Microsoft seizes 41 domains tied to 'Iranian phishing ring'

Microsoft has obtained a court order to seize 41 domains used by what the Windows giant said was an Iranian cybercrime group that ran a spear-phishing operation targeting organizations in the US, Middle East, and India. 

The Microsoft Digital Crimes Unit said the gang, dubbed Bohrium, took a particular interest in those working in technology, transportation, government, and education sectors: its members would pretend to be job recruiters to lure marks into running malware on their PCs.

"Bohrium actors create fake social media profiles, often posing as recruiters," said Amy Hogan-Burney, GM of Microsoft's Digital Crimes Unit. "Once personal information was obtained from the victims, Bohrium sent malicious emails with links that ultimately infected their target's computers with malware."

At the end of May, a federal district court in eastern Virginia granted Microsoft an emergency temporary restraining order; this allowed the corporation to dismantle Bohrium's infrastructure by demanding US domain registries, such as Verisign and Donuts, transfer the domain names into Microsoft's control. It looks as though that seizure has completed as domains such as microsoftsync[dot]org named by Microsoft have been transferred to MarkMonitor on behalf of Redmond.

Microsoft claimed the miscreants used the web domains to commit computer fraud, steal account users' credentials, and infringe on Microsoft's trademarks, according to court filings [PDF] Hogan-Burney made public late last week:

Important work by the @Microsoft Digital Crimes Unit to share today. Our team has taken legal action to disrupt a spear-phishing operation linked to Bohrium, a threat actor from Iran. The court filings can be found here: https://t.co/jwZaRardcF

— Amy Hogan-Burney (@CyberAmyHB) June 2, 2022

Microsoft complained that Bohrium had not only misused the IT giant's trademarks in its phishing campaign to fool people into handing over their credentials but also sought to compromise computer systems run by Microsoft's customers. The crew also used the domains to set up command-and-control servers to manage malware installed on those computers.

Additionally, Bohrium corrupted "Microsoft's applications on victims' computers and Microsoft's servers, thereby using them to monitor the activities of users and steal information from them," according to the court filing.

• Microsoft-led move takes down ZLoader botnet domains
• Microsoft dogs Strontium domains to stop attacks on Ukraine
• Microsoft delays next Exchange Server release to 2025
• Iran, China-linked gangs join Putin's disinformation war online

The court order to take down the crime gang's infrastructure follows several similar legal maneuvers to disrupt networks used to attack Microsoft customers. Most recently, in April the US goliath announced a months-long effort to take control of 65 domains that the ZLoader criminal botnet gang had been using to spread the remote-control malware and orchestrate infected machines.

The tech giant's Digital Crimes Unit obtained a court order from a US federal judge in Georgia to take over the domains, which were then directed to a Microsoft-controlled sinkhole so they couldn't be used by the malware's masterminds to communicate with their botnet of commandeered Windows computers.

That same month Redmond seized seven internet domains run by Russia-linked threat group Strontium, aka APT28 and FancyBear, which was using the infrastructure to target Ukrainian institutions as well as think tanks in the US and EU, apparently to support Russian's invasion of its neighbor.

Before the April seizures, Microsoft had used this process 15 times to take over more than 100 domains controlled by Strontium, which is thought to be run by the GRU, Russia's foreign military intelligence agency. ®