CRESCENTHARVEST Campaign Targets Iranian Protesters with Advanced Malware Techniques

CRESCENTHARVEST: Exploiting Iran’s Unrest to Deploy Advanced Malware

In the wake of escalating protests in Iran, a sophisticated cyberespionage campaign named ‘CRESCENTHARVEST’ has emerged, targeting dissidents and supporters of the opposition movement. This operation employs advanced social engineering techniques to deploy malware that functions both as a remote access trojan (RAT) and an information stealer, aiming to infiltrate and monitor individuals sympathetic to the protests.

Infection Mechanism

The attack initiates with the distribution of archive files containing seemingly authentic media and reports related to the ongoing protests. Within these archives, victims encounter malicious shortcut (.LNK) files disguised as legitimate video or image files, such as `VID_20260114_000556_609.mp4.lnk`. When executed, these shortcuts trigger a concealed sequence that deploys the malware payload while simultaneously displaying the expected decoy content to avoid raising suspicion.

This method effectively bypasses initial scrutiny by blending malicious indicators with genuine Farsi-language documents, increasing the likelihood of successful infection.

Technical Execution

Acronis analysts have identified that the malware employs a technique known as DLL sideloading, abusing a legitimately signed Google executable, `software_reporter_tool.exe`, to load malicious libraries placed alongside it. Because the host process carries a valid signature, this approach allows the attackers to execute commands, capture keystrokes, and exfiltrate critical data such as browser credentials and Telegram session files while appearing to be trusted software.

The campaign’s primary objective appears to be long-term surveillance and intelligence gathering on individuals sympathetic to the opposition movement. The operational sophistication suggests a well-resourced adversary, likely aligned with Iranian state interests. By embedding the malware within a context that resonates emotionally with the target audience, the attackers increase the likelihood of successful infection.

Bypassing App-Bound Encryption

A distinct technical feature of CRESCENTHARVEST is a module designed specifically to evade Chrome’s App-Bound Encryption. The malicious DLL, identified as `urtcbased140d_d.dll`, functions as a specialized implant that interacts directly with the browser’s internal COM interfaces to facilitate credential theft. Instead of merely copying files, it constructs a browser context structure so that its decryption requests to the operating system look like legitimate browser requests, bypassing the protection mechanism as designed.

The module locates the `Local State` file within the user’s AppData directory to extract the encrypted key. It then utilizes the `CoCreateInstance` function to instantiate an elevated COM broker, effectively tricking the system into decrypting the key. Once decrypted, this sensitive information is exfiltrated via a named pipe to the main backdoor module, allowing the attackers to unlock and steal saved login credentials, cookies, and history.
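The sideloading and App-Bound Encryption sections above describe a signed Google binary loading an implant DLL from its own directory. The following is an added detection example, not code from the article or from Acronis: it runs a few heuristics over constructed image-load telemetry shaped like Sysmon Event ID 7 records. The trusted install folder for the Google tool (Chrome's `SwReporter` directory), the event field names, and the sample paths are assumptions.

```python
"""Flag sideloading of software_reporter_tool.exe in image-load telemetry (added example)."""
from pathlib import PureWindowsPath

HOST_EXE = "software_reporter_tool.exe"
# DLL name reported in the article as the App-Bound Encryption bypass implant.
KNOWN_BAD_DLLS = {"urtcbased140d_d.dll"}
# Assumed legitimate parent folder of the signed Google tool (not from the article).
TRUSTED_DIR_MARKER = PureWindowsPath("google/chrome/user data/swreporter")

# Constructed sample telemetry: one benign load followed by two suspicious ones.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\u\AppData\Local\Google\Chrome\User Data\SwReporter\100.0.0.1\software_reporter_tool.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "Signed": "true"},
    {"Image": r"C:\Users\u\AppData\Roaming\Media\software_reporter_tool.exe",
     "ImageLoaded": r"C:\Users\u\AppData\Roaming\Media\urtcbased140d_d.dll", "Signed": "false"},
    {"Image": r"C:\Users\u\Downloads\protest_videos\software_reporter_tool.exe",
     "ImageLoaded": r"C:\Users\u\Downloads\protest_videos\helper.dll", "Signed": "false"},
]


def _in_trusted_dir(exe: PureWindowsPath) -> bool:
    """True if the expected install folders appear consecutively in the exe's parent path."""
    parts = [p.lower() for p in exe.parent.parts]
    marker = [p.lower() for p in TRUSTED_DIR_MARKER.parts]
    return any(parts[i:i + len(marker)] == marker for i in range(len(parts)))


def sideload_findings(events):
    """Return [(event_index, [reasons])] for loads by the host exe that look like sideloading."""
    findings = []
    for idx, ev in enumerate(events):
        exe = PureWindowsPath(ev["Image"])
        dll = PureWindowsPath(ev["ImageLoaded"])
        if exe.name.lower() != HOST_EXE:
            continue  # only the Google binary named in the article is in scope here
        reasons = []
        if dll.name.lower() in KNOWN_BAD_DLLS:
            reasons.append("known implant DLL name")
        # Classic sideload pattern: an unsigned DLL sitting next to the signed host binary.
        # PureWindowsPath compares case-insensitively, matching NTFS behaviour.
        if dll.parent == exe.parent and ev.get("Signed", "").lower() != "true":
            reasons.append("unsigned DLL loaded from the host executable's own directory")
        if not _in_trusted_dir(exe):
            reasons.append("host executable running outside its expected install path")
        if reasons:
            findings.append((idx, reasons))
    return findings


if __name__ == "__main__":
    for idx, reasons in sideload_findings(SAMPLE_EVENTS):
        print(f"event {idx}: " + "; ".join(reasons))
```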

Mitigation Strategies

To mitigate such threats, experts recommend that users employ hardware security modules (HSMs) or secure enclaves to protect sensitive data. Additionally, implementing strict access controls and monitoring for unusual activities can help detect and prevent unauthorized access. Regularly updating software and educating users about the risks of opening unsolicited files are also crucial steps in defending against such sophisticated attacks.