Microsoft seizes 41 domains tied to 'Iranian phishing ring'
Windows giant gets court order to take over dot-coms and more
Microsoft has obtained a court order to seize 41 domains used by what the Windows giant said was an Iranian cybercrime group that ran a spear-phishing operation targeting organizations in the US, Middle East, and India.
The Microsoft Digital Crimes Unit said the gang, dubbed Bohrium, took a particular interest in those working in technology, transportation, government, and education sectors: its members would pretend to be job recruiters to lure marks into running malware on their PCs.
"Bohrium actors create fake social media profiles, often posing as recruiters," said Amy Hogan-Burney, GM of Microsoft's Digital Crimes Unit. "Once personal information was obtained from the victims, Bohrium sent malicious emails with links that ultimately infected their target's computers with malware."
At the end of May, a federal district court in eastern Virginia granted Microsoft an emergency temporary restraining order; this allowed the corporation to dismantle Bohrium's infrastructure by demanding US domain registries, such as Verisign and Donuts, transfer the domain names into Microsoft's control. It looks as though that seizure has completed as domains such as microsoftsync[dot]org named by Microsoft have been transferred to MarkMonitor on behalf of Redmond.
Microsoft claimed the miscreants used the web domains to commit computer fraud, steal account users' credentials, and infringe on Microsoft's trademarks, according to court filings [PDF] Hogan-Burney made public late last week:
Important work by the @Microsoft Digital Crimes Unit to share today. Our team has taken legal action to disrupt a spear-phishing operation linked to Bohrium, a threat actor from Iran. The court filings can be found here: https://t.co/jwZaRardcF
— Amy Hogan-Burney (@CyberAmyHB) June 2, 2022
Microsoft complained that Bohrium had not only misused the IT giant's trademarks in its phishing campaign to fool people into handing over their credentials but also sought to compromise computer systems run by Microsoft's customers. The crew also used the domains to set up command-and-control servers to manage malware installed on those computers.
Additionally, Bohrium corrupted "Microsoft's applications on victims' computers and Microsoft's servers, thereby using them to monitor the activities of users and steal information from them," according to the court filing.
The court order to take down the crime gang's infrastructure follows several similar legal maneuvers to disrupt networks used to attack Microsoft customers. Most recently, in April the US goliath announced a months-long effort to take control of 65 domains that the ZLoader criminal botnet gang had been using to spread the remote-control malware and orchestrate infected machines.
The tech giant's Digital Crimes Unit obtained a court order from a US federal judge in Georgia to take over the domains, which were then directed to a Microsoft-controlled sinkhole so they couldn't be used by the malware's masterminds to communicate with their botnet of commandeered Windows computers.
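The defensive counterpart to a takedown like this is checking your own DNS telemetry for lookups of the seized domains and of other names that trade on the Microsoft brand. The script below is an added example written for this article, not code from Microsoft or its Digital Crimes Unit; the only indicator taken from the page is microsoftsync[dot]org, while the BIND-style query log lines, the allowlist of genuine Microsoft zones and the brand tokens are constructed and assumed, and should be replaced with your organisation's own lists.

```python
"""Flag DNS lookups for seized phishing domains and Microsoft-brand lookalikes.

Added example, not from the article or from Microsoft. The only page-derived
indicator is microsoftsync.org; log lines, allowlist and tokens are constructed.
"""
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Indicator named in the court filing the article cites (defanged there as
# microsoftsync[dot]org). Extend with the rest of the seized-domain list.
SEIZED_DOMAINS = {"microsoftsync.org"}

# Constructed allowlist of genuine Microsoft-owned zones (assumption: keep
# this in sync with your organisation's own list).
LEGIT_ZONES = ("microsoft.com", "microsoftonline.com", "live.com")

# Brand strings whose presence in an unrelated zone is worth a second look.
BRAND_TOKENS = ("microsoft", "office365", "onedrive", "outlook")

# Constructed sample: BIND-style query log lines, one lookup per line.
SAMPLE_LOG = """\
02-Jun-2022 10:01:12.100 client 10.0.0.12#51234: query: login.microsoftonline.com IN A +
02-Jun-2022 10:01:15.220 client 10.0.0.12#51235: query: microsoftsync.org IN A +
02-Jun-2022 10:02:01.003 client 10.0.0.40#40211: query: microsoft-recruiting.example IN A +
02-Jun-2022 10:02:07.917 client 10.0.0.40#40212: query: www.example.org IN A +
"""

QUERY_RE = re.compile(r"client (?P<ip>[\d.]+)#\d+: query: (?P<name>\S+) IN")


def refang(domain: str) -> str:
    """Turn report-style 'example[dot]org' / 'example[.]org' back into a plain name."""
    return domain.lower().replace("[dot]", ".").replace("[.]", ".").rstrip(".")


def in_zone(name: str, zone: str) -> bool:
    """True if name is zone itself or a subdomain of it (label boundary respected,
    so 'evilmicrosoft.com' does not match 'microsoft.com')."""
    return name == zone or name.endswith("." + zone)


def classify(domain: str) -> Optional[str]:
    """Return 'seized-domain', 'brand-lookalike', or None for benign names."""
    d = refang(domain)
    if any(in_zone(d, s) for s in SEIZED_DOMAINS):
        return "seized-domain"
    if any(in_zone(d, z) for z in LEGIT_ZONES):
        return None
    if any(tok in d for tok in BRAND_TOKENS):
        return "brand-lookalike"
    return None


def scan_log(text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Map each client IP to the (domain, verdict) pairs it triggered."""
    hits: Dict[str, List[Tuple[str, str]]] = defaultdict(list)
    for line in text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        verdict = classify(m["name"])
        if verdict:
            hits[m["ip"]].append((refang(m["name"]), verdict))
    return dict(hits)


if __name__ == "__main__":
    for ip, findings in scan_log(SAMPLE_LOG).items():
        for name, verdict in findings:
            print(f"{ip}\t{name}\t{verdict}")
```

A host that resolved a seized domain before the takedown is the one to look at first, since the traffic will have reached the attacker's command-and-control rather than the sinkhole; the brand-lookalike verdict is a triage hint, not proof of compromise, and the allowlist is what keeps legitimate Microsoft sign-in traffic out of the results.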
That same month Redmond seized seven internet domains run by Russia-linked threat group Strontium, aka APT28 and FancyBear, which was using the infrastructure to target Ukrainian institutions as well as think tanks in the US and EU, apparently to support Russia's invasion of its neighbor.
Before the April seizures, Microsoft had used this process 15 times to take over more than 100 domains controlled by Strontium, which is thought to be run by the GRU, Russia's foreign military intelligence agency. ®