uses SHA-256 to produce a device-unique hash. Finally, it structures the collected data as JSON and delivers it to the endpoint /ads/track via a POST request.
“The likely goal of the code is to enable selective targeting by determining sufficient device- and network-specific details about visitors,” Unit 42 said.
“This naming convention suggests an attempt to disguise the collection as benign advertising traffic rather than storing and processing potential target fingerprints.”
Another key difference is that among profile pages of different models, one is fake. That page is currently not operational, but Unit 42 speculates it could be used in the future for more destructive attacks, dropping malware or stealing login credentials.
The researchers concluded, “with high confidence”, that the Iranians are behind the attack. They’re somewhat less confident about the exact group behind it, speculating that it might have been the work of Agent Serpens, also known as Charming Kitten, or APT35.
Leave a comment