ETDA ThaiCERT

Threat Group Cards: A Threat Actor Encyclopedia

APT group: Sima

Names: Sima (Amnesty International)
Country: Iran
Motivation: Information theft and espionage
First seen: 2016
Description: In February 2016, Iran-focused individuals received messages purporting to be from Human Rights Watch's (HRW) Emergencies Director, requesting that they read an article about Iran pressing Afghan refugees to fight in Syria. While referencing a real report published by HRW, the links provided for the Director's biography and article directed the recipient to malware hosted elsewhere. These spear-phishing attempts represent an evolution of Iranian actors in terms of their social engineering tactics and narrow targeting. Although the messages still had minor grammatical and stylistic errors that would be obvious to a native speaker, the actors demonstrated stronger English-language proficiency than past intrusion sets and a deeper investment in background research prior to the attempt. The actors appropriated a real identity that would be expected to interact professionally with the subject, then offered validation through links to their biography and social media, the former of which was itself malware as well. The bait documents contained a real article relevant to the target's interests and the topic referenced, and the message attempted to address how it aligned with their professional research or field of employment. The referenced documents sent were malware binaries posing as legitimate files, using the common right-to-left filename tactic to conceal the actual file extension. All of these techniques, while common pretexting mechanisms, are a refinement compared to the tendency amongst other groups to simply keep sending different forms of generic malware or phishing in the hope that one would eventually succeed.
Observed: Countries: This group targets Iranians in the diaspora.
Tools used: Luminosity RAT, Sima.
Information: <https://www.blackhat.com/docs/us-16/materials/us-16-Guarnieri-Iran-And-The-Soft-War-For-Internet-Dominance-wp.pdf>

Last change to this card: 14 April 2020


Thailand Computer Emergency Response Team (ThaiCERT)
Electronic Transactions Development Agency
